Someone Changed The Password

Lately I noticed someone changed my users’ passwords and even the root password.
I tried to trace it from the secure log file but never saw anyone change the password in the log. I suspect it may have been changed from Webmin.

Is there any way I can track the password change in Webmin?

SYSTEM INFORMATION
OS type and version: CentOS Linux 5.8
Webmin version: 1.480

Ah, you are on CentOS 5.8? Did you not see the End of Life warning on the Webmin Dashboard? CentOS has been sunset in 2017. We are now in 2025.

With such an old version of Webmin, I would guess not.

Buddy, your system is very likely welcoming anyone who wants to walk in. CentOS 5.8 reached end of life nearly a decade ago, there’s no way there isn’t some exploitable service running, probably several.

Webmin 1.480 probably has security bugs, too.

You can’t run outdated software on a network-facing server.

Understood, my version is obsolete, but I’m waiting for a good time to migrate or upgrade.

While waiting, is there any way I can check or trace how the password change action was executed?

Time to destroy that box. Once rooted it is of no use to you and probably a source of danger to others - start afresh with a new box and make a big note to self to keep up to date!

There is no point in trying to chase down how this happened, or who did it, without the forensic kit of tools.


Webmin has an action log (/var/webmin/webmin.log, but also miniserv.log and miniserv.error), but if root is exploited, you can’t trust anything you read. root can delete or modify logs, any executable or config files, etc. A rooted system is gone, you can never trust it again, because the attacker can hide their tracks completely.
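An added example (not part of the thread and not Webmin's own code) of filtering a copy of the action log named above for account-change entries and grouping them by client IP. The line layout and the module names `passwd` and `useradmin` are assumptions to check against the real file, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed action-log layout (check it against your own webmin.log):
# id [DD/Mon/YYYY HH:MM:SS] user session ip module script "action" "type" "object" ...
LINE_RE = re.compile(
    r'^(?P<id>\S+) \[(?P<when>[^\]]+)\] (?P<user>\S+) (?P<session>\S+) '
    r'(?P<ip>\S+) (?P<module>\S+) (?P<script>\S+) '
    r'"(?P<action>[^"]*)" "(?P<type>[^"]*)" "(?P<object>[^"]*)"'
)

# Assumed names of the modules that can change account passwords.
ACCOUNT_MODULES = frozenset({"passwd", "useradmin"})

# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = """\
1325412000.1001.0 [01/Jan/2012 10:00:00] root a1b2c3 192.0.2.10 apache restart.cgi "apply" "" ""
1325498700.1002.0 [02/Jan/2012 10:05:00] root d4e5f6 203.0.113.7 passwd save_passwd.cgi "passwd" "" "alice"
1325498760.1003.0 [02/Jan/2012 10:06:00] root d4e5f6 203.0.113.7 useradmin save_user.cgi "modify" "user" "root"
this line is truncated or otherwise damaged
"""

def account_changes(lines, modules=ACCOUNT_MODULES):
    """Return (hits, unparsed): entries from account modules, and bad line numbers."""
    hits, unparsed = [], []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            unparsed.append(number)   # damaged lines deserve a manual look
        elif match["module"] in modules:
            hits.append(match.groupdict())
    return hits, unparsed

def by_source(hits):
    """Group the affected accounts by (client IP, Webmin login)."""
    grouped = defaultdict(list)
    for hit in hits:
        grouped[(hit["ip"], hit["user"])].append(hit["object"])
    return dict(grouped)

if __name__ == "__main__":
    hits, unparsed = account_changes(SAMPLE_LOG.splitlines())
    for (ip, user), accounts in by_source(hits).items():
        print(f"{ip} logged in as {user} changed: {', '.join(accounts)}")
    print("unparsed lines:", unparsed)
```

An empty result from a real file shows only that no such entries remain in that file, since the log may have been edited.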

CentOS 5.8 Release Notes

Last updated: March 28th, 2012

It’s not April 1, is it?


Thanks. I will investigate anything suspicious in the log.

At the same time, I have also changed the root password.

I plan to reinstall with a fresh, latest version.