My server was configured with CSF restricting access to Webmin to my own specified IP range. Also, TCP Wrappers were configured with both “perl” and “miniserv.pl” to allow only these specified IPs. Also, Webmin was configured to allow root access only to my specified IPs inside the Webmin configuration. Perl libraries for TCP Wrappers were installed. All these protections were tested before but became useless.
–
Edited: I have submitted this post as a support ticket; I think it’s a better place.
Of course, I post here hoping for some improvement or thoughts.
I don’t know exactly how they get access to this. The server has run for a couple of years without any issue.
I believe they go directly against miniserv.pl, although I don’t know for sure. Now I observe that as soon as I log in as root in Webmin, they get access by getting the session.id. Probably they have now installed some alert.
They are not accessing by SSH or other ways. Probably they don’t touch other things, hoping I don’t see the attack.
What amazes me is the bypass of CSF and TCP Wrappers. Iptables rules and ports are the same. No changes, even when they are logged in.
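
A first triage step for the situation described in the post, as an added example that is not part of the original post: list every logged request whose source address falls outside the allowed range, which separates a real filter bypass from requests arriving through an allowed address. It assumes the Webmin access log uses Common Log Format style lines; the sample lines, the addresses (documentation ranges) and the function name are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: one request per line, Common Log Format style:
#   ip ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def outside_allowlist(lines, cidrs):
    """Return {source_ip: [(timestamp, user, request, status), ...]} for
    requests that did not come from an allowed network. Lines that cannot
    be parsed are kept under the key None so they get reviewed by hand."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    hits = defaultdict(list)
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        try:
            ip = ipaddress.ip_address(m["ip"]) if m else None
        except ValueError:
            ip = None
        if ip is None:
            hits[None].append(line)
            continue
        # An IPv4 client seen on a dual-stack socket may be logged as
        # ::ffff:a.b.c.d; compare it as the IPv4 address it really is.
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not any(ip in net for net in nets):
            hits[str(ip)].append((m["ts"], m["user"], m["req"], int(m["status"])))
    return dict(hits)

# Constructed sample input, not taken from any real server.
SAMPLE_LOG = """\
192.0.2.10 - root [01/Jan/2024:10:00:00 +0000] "GET /session_login.cgi HTTP/1.1" 200 512
203.0.113.77 - root [01/Jan/2024:10:00:05 +0000] "GET /sysinfo.cgi HTTP/1.1" 200 2048
::ffff:192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET / HTTP/1.1" 401 128
garbage line
"""
ALLOWED = ["192.0.2.0/24"]  # constructed allowlist

if __name__ == "__main__":
    for src, events in outside_allowlist(SAMPLE_LOG.splitlines(), ALLOWED).items():
        print(src, events)
```

If the suspicious requests all come from allowed addresses, the packet filter and TCP Wrappers were not bypassed, and the investigation moves to how the session was obtained on the allowed side.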