Thank you for the suggestion! I don't see anything listed, is there another location I should be looking?
Well it was worth a shot. Anyway, what I would do now, if I've checked everything else, is set up an auditd rule for checking the path where phpmyadmin is installed. Reinstall phpmyadmin and if it is gone again check the auditd log. It will log all details about the monitored folder and files.
Thank you, I'm trying to figure out how to set up audit to do what I need now. Woke up this morning to find it uninstalled again. Tried to run the reinstall script and was met with this. It's making me think an update is being attempted and the server can't find the domain perhaps (the domain is accessible from my desktop PC).
When the script asks me for the password, is it asking for the mysql root user's password or something else? I've been entering the root mysql pass there. It works but I'm wondering if I should be inputting something else, or leaving it blank.
It asks you for the mysql root password, as previously mentioned in this thread. I don't know why your system was not able to resolve the hostname "files.phpmyadmin.net".
Hi, I also had the problem of the mysterious disappearance of webmail and phpMyAdmin after the upgrade, but I resolved it simply by reinstalling them via packages, and everything returned to normal https://forum.howtoforge.com/thread...0-04-to-ubuntu-22-04.90678/page-3#post-457200
Hi there pyte, I'm wondering if you're very familiar with the auditd rules? I'm trying to monitor the index.php file inside of /usr/share/phpmyadmin with the following rule but am not sure I'm setting it correctly: I've only just set it up so it hasn't had a chance to report anything but when I check for mention of the monitor in the log file, I do get this:
Create a new rule at /etc/audit/rules.d/phpmyadmin.rules:
Code:
    # -S selects the syscall to match; -F dir= covers the whole directory tree
    -a always,exit -F dir=/usr/share/phpmyadmin -S unlink -F auid>=1000 -F auid!=4294967295 -F key=phpmyadmin-delete
    -a always,exit -F dir=/usr/share/phpmyadmin -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=phpmyadmin-delete
    -a always,exit -F dir=/usr/share/phpmyadmin -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=phpmyadmin-delete

Generate the rules:
Code:
    augenrules --load

Then create and delete a file in that /usr/share/phpmyadmin folder and check the logs with:
Code:
    ausearch -k phpmyadmin-delete
I'll change out the rules right now but having woken up this morning, I did find phpma gone again and this was logged in auditd. I don't see anything useful about what or who used mv but that's probably because I'm missing it.
I added the rules in the manner you said but now I'm getting an error and phpmyadmin-delete is not being found. My audit.rules looks like this: My phpmyadmin.rules looks like this: and upon augenrules --load, it tells me it failed to load them: and trying to look at the logs, I get this:
That log provides all information needed. Some process with root permissions, and I assume it's the cronjob that auto updates phpmyadmin, moved the folder /usr/share/phpmyadmin to /usr/share/phpmyadmin-bak-5.2.2-250819062511. I think your automated phpmyadmin job is broken, if the path is empty now.
Thank you for the clarification. In this thread, I think we went through the process of finding any cron jobs that might be causing it but I couldn't find any job related to that (post 21 and post 23). How else might I find it if those two methods of finding it come up with nothing?
You can try to figure out what initiated the mv command with:
Code:
    ausearch -p 1743300 --start recent

I would check every single file in /etc/cron.d/
I checked ausearch as instructed and got no match. I also went through every file in cron.d and there's no mention of phpmyadmin in them. I'm not sure where to go from here.
Maybe something like this?
Code:
    grep -r --exclude-dir=phpmyadmin "phpmyadmin" /etc/

This will search for the string "phpmyadmin" in all files in /etc/ except for /etc/phpmyadmin. Maybe you'll find something useful. Could be a systemd timer unit, but that is very unlikely:
Code:
    systemctl list-timers --all
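A wider sweep than the single grep above, as an added example that is not part of the original posts: it checks file names as well as contents in each of the usual cron and systemd locations, including the per-user crontabs under /var/spool/cron that a search of /etc misses. The function name and the optional root-prefix argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread).
# find_scheduled_refs NEEDLE [ROOT]
#   Prints every file in the common job-scheduler locations whose name or
#   contents mention NEEDLE. ROOT defaults to / and can point at a mounted
#   image or a test tree instead.
find_scheduled_refs() {
    needle=$1
    root=${2:-/}
    root=${root%/}          # "/" becomes "", so paths below start with /etc/...

    for loc in \
        etc/crontab etc/anacrontab \
        etc/cron.d etc/cron.hourly etc/cron.daily \
        etc/cron.weekly etc/cron.monthly \
        var/spool/cron \
        etc/systemd/system usr/lib/systemd/system
    do
        path="$root/$loc"
        [ -e "$path" ] || continue

        # Contents: -R follows symlinks (cron entries are often links to
        # scripts elsewhere), -I skips binaries, -l prints file names only,
        # -i ignores case (phpMyAdmin vs phpmyadmin), -F treats NEEDLE literally.
        grep -RIliF -- "$needle" "$path" 2>/dev/null || :

        # Names: a job file can be named after the tool it manages.
        find "$path" -iname "*$needle*" 2>/dev/null || :
    done | sort -u
}

# Typical call on a live system:
#   find_scheduled_refs phpmyadmin
```
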
I think you found it for me! It found auto_update_phpmyadmin in /etc/cron.daily, which I never checked. The contents of that dir is:
Inside that file:
Code:
    #!/bin/bash

    # Name: auto_update_phpmyadmin.sh
    # Description: this script searches for the latest PHPMyAdmin version and updates if necessary.
    # Author: Thom Pol
    # Written on 22-02-2022
    # Tested on systems that were installed according to HowToForge's Perfect Server guides for auto/manual install (Debian 10/11)

    # Installation:
    # Put this script in /usr/local/sbin/
    # curl https://git.ispconfig.org/ispconfig/tools/-/raw/stable/auto_update_phpmyadmin.sh -L -o /usr/local/sbin/auto_update_phpmyadmin>
    # Make it executable:
    # chmod +x /usr/local/sbin/auto_update_phpmyadmin.sh
    # Test the script by running it:
    # /usr/local/sbin/auto_update_phpmyadmin.sh
    # Then create a cronjob:
    # 0 4 * * * /usr/local/sbin/auto_update_phpmyadmin.sh
    # Eventually set the email variable below to your e-mail address.

    # User variables
    # E-mail address to send update notifications to when a update has been done. If this variable is empty, no notifications will be se>
    email="[email protected]"
    # Directory where phpMyAdmin is installed
    phpMyAdmindir="/usr/share/phpmyadmin"

    # Static variables
    currentversion=$(grep -m 1 "version" /usr/share/phpmyadmin/package.json | grep -oEm 1 "[0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,3}")
    latestversion=$(curl -s https://www.phpmyadmin.net/home_page/version.txt | grep -oEm 1 "[0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,3}")
    latesturl=$(curl -s https://www.phpmyadmin.net/home_page/version.txt | grep -E "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a>

    # Check TempDir permissions
    if id -u ispapps >/dev/null 2>&1; then
      chown -R ispapps:www-data /var/lib/phpmyadmin
    fi

    if [ $(dpkg --list phpmyadmin 2>/dev/null | grep '^i' | wc -l) == "1" ]; then
      echo "phpMyAdmin is installed through apt. Run apt update && apt upgrade to update to the latest available package."
      exit 1
    # this should not be necessary as in the new version of this script we can set the phpMyAdmindir ourself and no permissions are touc>
    #elif [ ! -f /etc/debian_version ]; then
    #  echo "This script only supports Debian/Ubuntu systems, but your server seems to be running a different OS."
    #  exit 1
    elif [ "$currentversion" != "$latestversion" ]; then
      currentdate=$(date +"%y%m%d%H%M%S")
      phpMyAdminbakdir=""$phpMyAdmindir"-bak-"$currentversion"-"$currentdate""
      echo "phpMyAdmin version is out of date, installed version: "$currentversion", latest version: "$latestversion""
      echo "Starting phpMyAdmin update."
      # Move current install to backup directory
      mv "$phpMyAdmindir" "$phpMyAdminbakdir"
      # Download and unpack newest version to the phpMyAdmin directory
      curl "$latesturl" -s -L -o /tmp/phpMyAdmin-"$latestversion"-all-languages.zip
      unzip -q /tmp/phpMyAdmin-"$latestversion"-all-languages.zip -d /tmp
      mv /tmp/phpMyAdmin-"$latestversion"-all-languages "$phpMyAdmindir"
      # Copy old config files to the new installation
      cp "$phpMyAdminbakdir"/config.inc.php "$phpMyAdmindir"/
      if [ -f "$phpMyAdminbakdir"/.htaccess ]; then
        echo ".htaccess file found! Copying to new installation."
        cp "$phpMyAdminbakdir"/.htaccess "$phpMyAdmindir"/
      fi
      # Wait
      sleep 1
      # Announce that we're done
      updatedone="phpMyAdmin has been updated to the latest version ("$latestversion")."
      customconfig="If you had any custom config files other than the config.inc.php and/or a .htaccess file, you have to copy them yo>
      if [ "$email" != "[email protected]" ] && [ "$email" != "" ]; then
        echo "$updatedone" "$customconfig" | mail -s "phpMyAdmin update on $(hostname -f)" "$email"
      fi
      echo "$updatedone"
      echo "$customconfig"
    elif [ "$currentversion" == "$latestversion" ]; then
      # Local install is up-to-date
      echo "Local phpMyAdmin install is up-to-date, installed version: "$currentversion", latest version: "$latestversion""
    else
      echo "Unknown error. Exiting."
      exit 1
    fi

I remember Thom doing some work on my server years ago when I had an issue, perhaps this got installed at that time. Should I just remove this file from the directory to keep it from running any longer or is this something that needs to remain but fixed in some manner?
You should rather figure out why it is not able to install a newer version. A current version of that script can be found here: https://git.ispconfig.org/ispconfig/tools/-/blob/master/auto_update_phpmyadmin.sh?ref_type=heads
Remove the file and then follow the installation steps and see where it fails:
Code:
    # Installation:
    # curl -s https://git.ispconfig.org/ispconfig/tools/-/raw/master/auto_update_phpmyadmin.sh -L -o /etc/cron.daily/auto_update_phpmyadmin
    # chmod +x /etc/cron.daily/auto_update_phpmyadmin

Then run it manually once:
Code:
    /etc/cron.daily/auto_update_phpmyadmin
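The updater quoted earlier in the thread runs mv on the live directory before curl and unzip, and checks neither result, so a failed download leaves /usr/share/phpmyadmin missing. The added example below (not the ISPConfig script; staged_replace and its marker files are assumptions made for illustration) validates the unpacked tree first and only then swaps directories.

```sh
#!/bin/sh
# Added example, not the ISPConfig updater.
# staged_replace LIVE_DIR NEW_DIR TAG
#   LIVE_DIR  current install (the thread's /usr/share/phpmyadmin)
#   NEW_DIR   freshly unpacked tree, downloaded and extracted elsewhere
#   TAG       suffix for the backup directory name
# Returns 0 after a successful swap, 1 if nothing was changed,
# 2 if the swap failed and the old install was moved back.
staged_replace() {
    live=$1
    new=$2
    tag=$3
    bak="${live}-bak-${tag}"

    # 1. Leave the live install alone unless the new tree looks complete.
    #    index.php and package.json serve as markers here (assumption).
    for marker in index.php package.json; do
        if [ ! -s "$new/$marker" ]; then
            echo "new tree incomplete ($marker missing), keeping $live" >&2
            return 1
        fi
    done
    if [ -e "$bak" ]; then
        echo "backup $bak already exists, keeping $live" >&2
        return 1
    fi

    # 2. Only now move the live directory aside and put the new one in place.
    mv "$live" "$bak" || return 1
    if ! mv "$new" "$live"; then
        mv "$bak" "$live"      # roll back so the path is never left empty
        return 2
    fi

    # 3. Carry the site configuration over, as the quoted script does.
    for f in config.inc.php .htaccess; do
        if [ -f "$bak/$f" ]; then
            cp -p "$bak/$f" "$live/"
        fi
    done
    return 0
}
```
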