Webmin vulnerability exposing your passwords file (or any file)

There’s a security problem in Webmin that affects all versions prior to the latest one (1.290): arbitrary remote file access.

In short, anyone can grab any file from your server, in particular the passwords file /etc/shadow. Once a cracker has this file, he can run a brute force or rainbow table attack to recover the original Linux user passwords, giving him login privileges (including root) and therefore a full compromise of the server.

Do I run Webmin?

This is the easy part. Webmin is a web server that runs by default on port 10000, so you can see if it’s running by looking at https://yourip:10000 or http://yourip:10000 (Usermin, from the Webmin project, runs on port 20000).

Inside the server you can test if Webmin is running for instance with: ps aux|grep webmin or /etc/init.d/webmin status

To see if you have Webmin installed at all you can do a locate webmin (if locate complains, run updatedb first) or just:
find / -name webmin

To see the version of webmin you have: cat /etc/webmin/version
If the version is earlier than 1.290 and webmin is running then your server is vulnerable.

Have I been compromised?

To check if somebody has taken a file from your server using this exploit, you can see the webmin log for unauthenticated access with:
grep unauthen /var/webmin/miniserv.log | grep -v jpg

(the -v jpg is to disregard the display of an icon). Credit to Peter at Rimuhosting.

If you get any result, the end of each line will tell you which file has been taken:

w.x.y.z - - [23/Jul/2006:02:51:36 -0500] "GET /unauthenticated/..%01/..%01/%01/..%01/..%01/..%01/..%01/..%01//etc/shadow HTTP/1.1" 200 32

In this case we see that the cracker has copied the /etc/shadow password file (if the line ends with a 404 instead of a 200 "OK", that is HTTP for "not found" and you’re lucky), and we also get a timestamp and the IP of the intruder (w.x.y.z here to protect the guilty; in this day and age you never know who sues whom).
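The grep above works, but when the log is large it helps to turn each matching line into structured fields (who, when, which file, and whether the server actually served it). The following is an added example, not code from the post or from the Webmin project: a small parser for miniserv.log lines in the layout of the sample above. The log lines embedded in it are constructed for the demonstration (the first mirrors the page’s own sample, with the traversal pattern repeated a few times); the IP addresses and the login-page icon path are placeholders.

```python
import re
from dataclasses import dataclass

# Common-log-format layout as seen in the page's miniserv.log sample
# (assumption: every line of the log follows this shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Icons for the login page are legitimately served without authentication;
# the page's `grep -v jpg` skips them, this list does the same a bit more broadly.
IMAGE_EXT = ('.jpg', '.gif', '.png', '.ico')

# Constructed sample log (placeholder IPs; the first line follows the page's example).
SAMPLE_LOG = [
    'w.x.y.z - - [23/Jul/2006:02:51:36 -0500] "GET /unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01//etc/shadow HTTP/1.1" 200 32',
    '198.51.100.7 - - [23/Jul/2006:02:40:10 -0500] "GET /unauthenticated/images/webmin.jpg HTTP/1.1" 200 1410',
    '203.0.113.9 - - [24/Jul/2006:11:05:22 -0500] "GET /unauthenticated/..%01/..%01//etc/shadow HTTP/1.1" 404 0',
    '192.0.2.4 - - [24/Jul/2006:11:06:00 -0500] "GET /useradmin/ HTTP/1.1" 200 8120',
]


@dataclass
class UnauthRead:
    ip: str          # who made the request
    timestamp: str   # when, as written in the log
    target: str      # the file the request was really aimed at
    status: int      # HTTP status the server answered with
    served: bool     # True when the file was actually handed out (200)


def target_from_path(path: str) -> str:
    """Drop the /unauthenticated/ prefix and every '..' traversal segment,
    leaving the real file path, e.g. /etc/shadow."""
    rest = path.split('/unauthenticated/', 1)[1]
    rest = rest.split('?', 1)[0]
    segments = [s for s in rest.split('/') if s and not s.startswith('..')]
    return '/' + '/'.join(segments)


def parse_line(line: str):
    """Return an UnauthRead for a traversal request under /unauthenticated/,
    or None for any other line (malformed, authenticated, or a login icon)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group('path')
    if '/unauthenticated/' not in path:
        return None
    if path.lower().endswith(IMAGE_EXT):
        return None
    # The attack signature is a '..' traversal out of the unauthenticated tree.
    if '..' not in path:
        return None
    status = int(m.group('status'))
    return UnauthRead(ip=m.group('ip'), timestamp=m.group('ts'),
                      target=target_from_path(path), status=status,
                      served=(status == 200))


def find_unauthenticated_reads(lines):
    """All traversal requests in the given log lines, in log order."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def leaked_files(lines):
    """Only the files that were actually served (status 200), deduplicated."""
    return sorted({r.target for r in find_unauthenticated_reads(lines) if r.served})


if __name__ == '__main__':
    for r in find_unauthenticated_reads(SAMPLE_LOG):
        verdict = 'SERVED' if r.served else 'denied'
        print(f'{r.timestamp}  {r.ip:15}  {r.target}  {verdict}')
    print('files leaked:', leaked_files(SAMPLE_LOG))
```

On a real server, replace SAMPLE_LOG with the lines of /var/webmin/miniserv.log; a 404 entry still tells you someone tried, which is worth noting even though nothing was leaked.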

What do I do if I’ve been compromised?

This is just the short answer but basically:

1. Stop webmin if it’s running: service webmin stop or /etc/init.d/webmin stop
Confirm that it’s not running with ps aux|grep webmin

2. Change all your Linux user passwords.
Look at the users with passwords (for instance with less /etc/shadow); the file has fields separated by colons (:), and the second field is the encrypted password. Only root and the users you created will have a long string in that field; the rest have an asterisk * there, for instance:

root:$1$Jn3xi7Tp7$7jc0T725mD4eXLWh0wA581:13371:0:99999:7:::
bin:*:12821:0:99999:7:::
daemon:*:12821:0:99999:7:::

So change the password of all the Linux users with: passwd username
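To avoid missing an account when working through /etc/shadow by eye, the following added example (not code from the post) parses the file the way step 2 describes and lists the accounts whose password must be reset: those with a real hash in the second field, as opposed to a locked account (* or !). It also flags accounts with an empty second field, which can log in without any password at all, and names the hash algorithm from the $1$/$5$/$6$ prefix. The sample text uses the three lines from the page plus three constructed entries (alice, bob and guest; alice’s hash is not a real hash).

```python
from dataclasses import dataclass

# Page's /etc/shadow excerpt plus three constructed entries.
SAMPLE_SHADOW = """\
root:$1$Jn3xi7Tp7$7jc0T725mD4eXLWh0wA581:13371:0:99999:7:::
bin:*:12821:0:99999:7:::
daemon:*:12821:0:99999:7:::
alice:$1$cnstrctd$notarealhash0000000000:13371:0:99999:7:::
bob:!:13371:0:99999:7:::
guest::13371:0:99999:7:::
"""

# crypt(3) hash prefixes; $1$ is the MD5-based scheme seen in the page's root line.
CRYPT_PREFIXES = {'$1$': 'md5-crypt', '$5$': 'sha256-crypt', '$6$': 'sha512-crypt'}


@dataclass
class ShadowEntry:
    user: str
    hash_field: str   # second colon-separated field, verbatim

    @property
    def locked(self) -> bool:
        # '*' and '!' (or '!!') mean no password will ever match.
        return self.hash_field.startswith(('*', '!'))

    @property
    def passwordless(self) -> bool:
        # Empty field: login succeeds with an empty password.
        return self.hash_field == ''

    @property
    def has_password(self) -> bool:
        return not self.locked and not self.passwordless

    @property
    def algorithm(self) -> str:
        for prefix, name in CRYPT_PREFIXES.items():
            if self.hash_field.startswith(prefix):
                return name
        if self.has_password:
            return 'traditional-des-crypt'   # no $-prefix: 13-char DES hash
        return 'none'


def parse_shadow(text: str):
    """Parse shadow-format text into entries; blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(':')
        entries.append(ShadowEntry(user=fields[0], hash_field=fields[1]))
    return entries


def accounts_to_reset(text: str):
    """Users that actually have a password hash the attacker could crack."""
    return [e.user for e in parse_shadow(text) if e.has_password]


def passwordless_accounts(text: str):
    """Users with an empty password field; these need a password set or a lock."""
    return [e.user for e in parse_shadow(text) if e.passwordless]


def reset_commands(text: str):
    """The `passwd username` lines from the page, one per account to reset."""
    return [f'passwd {u}' for u in accounts_to_reset(text)]


if __name__ == '__main__':
    for e in parse_shadow(SAMPLE_SHADOW):
        state = 'locked' if e.locked else ('NO PASSWORD' if e.passwordless else e.algorithm)
        print(f'{e.user:10} {state}')
    print('\n'.join(reset_commands(SAMPLE_SHADOW)))
```

Run it as root with the real file (for instance by passing open('/etc/shadow').read() instead of SAMPLE_SHADOW) and work through the printed passwd lines; md5-crypt hashes in particular fall quickly to the brute force and rainbow table attacks the post mentions.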

Now, if you plan on using Webmin again, you have to upgrade to the latest version; do so by downloading it from http://webmin.com/ and installing it.

It's also a good idea to harden Webmin by changing the port it listens to and using IP Access Control, both options are in the Webmin configuration module.

If you are using only a few modules of Webmin you can check whether there are safer alternatives, for instance phpMyAdmin for administration of MySQL databases or SquirrelMail as a web mail client.

You also have to check whether the cracker has already logged in with one of the stolen usernames and passwords; you can see this with the ‘last -a’ command, looking for unrecognized login locations since the date the passwords were stolen.

This vulnerability is yet another reason to use ssh with key pairs only, in which case the cracker wouldn’t be able to log in (although other problems, like compromised email accounts, would persist).