Update your WebMin/VirtualMin installations NOW!

MTUser2012 Member
edited May 2016 in Help

Edit by @Amitz:
Update your installations now. See this post below.
End of Edit.

Two of my installations were hacked yesterday to install a basic DDoS script. The vulnerability exploited was in Webmin, and the hack originated from an IP at reliableservers.com.

  1. I generally keep all my installations updated via Cloudmin, all updates installed. Is anyone aware of any recent vulnerabilities in Webmin?

  2. Anyone know if reliableservers.com will do anything if I complain to the abuse dept.?

  3. The range is owned by:

     Customer: Kryptotel llc
     Customer Handle: C06078239
     Address: 101 Possumtown Road
     City: Piscataway
     State/Province: NJ
     Postal Code: 08854
     Country: UNITED STATES

Any point in trying to do something with them?


Comments

  • GCat Member

    there could be an exploit in the wild, I haven't heard of any though, likely just reused passwords, and/or bruteforce

    Thanked by 1 MTUser2012
  • K4Y5 Member
    edited May 2016

    MTUser2012 said: Any point in trying to do something with them?

    Not unless you're willing to get serious enough to get some lawyers involved. Else, you'll just be wasting your valuable time, that you could instead use to learn to lock shit down and prevent a recurrence.

  • I doubt it is brute force. Fail2ban monitors port 10000 and I have it set to ban for one year after 3 failed attempts. I'll look at reused passwords. Thanks for the suggestion.

  • jar Patron Provider, Top Host, Veteran
    edited May 2016

    How conclusive was the data that confirmed the exploited application and at what permission level was the script uploaded?

    Basically what I'm asking is, do you have sufficient data to conclude that this was not an exploited web application (like Wordpress, Joomla, etc)?

    Thanked by 1 GCat
  • SplitIce Member, Host Rep

    Probably just a weak password, or a password in a DB.

    Webmin has a bit of a history of security issues. Back ~10 years ago when I was starting out hosting a few sites I got hacked, defaced, database deleted through a Webmin vulnerability days before the exploit release.

    Since then I haven't trusted it. Now I don't need it of course. My advice, learn how to use the console.

  • Was root access obtained? If not, most likely related to an outdated application as the others have alluded to.

    For what it's worth though, Webmin, Cloudmin & Usermin had many security vulnerabilities when we last looked at it; however, they were all local in nature and kind of exploits that a typical "script kiddie" wouldn't be going for.

    shrugs

    Thanked by 1 PremiumN
  • support123 Member
    edited May 2016

    I have noticed one customer who was suspended by nodewatch and running Webmin. Most probably related to this(?) and it was suspended due to high pps (DDoS).

  • One server was just an idling Centos 7 application with only Virtualmin installed. It is the same script on both servers. The other server did have one WP site installed but I buy all my themes and plugins and keep them updated.

    @jarland said:
    How conclusive was the data that confirmed the exploited application and at what permission level was the script uploaded?

    Basically what I'm asking is, do you have sufficient data to conclude that this was not an exploited web application (like Wordpress, Joomla, etc)?

  • MTUser2012 Member
    edited May 2016

    Yes. I got a polite email from OVH and a suspension from the VPS provider. My sysadmin figured it all out. I'll bet this is exactly the same thing. I have a log of the script used to break in.

    @support123 said:
    I have noticed one customer who was suspended by nodewatch and running webmin.Most probably related to this(?) and it was suspended due to high pps (ddos)

  • jar Patron Provider, Top Host, Veteran

    @MTUser2012 said:
    One server was just an idling Centos 7 application with only Virtualmin installed. It is the same script on both servers. The other server did have one WP site installed but I buy all my themes and plugins and keep them updated.

    So this is more deduction. I would say inconclusive.

    Thanked by 1 GCat
  • sman Member
    edited May 2016

    Been running Virtualmin/Webmin for over 10 years on multiple servers and not once has it been hacked. Just about everything else I run has been hacked at one time or another but never Virtualmin/Webmin.

    However, I do not allow remote login. Exposing root login via web server is too much of a risk.

  • Amitz Member
    edited May 2016

    My servers with Webmin/Virtualmin (5 of them) show no sign of being hacked. But: I had LARGE amounts of Brute Force Attack attempts on port 10000 throughout the last 6 days. My servers don't run Webmin on port 10000, so I did not care. But maybe someone is up to brute forcing possible Webmin installations at a large scale the last days?

  • Amitz Member

    From the #virtualmin channel on Freenode, where I posted a link to this thread:

    19:42  We're not aware of any current security issues
    
  • xaoc Member

    Ye, there's some new exploit that runs on port 10000 (root access and all that). Uses some kind of command injection...

  • Amitz Member

    xaoc said: Ye, there's some new exploit that runs on port 10000 (root access and all that). Uses some kind of command injection...

    Any source for that?

  • GCat Member

    @xaoc said:
    Ye, there's some new exploit that runs on port 10000 (root access and all that). Uses some kind of command injection...

    Can you prove that? I reached out to a few colleagues of mine, who have access to various private communities, and they don't know of any such exploit

  • Hmm, interesting. I don't have any case yet of a hacked Webmin. I also run Virtualmin myself and haven't noticed anything strange; however, I will follow this thread to be up to date.

  • ATHK Member

    If there is a remote exploit, it's not in the wild yet..

  • GCat Member

    I was handed an archive, I'll review it.

    Thanked by 1 GalaxyHostPlus
  • Amitz Member
    edited May 2016

    GCat said: I was handed an archive, I'll review it.

    It looks like an old exploit tool from 2007 (Linux/Shark.A) that focuses on Plesk (see "scan") rather than Webmin/VirtualMin. Maybe it has been modified to bruteforce Webmin instead? I have received the same archive. But I am far from being too knowledgeable when it comes to things like this.

    Thanked by 2 GCat, GalaxyHostPlus
  • GCat Member
    edited May 2016

    @Amitz I've failed to see any exploit, the only thing I see is someone's IRC botnet, a bunch of bruteforcers, payloads, and a variant of CVE-2014-6271, this guy's shitty coded IRC botnet: http://musti.be/zmuie ( mirror: http://pastebin.com/DfMc1umj ) (to which I could easily go in, and uninstall all the bots)

    Thanked by 2 Amitz, GalaxyHostPlus
  • Amitz Member
    edited May 2016

    GCat said: @Amitz I've failed to see any exploit, the only thing I see is someone's IRC botnet, a bunch of bruteforcers, payloads, and a variant of CVE-2014-6271, this guy's shitty coded IRC botnet: http://musti.be/zmuie ( mirror: http://pastebin.com/DfMc1umj ) (to which I could easily go in, and uninstall all the bots)

    That reads like the more knowledgeable version of my post above. :-)
    Thank you very much! So there is still no proof that there is something in the wild yet. Let's hope it stays like this!

  • Update to 1.800. This version is in all of the Virtualmin repos and available on Webmin.com. If you cannot upgrade immediately, if you are using Authentic Theme, switch to Virtualmin Framed Theme immediately. (Upgrade or switch themes. You don't need to do both.)

    There's a security bug in Authentic Theme shipped with Webmin devel versions 1.794 and 1.795; if you use any other theme, you're not vulnerable; and if you're running a non-devel version (1.790) you're not vulnerable. We'd audited Authentic for security issues before adding it to the default Webmin package a few months ago, but a new feature got added to the theme recently without proper code review.

    We're unaware of any public exploit making the rounds, but we only found out about the issue a couple of hours ago. I've now found a couple of reports of problems; this one is the oldest report I've seen. So, if there is something in the wild, it hasn't been around long or very publicly.
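
As an added illustration of the condition SwellJoe describes (not code from the thread or from the Webmin project), the POSIX shell script below flags an install that is on devel 1.794 or 1.795 and has the Authentic theme active, and otherwise reports it as outside this advisory. It assumes Webmin keeps its version string in `/etc/webmin/version` and the active theme as a `theme=` line in `/etc/webmin/config`; both paths are assumptions, so point it at your own config directory if yours differ. The demo at the bottom runs against a constructed directory, not a real install.

```shell
#!/bin/sh
# Added check for the advisory's condition: Webmin devel 1.794/1.795 with the
# Authentic theme active. Not part of the thread or of Webmin itself.
# ASSUMPTION: Webmin records its version in <dir>/version and the active theme
# as a "theme=" line in <dir>/config (dir normally /etc/webmin).

# webmin_at_risk VERSION THEME -> returns 0 when the combination is affected
webmin_at_risk() {
    case "$1" in
        1.794|1.795)
            [ "$2" = "authentic-theme" ] && return 0
            ;;
    esac
    return 1
}

# read_webmin_state DIR -> prints "VERSION THEME" ("unknown"/"none" if missing)
read_webmin_state() {
    version=unknown
    theme=none
    if [ -r "$1/version" ]; then
        version=$(tr -d '[:space:]' < "$1/version")
    fi
    if [ -r "$1/config" ]; then
        theme=$(sed -n 's/^theme=//p' "$1/config" | head -n 1)
        [ -n "$theme" ] || theme=none
    fi
    printf '%s %s\n' "$version" "$theme"
}

# advise DIR -> prints the action from the advisory; returns 0 when at risk
advise() {
    state=$(read_webmin_state "$1")
    version=${state%% *}
    theme=${state#* }
    if webmin_at_risk "$version" "$theme"; then
        echo "Webmin $version, theme '$theme': AFFECTED - upgrade to 1.800 or switch to Virtualmin Framed Theme"
        return 0
    fi
    echo "Webmin $version, theme '$theme': not affected by this advisory"
    return 1
}

# Demo on a constructed config directory (not a real install)
demo_dir=$(mktemp -d)
printf '1.795\n' > "$demo_dir/version"
printf 'theme=authentic-theme\nlang=en\n' > "$demo_dir/config"
advise "$demo_dir" || true
rm -rf "$demo_dir"
```

To check a live box, run `advise /etc/webmin` (or whatever directory your package uses); an exit status of 0 means the affected combination is present. The check only covers the theme bug from this post, so a "not affected" result says nothing about other Webmin issues.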

  • MikePT Moderator, Patron Provider, Veteran

    @SwellJoe said:
    Update to 1.800. This version is in all of the Virtualmin repos and available on Webmin.com. If you cannot upgrade immediately, if you are using Authentic Theme, switch to Virtualmin Framed Theme immediately. (Upgrade or switch themes. You don't need to do both.)

    There's a security bug in Authentic Theme shipped with Webmin devel versions 1.794 and 1.795; if you use any other theme, you're not vulnerable; and if you're running a non-devel version (1.790) you're not vulnerable. We'd audited Authentic for security issues before adding it to the default Webmin package a few months ago, but a new feature got added to the theme recently without proper code review.

    We're unaware of any public exploit making the rounds, but we only found out about the issue a couple of hours ago. I've now found a couple of reports of problems; this one is the oldest report I've seen. So, if there is something in the wild, it hasn't been around long or very publicly.

    Good job, thank you very much!

    Thanked by 1 netomx
  • @SwellJoe said:
    Update to 1.800.

    Do hang around Joe.

    I'm really liking *min these days (after years of assuming it was yet another copy of cpanel's horrorshow.)

    Vmin doesn't annoy me at all. Native OS integration done right.

  • Amitz Member
    edited May 2016

    @SwellJoe - Thanks a lot for the info (also to andreychek on IRC)! Had my installs on Auto-Update which obviously worked fine. All are on 1.800 in the meantime, but I had to restart the Webmin service manually afterwards. It did not (re)start automatically, but I guess that was on purpose?

    @MTUser2012: I have changed the title and the opening post of this thread to make it more obvious that an update is highly necessary. I hope you are okay with that.

  • emg Veteran

    Silly question - Why not change the port for your Webmin access to something other than 10000?

    I readily admit that it is security-by-obscurity, but the threat model for my VPSs does not include a very determined, persistent attacker who goes to the trouble of finding my random ports, figures out which services are running on them, and then attacks them. After that, I hope that defense-in-depth will keep them out.

    In my opinion, changing port numbers stops 99.999% of attackers, who rely on simple automation to identify targets. They will move on to softer targets who haven't bothered to change the default remote access and management ports on their servers.

  • Hybrid Member

    Virtualmin 5 comes with a brand new HTML 5 theme! Would you like to try it now?

    Switch Theme / Don't ask me Again

    Guess What I chose

  • @Amitz said:

    @MTUser2012: I have changed the title and the opening post of this thread to make it more obvious that an update is highly necessary. I hope you are okay with that.

    Yes. Part of posting was wondering if this had happened to anyone else. I am glad I was able to help others by having the earliest report of this problem, and correctly diagnosing its source, something in Webmin. LET is a great resource, and a great help to me and others.

    Thanked by 2 Amitz, vedran
  • Obscurity is the first line of defense... and is kind of effortless to achieve. So the first thing you should do is change the common access ports (even block them in the FW) like
    SSH-22, RDP-4489, Webmin-10000, VestaCP-8083, cPanel-2082 / WHM-2086, Plesk-8880, etc...

    It will always mitigate brute force attacks in the wild...

    Thanked by 1 emg