Webmin compromised along with whole machine

simonb
Posts: 14
Joined: 2005/02/15 13:37:53

Webmin compromised along with whole machine

Post by simonb » 2007/02/04 09:36:35

I've had a server compromised via webmin using the exploit described here...
http://bliki.rimuhosting.com/space/knowledgebase/linux/miscapplications/webmin
...in the section "Changing passwords".

Running the following script identifies the files that were successfully read...

grep "\.\.%01" /var/webmin/miniserv.log | grep "[^0-9]200[^0-9]" | grep -o "%01\/[a-z][^ ]*" | sed 's/%01//gi' | sort -u

Of course, /etc/passwd and /etc/shadow are first on the menu!


I am curious how this happened. We have yum auto-update enabled and yum.log shows updates happening as expected. I can't see any recent security advisory about this (I haven't looked that hard yet though, maybe someone can point me to it). This is a show-stopping security hole.

The version of Webmin we have installed is,
webmin-1.250-1.2.el4.rf

The OS version is CentOS 4.3 and it has been updated automatically since installation.

Further to the previous report,
OK. I've just realised that webmin is not part of the standard CentOS4 install. It was downloaded from DAG.
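Added example, not part of simonb's post: a Python version of the grep pipeline above, run over constructed miniserv.log entries (the common-log layout is assumed), which also tallies traversal attempts the server refused so failed probes are not lost.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample entries in common-log layout (assumed format of
# /var/webmin/miniserv.log; these lines are made up for the example).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Feb/2007:03:11:02 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 1822
203.0.113.5 - - [04/Feb/2007:03:11:03 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/shadow HTTP/1.0" 200 901
203.0.113.5 - - [04/Feb/2007:03:11:04 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/webmin/miniserv.users HTTP/1.0" 404 0
203.0.113.5 - - [04/Feb/2007:03:11:05 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/shadow HTTP/1.0" 200 901
198.51.100.9 - - [04/Feb/2007:08:00:00 +0000] "GET /session_login.cgi HTTP/1.0" 200 2200
"""

# Common-log request line: host, ident, user, [time], "METHOD URL PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) \S+" (\d{3})\b')
# Same selection as the forum pipeline: the path after the final "..%01"
# traversal marker, i.e. "%01" followed by "/<letter>...".
PATH_RE = re.compile(r'%01(/[A-Za-z][^\s]*)', re.IGNORECASE)

def served_files(log_text):
    """Map each file read through the traversal (HTTP 200) to the client hosts."""
    served = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, url, status = m.groups()
        if "..%01" not in url.lower() or status != "200":
            continue  # not a traversal request, or the server refused it
        p = PATH_RE.search(url)
        if p:
            served[unquote(p.group(1))].add(host)
    return dict(served)

def attempt_counts(log_text):
    """Count traversal requests per HTTP status so denied attempts stay visible."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and "..%01" in m.group(2).lower():
            counts[m.group(3)] += 1
    return dict(counts)

if __name__ == "__main__":
    for path, hosts in sorted(served_files(SAMPLE_LOG).items()):
        print(f"{path}  read by {', '.join(sorted(hosts))}")
    print("attempts by status:", attempt_counts(SAMPLE_LOG))
```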

pjwelsh
Posts: 2598
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: Webmin compromised along with whole machine

Post by pjwelsh » 2007/02/04 20:58:58

You are not actually "up-to-date" if you are running CentOS 4.3. CentOS 4.4 has been out for a while. You can try to run a "yum upgrade". But you may be better off (since the compromise) to just start over with a clean 4.4 install.

simonb
Posts: 14
Joined: 2005/02/15 13:37:53

Re: Webmin compromised along with whole machine

Post by simonb » 2007/02/05 09:20:41

As I understand it, the minor version numbers are just versions of CentOS major numbers with security updates etc. pre-applied. So if you install CentOS 4.0 and install all the updates you effectively get CentOS 4.4.

Each major release has a 5 year lifetime of updates. That's why the "enterprise" version of RH is used for stable server applications in preference to Fedora which would keep changing too much and be too unstable to be useful.

pjwelsh
Posts: 2598
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: Webmin compromised along with whole machine

Post by pjwelsh » 2007/02/05 13:14:40

Sorry, but CentOS 4.3 is "depreciated". From the 4.3 Readme:
http://isoredirect.centos.org/centos/4.3/readme
"This directory (and version of CentOS) is depreciated. For normal users,
you should use /4/ and not /4.3/ in your path. Please see this FAQ
concerning the CentOS release scheme:

http://www.centos.org/modules/smartfaq/faq.php?faqid=34

If you know what you are doing, and absolutely want to remain at the 4.3
level, go to http://vault.centos.org/ for packages."

AND the primary site contains *no updates* for 4.3.

fjones
Posts: 32
Joined: 2005/07/05 06:05:10

Re: Webmin compromised along with whole machine

Post by fjones » 2007/02/09 04:20:52

I don't think Webmin is part of CentOS. To install webmin I enabled the DAG/rpmforge centos. I noticed a few months ago that the DAG/rpmforge RPM for webmin was an older vulnerable version.

Not only must you keep your CentOS up to date but any 3rd party RPMs you install must also be kept up to date. For things like Webmin I only allow access from my static IP at home via iptables. You could also disable access to webmin except from the localhost and access it via an ssh tunnel.

Regards,

fj
