Webmin hacked bypassing CSF

My server was configured with CSF restricting access to Webmin to my own specified IP range. Also, TCP Wrappers were configured with both “perl” and “miniserv.pl” to allow only these specified IPs. Also, Webmin was configured to allow root access only from my specified IPs inside the Webmin configuration. Perl libraries for TCP Wrappers were installed. All these protections were tested before but have become useless.

Edited: I have submitted this post as a support ticket; I think it's a better place.


Would it be possible to share the full contents of this post in the support tracker, where Jamie can take a closer look?

If there is a security issue, we’d certainly like to take a closer look into that – and we’d need Jamie’s help to figure that out.



Of course. I post here hoping for some improvement or thoughts.
I don't know exactly how they got access. The server has run for a couple of years without any issue.
I believe they go directly against miniserv.pl, although I don't know for sure. Now I observe that as soon as I log in as root in Webmin, they access it, getting the session ID. Probably now they have installed some alert.

They are not accessing via SSH or other ways. Probably they don't touch other things, hoping I don't see the attack.

Amazing to me is the bypass of CSF and TCP Wrappers. Iptables rules and ports are the same. No changes, even when they are logged in.

You need to make sure that CSF isn’t running in TESTING mode. You don’t need to bother about TCP wrappers or anything else when using CSF.

What makes you really think that your Webmin was hacked?

restricting access to Webmin to my own specified IP range.

Those entries are added to the /etc/csf/allow.csf file, thus the Webmin port should be closed in the CSF configuration in TCP_IN and TCP6_IN.

It’s very possible that you didn’t follow the syntax correctly for creating an IP range in the allow file, or didn’t remove the Webmin port from the allowed ones.
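As an added example (not part of this thread, and not CSF's or Webmin's own code), here is a small POSIX shell audit of the three points the replies above raise: CSF left in TESTING mode, the Webmin port still listed in TCP_IN/TCP6_IN so it is open to every source address, and allow-file entries that CSF would not parse. The csf.conf and allow-file fragments are constructed samples embedded inline; the Webmin port (10000), the 203.0.113.0/24 admin range (a documentation range) and the usual /etc/csf/csf.conf and /etc/csf/csf.allow locations are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread or from CSF/Webmin.
# Audits: TESTING mode, Webmin port open in TCP_IN/TCP6_IN, allow-file syntax.
# All configuration below is constructed; port and IP range are assumptions.

WEBMIN_PORT=10000   # assumed Webmin (miniserv) port

# Constructed csf.conf fragment in the weak state: TESTING on, and port
# 10000 listed in TCP_IN/TCP6_IN, i.e. reachable from any address.
WEAK_CONF='TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,10000"
TCP6_IN = "20,21,22,25,53,80,110,143,443,10000"'

# Constructed corrected fragment: TESTING off and the Webmin port removed,
# so only an allow-file entry can reach it.
FIXED_CONF='TESTING = "0"
TCP_IN = "20,21,22,25,53,80,110,143,443"
TCP6_IN = "20,21,22,25,53,80,110,143,443"'

# Constructed allow-file entries using CSF's advanced filter syntax
# proto|direction|d=port|s=source. A dash range for the source is assumed
# here to be the kind of syntax slip meant above; a CIDR block is accepted.
WEAK_ALLOW='tcp|in|d=10000|s=203.0.113.0-203.0.113.255'
FIXED_ALLOW='tcp|in|d=10000|s=203.0.113.0/24'

# IPv4 address with an optional /prefix, as an extended regex (unanchored).
IPV4_CIDR='([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?'

# csf_testing_enabled CONF: true when TESTING = "1". In that mode CSF's
# cron job periodically flushes the firewall, so allow/deny rules do not
# stay in effect.
csf_testing_enabled() {
  printf '%s\n' "$1" | grep -q '^TESTING *= *"1"'
}

# csf_port_open CONF PORT: true when PORT appears verbatim in TCP_IN or
# TCP6_IN (port ranges such as 30000:35000 are not expanded).
csf_port_open() {
  printf '%s\n' "$1" \
    | sed -n -e 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' \
             -e 's/^TCP6_IN *= *"\([^"]*\)".*/\1/p' \
    | tr ',' '\n' | grep -qx "$2"
}

# csf_allow_entry_ok ENTRY PORT: true when ENTRY is a bare IP/CIDR (which
# allows every port from that source) or a tcp|in|d=PORT|s=IP/CIDR filter.
csf_allow_entry_ok() {
  printf '%s\n' "$1" \
    | grep -Eq "^($IPV4_CIDR|(tcp|udp)[|]in[|]d=$2[|]s=$IPV4_CIDR)$"
}

# csf_audit CONF ALLOW PORT: print one FAIL line per finding; status 0 only
# when there are none.
csf_audit() {
  conf=$1 allow=$2 port=$3 problems=0
  if csf_testing_enabled "$conf"; then
    echo "FAIL: TESTING = \"1\" in csf.conf, the firewall is flushed on a timer"
    problems=$((problems + 1))
  fi
  if csf_port_open "$conf" "$port"; then
    echo "FAIL: port $port is in TCP_IN/TCP6_IN, open to every source address"
    problems=$((problems + 1))
  fi
  # Split the allow file on newlines only, so each line is one entry.
  IFS='
'
  for entry in $allow; do
    if ! csf_allow_entry_ok "$entry" "$port"; then
      echo "FAIL: allow entry not understood for port $port: $entry"
      problems=$((problems + 1))
    fi
  done
  unset IFS
  [ "$problems" -eq 0 ]
}

# Run directly: audit both constructed states.
echo "== weak csf.conf / allow file =="
csf_audit "$WEAK_CONF" "$WEAK_ALLOW" "$WEBMIN_PORT" || echo "=> fix these before trusting the allow list"
echo "== corrected csf.conf / allow file =="
csf_audit "$FIXED_CONF" "$FIXED_ALLOW" "$WEBMIN_PORT" && echo "=> Webmin reachable only from the allow-file source"
```

On a real host you would pass it the contents of /etc/csf/csf.conf and /etc/csf/csf.allow (for example with `csf_audit "$(cat /etc/csf/csf.conf)" "$(cat /etc/csf/csf.allow)" 10000`). Two caveats the check makes visible: a bare IP or CIDR entry in the allow file opens every port from that source, so the `tcp|in|d=PORT|s=...` form is the one that actually scopes the exception to Webmin, and none of this matters while TESTING is on, because the rules are being flushed underneath you.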

