So I recently found out about a vulnerability in the popular system administration web interface, Webmin. I personally don't use Webmin, nor do I like it, since I think if you are going to have a Linux server, you or someone you pay to administer it for you should have the skills necessary to set it up correctly. So anyway, at work there were several customers that had it installed, and some used it and some didn't. Either way, most of them don't know anything about Linux or keeping their systems up to date (hence the need for Webmin) and had never updated Webmin since it was first installed.

So this vulnerability is pretty bad: it lets anyone who can reach the Webmin port, with no account on the box, read any file the Webmin process can read, and since Webmin normally runs as root that includes /etc/shadow. The attackers download /etc/shadow to their own computers and let those machines spend their idle CPU time cracking the password hashes offline, so no failed logins ever show up on the server. Once a user's password has been cracked, they simply log in to the server as that authorized user and set up camp. What a nuisance these hackers cause, especially when they decide to launch a denial of service attack and fill up the network with a UDP packet flood. Nice. Well, now that we know about it, it's no longer a problem, but man, I hate hackers!
So, how do you know if they have stolen your passwords through Webmin? Check /var/webmin/miniserv.log for a request that fetched your /etc/shadow file (grep for "shadow" case-insensitively, since the path in the request may be percent-encoded). I'm not going to post the actual line; that's the last thing I want, to give someone who doesn't know where to find it elsewhere the code they need to steal someone else's passwords. Bear in mind that if the log has been rotated or truncated since the attack, not finding the line proves nothing. If the file has been downloaded, shut down Webmin and change your passwords immediately: every account in /etc/shadow, not just the ones you think were used, because the whole file is in the attacker's hands.

Then check to see if there are any extra files in /tmp, /var/tmp, and in users' home directories. Really they can be anywhere a normal user can write to. Often they will be hidden directories, so make sure you use `ls -la` when listing the directories. One trick is to use the name ". ", a period followed by a space. To enter that directory you would have to type `cd ./. /`, and since the trailing space is invisible in plain `ls` output, GNU `ls -laQ` (which quotes the names) makes it stand out. Other times they will call them "..." or ".,." or ",,,", stuff like that. If you know how to clean up after a hacker, you may be able to clean it up; if you have no idea, it would be best to get someone else to work on it. Then, if you have to have it installed, upgrade to the latest version!
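As an added example (written for this post, not Webmin's own code), here is a small shell script that automates the two checks above: it pulls out of a miniserv.log any request that references etc/shadow in plain or slash-encoded form, and it lists directories whose names are made only of dots, commas and spaces. The sample log lines are constructed; the log format is assumed to be the common-log style Webmin writes, and the matching request in the sample uses a placeholder path, not the real request used in the attack.

```shell
#!/bin/sh
# Illustrative script for the checks described in the post above.
# Not part of Webmin. Log lines below are constructed; the suspicious
# request uses a placeholder path rather than the real exploit request.

# Print log lines whose request references etc/shadow, whether the slash
# is literal or percent-encoded (%2f / %2F). A request that percent-encodes
# the letters themselves (e.g. %73hadow) would need decoding first; this
# does not do that, so treat a hit as proof and a miss as inconclusive.
shadow_requests() {
    log="$1"
    grep -iE 'etc(/|%2f)shadow' "$log"
}

# Number of matching lines, so a caller can branch on it.
shadow_request_count() {
    shadow_requests "$1" | wc -l | tr -d ' '
}

# List directories under $1 (down to three levels) whose names consist
# only of dots, commas and spaces: ". ", "...", ".,.", ",,," and so on.
# IFS= with read -r keeps a trailing space in a name such as ". " intact.
# (Names containing a newline would still confuse this loop.)
odd_hidden_dirs() {
    base="$1"
    find "$base" -mindepth 1 -maxdepth 3 -type d -print | while IFS= read -r p; do
        name=${p##*/}
        if printf '%s\n' "$name" | grep -qE '^[., ]+$'; then
            printf '%s\n' "$p"
        fi
    done
}

# Write a constructed sample log in common-log style (remote host, user,
# timestamp, request line, status, bytes). The second line stands in for
# the malicious request; "/placeholder/" is not the real path.
make_sample_log() {
    out="$1"
    cat > "$out" <<'EOF'
192.0.2.10 - admin [01/Jan/2006:10:00:00 +0000] "GET /index.cgi HTTP/1.0" 200 1480
198.51.100.7 - - [02/Jan/2006:03:14:07 +0000] "GET /placeholder/etc%2Fshadow HTTP/1.0" 200 912
192.0.2.10 - admin [02/Jan/2006:09:00:00 +0000] "POST /useradmin/save_user.cgi HTTP/1.0" 302 0
EOF
}

# Usage on a real box (assumed paths):
#   shadow_requests /var/webmin/miniserv.log
#   odd_hidden_dirs /home; odd_hidden_dirs /tmp; odd_hidden_dirs /var/tmp
```

Run `shadow_requests` against the real miniserv.log first; if it prints anything, the file is gone and the password change has to happen regardless of what the directory scan turns up. The directory scan only covers the naming tricks mentioned above, so it is a starting point for a manual look, not a substitute for one.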