I just wanted to make a note here. The problem with the growing popularity of Virtualmin is that the vultures are there also. My bad here, I didn’t change Webmin’s “admin” username on a box I was populating, and within days a “phishing” hacker got in and placed his coding in a cPanel-migrated website, though I think it was more just the first website listed.
He’d created his own website first, and for whatever reason decided to bury the phishes into a deep website (probably because we don’t check everyone’s website until someone shouts at us).
Bottom line, lose the admin username right away, and here we typically choose a port other than 10000 and 20000 for Webmin and Usermin respectively, because that’s public also.
My suspicion is that it’s a webmin user using the webmin server search. Is that a possibility, Joe?
Having the username “admin” poses no risk. It’s the password that is.
Google search will find any site https/port if it’s linked from any website. Even referrers are vulnerable to be used for searches.
The bottom line is the passwords are the key to a secure server. Not a web search or webmin search.
I have used a webmin install that has the default "admin" username for 4 years and I have never been hacked and the address is public.
If he had admin access you should be happy that all he did was add a phishing website and didn’t just delete your entire server.
Actually we’ve been using admin for years with no problem, but changed the port all the time. This was a new install on a new OS still assigned to port 10000 and I probably did something stupid while tweaking. I’d thought he got in through the reseller DEMO I have on there. So now that you mention it, that site does have a published link containing the IP and port because the domain doesn’t stay masked when you access it.
Probably 50% of our log activity is hacking attempts. My question to Joe was, could a webmin user use the search to narrow his pool to webmin servers.
Of course he could but he would still need to know the ports and use a dictionary password attack to hack your install.
This strictly boils down to a bad password that was used. Nothing is secure if you use a password that is weak, be it for webmin or a website.
By the way you should be limiting the IP access and number of tries to get admin access before they are locked out.
Also changing the ports all the time does nothing to stop a hacker. They could always use Nmap and port scan until they find the webmin port. You are wasting your time and over thinking this.
Check your PASSWORDS !!! Make sure they ARE NOT easy and contain UPPER/lower/numbers in them.
Having a user name means nothing.
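
One way to check the IP restriction and failed-login lockout recommended in the last reply, as an added example that is not part of the original thread. It assumes the `allow`, `blockhost_failures`, `blockhost_time`, `blockuser_failures` and `blockuser_time` keys of Webmin's `miniserv.conf` (verify them against your version); the sample config is constructed.

```python
# Added example: audit Webmin's miniserv.conf for the IP allow list and
# failed-login lockout suggested in the thread.
import sys

# Constructed sample config (not from a real server): lockout is disabled.
SAMPLE_CONF = """\
port=10000
ssl=1
blockhost_failures=0
blockhost_time=60
"""

def parse_conf(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def positive(conf, key):
    """True when the key holds an integer greater than zero."""
    value = conf.get(key, "")
    return value.isdigit() and int(value) > 0

def audit(conf):
    """Return (key, message) findings for missing login protections."""
    findings = []
    if not conf.get("allow"):
        findings.append(("allow", "no allow list: any IP can reach the login page"))
    for prefix, what in (("blockhost", "per source host"), ("blockuser", "per username")):
        if not positive(conf, prefix + "_failures"):
            findings.append((prefix + "_failures", "no failed-login limit " + what))
        elif not positive(conf, prefix + "_time"):
            findings.append((prefix + "_time", "limit set but lockout time is 0 or missing"))
    return findings

if __name__ == "__main__":
    # Pass the path to miniserv.conf (commonly /etc/webmin/miniserv.conf).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for key, message in audit(parse_conf(text)):
        print(f"WARN {key}: {message}")
```

Run it with the path to the config as the only argument; with no argument it audits the constructed sample and reports three findings.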