Avast Decompression Bomb on Virtualmin Backups

Posted in Technology

I regularly backup my domains that are on a dedicated server running Virtualmin GPL under Centos 5.

Downloaded all my domains virtual server backups today, scanned them with Avast after downloading and a handful was reported as decompression bombs by Avast.

No need to panic, decompression bombs are not malicious, they are highly compressed archive files. So I knew this wasn’t an Avast virus warning per se, means the compression is very high so the files have not been decompressed for scanning.

I manually decompressed the tar.gz files and the resulting tar files scanned fine with Avast (no malicious infections).

One of the websites is small, no email, no MYSQL database, just a couple of hundred KB of files. Add log files etc… and a couple of MBs should be all that’s associated with that domain.

The tar.gz Virtualmin virtualserver backup file was under 3mb in size.
The extracted tar Virtualmin virtual server backup file was 140mb in size, hence the decompression bomb report by Avast.

Extracted the virtual server tar file (first time I’ve looked inside a virtualserver backup) and there was 27 number folders like 11255762540

Each folder had bits of the site, log files etc… repeated. Guessing it’s a restore point type system (didn’t realise Virtualmin had a restore point system?).

I’ve got 130 odd domains on the Virtualmin dedicated server and each time I backup it comes in at 2GB and it puts me off downloading them every time I run the backup (I run it monthly on schedule and roughly weekly manually: a bit anal when it comes to backups :-) ).

What I want to do is find a way to limit how far back these virtual server ‘restore points’ go to limit backup file size.

Also if these are restore points how to access one?

Had my dedicated servers FTP passwords hacked recently: I think they obtained my FTP passwords because of a security flaw in an old version of Adobe PDF reader IE plugin and Filezilla not storing passwords in a secure password file!!!

For others who use Filezilla DO NOT have it store the passwords, (the XML file is NOT secure, so if a hacker gains access to it, the hacker gets ALL your FTP passwords in one go!!!) enter them each time you use FTP (use SFTP if you can as well), so worse case scenario if your system is compromised by a hacker (happens to the best of us, no such things as a 100% secure system) they have to be in the system (or using a key-logger) when you enter a password, so less likely to loose all your sites FTP passwords in one go (changing over 200 passwords on my dedicated server and updating config type files for sites with the new passwords was a PAIN).

Would have made my life so much easier to use a virtualserver restore point for the files that got changed and had various Trojans and hidden text links added to them! Instead used Virtualmin backups that was just under one week old and clean, so lost almost one weeks worth of data (still, could have been worse).

I’ll add comments if I find the answers.

David

Web Guru : AKA SEO Dave, Search Engine Optimization Consultant, Internet Marketer, Stallion WordPress SEO Theme Developer and Nice Guy :-)


Website - Web Guru

Leave a reply to Avast Decompression Bomb on Virtualmin Backups

Related Articles to Avast Decompression Bomb on Virtualmin Backups