Strange domain

I have discovered today an new domain in virtualmin. The domain is called 134495319720915
It is created today by the root user there is no username or password connected to it and no homedirectory.
I can see that there is bandwidth usage since 10.07.2012 500 Mb that is strange because the creation of this domain is dated 10.08.2012
The only feature enabled is Mail for domain enabled.
I am not able to delete this domain.
There are no users connected to the domain that I can see in virtualmin but strange the traffic is both email and FTP.
Is this a virtualmin error or is my system hacked ?


That’s a bug that we’ve seen on occasion… but it happens so rarely that we haven’t been able to track down the cause.

It’s harmless though, and easy to fix.

You can delete it from the command line using this command:

rm /etc/webmin/virtualmin/domains/134495319720915

Then restart Webmin:

/etc/init.d/webmin restart

I’ve seen this effect as well several times in the past. I don’t think it means you’re being hacked, but I believe some so far undiscovered bug in Virtualmin can cause this. I haven’t been able to reproduce the effect reliably, nor to determine when exactly it happens though.

You can get rid of the erroneous domain by deleting the file in /etc/webmin/virtual-server/domains that is named like the long number you mentioned. To make sure, search through /etc/webmin/virtual-server and its subdirectories, if a file with that name exists elsewhere.

EDIT: Damnit, Eric was a few seconds faster. :wink:

Thanks for info I just finished a system check after the usual suspects but the system was clean. I have removed the file form the specified folder and is working.

I’ve had this happen again last night.

Two effects this odd “domain creation” has is that the “Validate Virtual Servers” will report missing home directories, administrative users and other stuff for the bogus domains. And when you try to create a backup of them, the contents of /root will get backed up as their home directory.

Luckily, no existing domain gets damaged due to this bug, but rather a new bogus domain entry will be made. I wonder what we can do to nail down this odd behavior. While it seems harmless, it can create restlessness among the wary administrators. :slight_smile: