Webmin compromised along with whole machine

Posted: 2007/02/04 09:36:35
by simonb
I've had a server compromised via webmin using the exploit described here...
http://bliki.rimuhosting.com/space/knowledgebase/linux/miscapplications/webmin
...in the section "Changing passwords".

Running the following script identifies the files that were successfully read...

grep "\.\.%01" /var/webmin/miniserv.log | grep "[^0-9]200[^0-9]" | grep -o "%01\/[a-z][^ ]*" | sed 's/%01//gi' | sort -u

Of course, /etc/passwd and /etc/shadow are first on the menu!


I am curious how this happened. We have yum auto-update enabled and yum.log shows updates happening as expected. I can't see any recent security advisory about this (I haven't looked that hard yet though, maybe someone can point me to it). This is a show-stopping security hole.

The version of Webmin we have installed is,
webmin-1.250-1.2.el4.rf

The OS version is CentOS 4.3 and it has been updated automatically since installation.

Further to the previous report,
OK. I've just realised that webmin is not part of the standard CentOS4 install. It was downloaded from DAG.
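Added example (not from the original post): a Python version of the log check above, run over constructed miniserv.log lines with hypothetical addresses and timestamps. It lists the files a ..%01 traversal request actually retrieved (HTTP 200) and tallies attempts per source address for triage.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the Common Log Format miniserv.log uses
# (addresses, users and timestamps are hypothetical).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Feb/2007:03:12:01 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 1478
192.0.2.10 - - [04/Feb/2007:03:12:02 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/shadow HTTP/1.0" 200 912
192.0.2.10 - - [04/Feb/2007:03:12:03 +0000] "GET /unauthenticated/..%01/..%01/..%01/root/.bash_history HTTP/1.0" 404 0
203.0.113.7 - admin [04/Feb/2007:08:00:00 +0000] "GET /index.cgi HTTP/1.0" 200 6032
192.0.2.10 - - [04/Feb/2007:03:12:04 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 1478
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def disclosed_files(log_text):
    """Sorted list of server paths a ..%01 traversal request fetched with HTTP 200."""
    found = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if "..%01" not in path.lower():    # case-insensitive, like the sed /i flag
            continue
        if m.group("status") != "200":     # only requests the server answered successfully
            continue
        # Keep what follows the last "%01": the file the traversal reached
        tail = re.split(r"%01", path, flags=re.IGNORECASE)[-1]
        found.add(unquote(tail))
    return sorted(found)

def traversal_sources(log_text):
    """Count traversal attempts per client address, regardless of status."""
    counts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and "..%01" in m.group("path").lower():
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts

if __name__ == "__main__":
    for p in disclosed_files(SAMPLE_LOG):
        print("read:", p)
    print(traversal_sources(SAMPLE_LOG))
```

Point it at the real log with disclosed_files(open("/var/webmin/miniserv.log").read()); anything beyond /etc/passwd and /etc/shadow in the result tells you what else to treat as exposed.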

Re: Webmin compromised along with whole machine

Posted: 2007/02/04 20:58:58
by pjwelsh
You are not actually "up-to-date" if you are running CentOS 4.3. CentOS 4.4 has been out for a while. You can try to run a "yum upgrade". But you may be better off (since the compromise) to just start over with a clean 4.4 install.

Re: Webmin compromised along with whole machine

Posted: 2007/02/05 09:20:41
by simonb
As I understand it, the minor version numbers are just versions of CentOS major numbers with security updates etc pre-applied. So if you install CentOS 4.0 and install all the updates you effectively get CentOS 4.4.

Each major release has a 5 year lifetime of updates. That's why the "enterprise" version of RH is used for stable server applications in preference to Fedora which would keep changing too much and be too unstable to be useful.

Re: Webmin compromised along with whole machine

Posted: 2007/02/05 13:14:40
by pjwelsh
Sorry, but CentOS 4.3 is "depreciated". From the 4.3 Readme:
http://isoredirect.centos.org/centos/4.3/readme
"This directory (and version of CentOS) is depreciated. For normal users,
you should use /4/ and not /4.3/ in your path. Please see this FAQ
concerning the CentOS release scheme:

http://www.centos.org/modules/smartfaq/faq.php?faqid=34

If you know what you are doing, and absolutely want to remain at the 4.3
level, go to http://vault.centos.org/ for packages."

AND the primary site contains *no updates* for 4.3.

Re: Webmin compromised along with whole machine

Posted: 2007/02/09 04:20:52
by fjones
I don't think Webmin is part of CentOS. To install webmin I enabled the DAG/rpmforge centos. I noticed a few months ago that the DAG/rpmforge RPM for webmin was an older vulnerable version.

Not only must you keep your CentOS up to date but any 3rd party RPMs you install must also be kept up to date. For things like Webmin I only allow access from my static IP at home via iptables. You could also disable access to webmin except from the localhost and access it via an ssh tunnel.

Regards,

fj