knowledgebase/linux/miscapplications/webmin 1 Webmin (pre 1.290) Exploit In late June 2006 Security researchers discovered a webmin flaw that lets anyone (even someone without a webmin login) read any file on your server. http://www.webmin.com/security.html This is obviously quite serious. e.g. we believe this security flaw could be used to read the /etc/shadow file. And hackers could then more easily identify what user accounts are on your server and what passwords are being used. If you have not had webmin running since June 2006 then you are likely not affected by this. If you have been using webmin then: - log in to stop it. - upgrade webmin to the latest version. - change your passwords _and_ any other user's passwords you may have set on the server. - check the output of last -a to identify any unknown logins 1 Action Taken By RimuHosting RimuHosting installs webmin for customers who request/select it when ordering. So we have had customers running vulnerable versions of Webmin. On servers we have access to we have: - initially tried to stop webmin running on any server we have access to - upgraded webmin on servers that have webmin installed already - disabled webmin on servers that did not want to upgrade Additionally we have written this bliki entry to assist customers. And we will shortly be emailing customers whose servers we do not have access to so that they can upgrade or stop/disable webmin. 1 Stopping Webmin To stop webmin you can run the following code. Just paste it into an ssh session while running as root. It will stop webmin via the init script. Else it will find/kill webmin processes. {code} if [ -e /etc/init.d/webmin ]; then /etc/init.d/webmin stop fi webminline=$(ps auxf --width=200 | grep '[m]iniserv.co') if [ ! -z "$webminline" ] ; then echo killing off webmin kill -9 $(echo $webminline | awk '{print $2}') ps auxf --width=200 | grep '[m]iniserv.co' fi {code} 1 Upgrading Webmin To see what version of webmin you have, execute {code}cat /etc/webmin/version{code} If the version is 1.290 or newer (and webmin is not running) then just start it up with /etc/init.d/webmin start. If the version is older than 1.290 then you will need to upgrade webmin (or just not use it any more). You can upgrade webmin via the webmin UI if webmin is running. Else run the following code: {code} if which rpm 2>&1 > /dev/null ; then mkdir -p /etc/webmin rpm -Uvfh "http://apt.rimuhosting.com/webmin.rpm" fi if which dpkg 2>&1 > /dev/null ; then wget -q "http://apt.rimuhosting.com/webmin.deb" dpkg -i webmin.deb fi {code} 1 Disabling Webmin For Good If you do not use webmin then now may be a good time to disable it to protect yourself from any future vulnerabilities. Run this: {code} if [ -e /etc/init.d/webmin ]; then echo taking care of the webmin init script which chkconfig 2>&1 > /dev/null && chkconfig --del webmin which update-rc.d 2>&1 > /dev/null && update-rc.d webmin purge /etc/init.d/webmin stop rm -rf /etc/init.d/webmin fi webminline=$(ps auxf --width=200 | grep '[m]iniserv.co') if [ ! -z "$webminline" ] ; then echo killing off webmin kill -9 $(echo $webminline | awk '{print $2}') ps auxf --width=200 | grep '[m]iniserv.co' fi if [ -e /etc/webmin ]; then mv /etc/webmin /etc/webmin.insecureversion fi {code} 1 Changing Passwords If you were running a non-1.290 webmin at any point after June 2006 then your passwords may have been compromised. And other files on your server may have been viewed. You can see who has logged in recently by running last -a. You can change passwords via the passwd username command. You can see which users have passwords set by running (via ssh, as root): {code} cat /etc/shadow | grep -v --fixed-strings ':!!:' | grep -v --fixed-strings ':*:' {code} The first name in each of those lines is a user that has a password set. To see what attempts have been made to exploit your webmin setup run: {code} logfile=/var/webmin/miniserv.log if [ -e /var/log/webmin/miniserv.log ] ; then logfile=/var/log/webmin/miniserv.log fi grep unauthen $logfile | grep -v jpg | grep -v 404 {code} e.g. if that command outputs something like the following then someone has attempted to access (in this example) the /etc/shadow file: {code} 64.62.158.196 - - [05/Aug/2006:16:26:32 -0400] "GET /unauthenticated//..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow HTTP/1.1" 200 1634 {code} The 200 bit (at the end of the line) indicates the file was found/returned OK. 1 Running Webmin on LocalHost OK, the latest version fixes the problem. But what if there is another problem in the future. Well, you can make it so that webmin is only accessible via ssh. You can do this via a SSH tunnel. To setup a tunnel via SSH use: ssh -L 10000:localhost:10000 yourserverip to ssh to the server. If you are using Putty as your SSH client you can go to the SSH Tunnel page and add a Source port of 10000 and a Destination of localhost:10000. Now you can access webmin from your PC as https://localhost:10000/ while you have that SSH session running. Then use Webmin's Ports and Addresses to set webmin to listen only on the 127.0.0.1 IP/address. 1 Webalizer module problems Is webalizer showing stats for all sites, and not the virtual host log you want it to? Go to the modules main page, look down at the bottom of the page for the button that says "Edit Global Options". Delete the absolute path for the history and incremental files, usually just webalizer.hist and webalizer.current should appear in these boxes with no path specified. You want to leave an absolute path for the DNS cache file, usually /var/lib/webalizer/dns_cache.db. That way all vhosts can share the cache. Webalizer-mod docs are here: http://doxfer.com/Webmin/WebalizerLogfileAnalysis 1 Getting Help If you have any _general_ comments/suggestions/questions then these can be posted at http://forums.rimuhosting.com/forums/showthread.php?p=795#post795 . If you (are a rimuhosting customer and) need _specific_ help with anything related to this issue, please pop in a support ticket. 2007-04-18 22:10:45.0 2006-08-11 16:17:01.0