Perhaps something that offers reasons for concern about?

pdropi · December 22, 2021, 9:55pm

SYSTEM INFORMATION

OS type and version: Ubuntu Linux 20.04.3	REQUIRED
Webmin version: 1.981	REQUIRED
Virtualmin version: 6.17	REQUIRED
Related products version: Usermin version 1.823	RECOMMENDED

Hello!

While testing a new and fresh install of virtualmin 6.17 on Ubuntu Linux 20.04.3, i realized that there was a connection on port 10000 that was not mine or from any authorized user, because there is none on this server yet. In a searching on another old in production server of ours and apparently without security problems, we found several suspicious connections (from different countries) on the webmin/virtualmin and usermin ports.

Some examples og connections (same standard in new version) from an old Ubuntu Linux 14.04.1
Webmin version 1.710 Virtualmin version 4.11

netstat -anp | grep ESTABLISHED
tcp 0 0 my_server_ip:20000 123.160.221.52:29122 ESTABLISHED 23017/perl
tcp 0 0 my_server_ip:20000 123.160.221.52:58036 ESTABLISHED 2483/perl
tcp 0 0 my_server_ip:20000 123.160.221.52:23134 ESTABLISHED 25560/perl
tcp 0 0 my_server_ip:20000 27.115.124.36:28104 ESTABLISHED 19745/perl
tcp 0 0 my_server_ip:20000 20.52.182.46:49214 ESTABLISHED 16099/perl
tcp 0 0 my_server_ip:10000 104.152.52.129:50571 ESTABLISHED 26946/perl
tcp 0 0 my_server_ip:20000 123.160.221.52:14892 ESTABLISHED 21342/perl
tcp 0 0 my_server_ip:20000 122.228.19.80:55865 ESTABLISHED 12215/perl
tcp 0 0 my_server_ip:20000 122.228.19.80:11176 ESTABLISHED 8988/perl
tcp 0 0 my_server_ip:10000 80.82.77.240:64344 ESTABLISHED 24518/perl
tcp 0 0 my_server_ip:20000 27.115.124.75:43732 ESTABLISHED 29511/perl
tcp 0 0 my_server_ip:20000 27.115.124.36:13091 ESTABLISHED 19753/perl
tcp 0 0 my_server_ip:10000 104.152.52.106:59139 ESTABLISHED 2181/perl
tcp 0 0 my_server_ip:10000 89.248.165.52:44488 ESTABLISHED 28057/perl
tcp 0 0 my_server_ip:10000 104.152.52.198:44825 ESTABLISHED 25193/perl
tcp 0 0 my_server_ip:20000 159.65.207.2:61000 ESTABLISHED 30483/perl
tcp 0 0 my_server_ip:10000 13.40.128.180:46431 ESTABLISHED 9887/perl
tcp 0 0 my_server_ip:20000 27.115.124.37:41959 ESTABLISHED 19736/perl
tcp 0 0 my_server_ip:20000 111.7.96.149:48604 ESTABLISHED 32295/perl
tcp 0 0 my_server_ip:20000 122.228.19.80:50835 ESTABLISHED 31041/perl
tcp 0 0 my_server_ip:20000 80.246.28.12:58566 ESTABLISHED 30069/perl
tcp 0 0 my_server_ip:20000 123.160.221.38:51096 ESTABLISHED 11843/perl
tcp 0 0 my_server_ip:20000 183.136.226.4:40748 ESTABLISHED 7715/perl
tcp 0 0 my_server_ip:20000 101.227.1.196:59095 ESTABLISHED 6132/perl
tcp 0 0 my_server_ip:20000 120.52.152.20:22892 ESTABLISHED 30709/perl
tcp 0 0 my_server_ip:20000 80.82.77.240:64344 ESTABLISHED 16605/perl
tcp 0 0 my_server_ip:20000 183.136.226.3:16748 ESTABLISHED 4486/perl
tcp 0 0 my_server_ip:20000 123.160.221.44:42550 ESTABLISHED 19407/perl
tcp 0 0 my_server_ip:20000 123.160.221.38:30666 ESTABLISHED 11551/perl

All proccess are from:
/usr/bin/perl /usr/share/usermin/miniserv.pl /etc/usermin/miniserv.conf

Someone, please, can help me with an answer to a question?:
Is there any reason for concern or is it just something that usually occurs, like miniserv.pl not closing old invalid connections or another thing that offers no danger?

tpnsolutions · December 22, 2021, 10:24pm

@pdropi,

You know, it could be as simple as someone has visited the login screen of Virtualmin which runs on that port…

If you’re concerned, you can always block the unknown IP address via a firewall rule.

pdropi · December 23, 2021, 4:37pm

tpnsolutions, thank you very much for your reply!
You’re correct. It could be something simple (i hope so) but I sent the question just to try to make sure.
When we visit the virtualmin login screen, our ip stays connected for a while, but soon the connection is interrupted. For both virtualmin and usermin login screen.

Some of the worrying connections are old, eg:
tcp 0 0 serv_ip:20000 123.160.221.44:42550 ESTABLISHED 19407/perl
tcp 0 0 serv_ip:10000 89.248.165.52:44488 ESTABLISHED 28057/perl

sudo ps -ef | grep 19407
root 19407 2270 0 Oct17 ? 00:00:00 /usr/bin/perl /usr/share/usermin/miniserv.pl /etc/usermin/miniserv.conf

sudo ps -ef | grep 28057
root 28057 25468 0 Oct15 ? 00:00:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf

This data is from today, Dec23.

I monitored for a while some processes with the strace command, what took some of my fear as i did not find suspicious activity but, the connections are still open and i don’t know why these connections remain open, why doesn’t the miniserv close them and if i can really ignore it.

I appreciate suggestions in order to understand the miniserv behavior and to discard possibility of open security breach for virtuamin/webmin/usermin users!

tpnsolutions · December 23, 2021, 5:50pm

@pdropi,

The IP 123.x.x.x noted above is from a Chinese subnet. It could be used by a malicious player. They might be maintaining the connection at their end, perhaps attempting to hack your system, though that’s really just speculation.

The IP 89.x.x.x noted above is owned by some company called “Recyber”. Their whois records had this to say about their intent…

This net-block is not trying to hack you, we are only scanning for LEGIT purposes ONLY. This scanning is done by multiple security organizations.

Please use The Recyber Project to have your ip-address and/or netblock/as number white-listed and excluded from this project.

If you have any further questions please contact admin@recyber.net

pdropi · December 23, 2021, 6:31pm

Hi tpnsolutions, thank you, one more time. I’ve already done the whois query. Some connections are very suspicious, like 80.82.77.240, from Seychelles. As these are old persistent connections, i believe the miniserv could have closed them after a while, as it does with normal connections.

tpnsolutions · December 23, 2021, 7:47pm

@pdropi,

If you’d like, there is a way to configure your firewall to automatically block traffic from certain countries and suspicious IPs. I pointed out a tutorial in another thread on here which basically periodically updates the firewall rules for you. Seemed like a nifty project, and implementation which I am considering giving a go myself.

pdropi · December 23, 2021, 8:30pm

Thank you tpnsolutions, but it is not a solution.
I can not just block some countries, if it has a security issue, it will continue to country ips released to legitimate users.
My question is to understand the miniserv behavior and to discard possibility of security issues for virtuamin/webmin/usermin users. I’m not looking for a workaround.
A “solution” while I’m not finding out if it’s a security problem would be to completely close the webmin and usermin ports via the firewall and access miniserv only via reverse proxy on localhost, from apache or nginx, but it is not what i am looking for, especially for a in production server.

pdropi · January 13, 2022, 9:48pm

@tpnsolutions, thank you for atention!

Do you have an installation with webmin and usermin ports open to the public? When you type netstat -anp | grep ESTABLISHED, does any unwanted/suspicious/ connection that is not soon closed by the miniserv, like most? There is no one with the same problem?
With me, it happens on different servers that have default ports open, new and old.

system · March 14, 2022, 9:49pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.