Webmin hacked

It does not matter though if login via account is disabled and logging in via SSH key is in place.

@coderinthebox exactly… you are very right there. As I mentioned earlier, SSH keys will reduce this to 100%, and with fail2ban properly deployed even more (it will save some bandwidth, you know)… changing ports is just not enough; perhaps (speaking for me only, personally) a waste of time.

Thanks, all very good. I like the script/hangouts/login idea… Disabling the root login is another thing I use; then if anyone tries a root login, they are banned instantly.

I used to use fail2ban, and still have it set up as a fall-back, but now I use OSSEC, which does more of the same thing but as a network tool, including a Tripwire-type scan, login notifications, etc. It means if someone does something annoying on one machine, I can block that IP/user on all machines I have responsibility for.

Changing the port is not a waste of time, but it should never be used as the only prevention against hacking attempts. It's a fact that the majority of hacking/scanning bots are hitting default ports, and using non-standard ports will eliminate most of them. Using keys instead of passwords, closing unused ports, fail2ban or other security software: all this will help to increase your overall security, so moving to non-default ports is just one small piece of the bigger picture.

The only reason to leave default ports is in cases like shared hosting, some technical requirement, or a client who for whatever reason wants to use them.
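As an added example (not code from the thread, and not Webmin's or Virtualmin's own), here is the policy the posts above describe, "ban anyone who tries a root login instantly, everyone else after a few password failures", expressed as a shell script over sshd log lines. Key-based logins never produce "Failed password" lines, which is why keys plus fail2ban work so well together. The log lines, IP addresses, threshold and iptables rule shape below are assumptions constructed for illustration; the format follows CentOS 6 /var/log/secure.

```shell
#!/bin/bash
# Added example (not from the thread): decide which source IPs to ban from
# sshd log lines, the way a fail2ban setup with a root-specific filter
# (maxretry=1) next to a general sshd jail (maxretry=N) behaves.

# Constructed sample log lines for offline use; not captured from a real host.
SAMPLE_LOG='Aug  7 11:02:13 host sshd[2201]: Failed password for root from 203.0.113.5 port 41234 ssh2
Aug  7 11:02:20 host sshd[2203]: Failed password for invalid user admin from 198.51.100.9 port 40011 ssh2
Aug  7 11:02:31 host sshd[2204]: Failed password for invalid user admin from 198.51.100.9 port 40012 ssh2
Aug  7 11:02:44 host sshd[2206]: Failed password for invalid user oracle from 198.51.100.9 port 40013 ssh2
Aug  7 11:03:01 host sshd[2210]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Aug  7 11:03:15 host sshd[2212]: Failed password for invalid user test from 192.0.2.44 port 51000 ssh2'

# ban_candidates THRESHOLD < logfile
# Prints, one per line and sorted, every IP that tried to log in as root
# (banned on the first attempt, since root login over SSH is disabled) plus
# every IP with at least THRESHOLD failed password attempts of any kind.
# Successful key logins ("Accepted publickey") are never counted.
ban_candidates() {
  local threshold=${1:-3}
  awk -v t="$threshold" '
    /sshd\[[0-9]+\]: Failed password for/ {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      if ($0 ~ /Failed password for root from/) root_try[ip] = 1
      fails[ip]++
    }
    END {
      for (ip in root_try) ban[ip] = 1
      for (ip in fails) if (fails[ip] >= t) ban[ip] = 1
      for (ip in ban) print ip
    }' | LC_ALL=C sort
}

# ban_rules THRESHOLD < logfile
# Emits one iptables DROP rule per candidate. Review the output, then pipe
# it to sh; nothing in this script changes the firewall by itself.
ban_rules() {
  ban_candidates "$1" | while read -r ip; do
    printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
  done
}

# Usage on a live host:   ban_rules 3 < /var/log/secure | sh
# Offline demo against the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3
```

The root-login rule fires on a single attempt because, with PermitRootLogin disabled and keys in use, there is no legitimate reason for anyone to present a password for root. A real deployment would also expire the rules; fail2ban does that with bantime, which this sketch leaves out.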

Of course it's not a waste of time and can be useful, and it's good advice as well; I was saying that as my personal opinion.

Both my servers have been hit too, my real server and my home/backup server. Not sure if it is the same issue or not.

Webmin version 1.801 Virtualmin version 5.04
Operating system CentOS Linux 6.8

I run chkrootkit and see ‘suckit’ infected:
Searching for Suckit rootkit… Warning: /sbin/init INFECTED

I see that I had a (hacked) script running on the server, /etc/webmin/status/monitor.pl, and it produces files in /tmp/.webmin:

d---------     2 root root  4096 Aug  7 11:25 204159_2211_2_status.pl
d---------     2 root root  4096 Aug  7 11:25 24501_2089_2_monitor.pl
d---------     2 root root  4096 Aug  7 11:10 248937_25009_2_status.pl
d---------     2 root root  4096 Aug  7 11:45 289317_6865_2_status.pl
d---------     2 root root  4096 Aug  7 11:15 333563_32736_2_status.pl
d---------     2 root root  4096 Aug  7 11:15 371546_32619_2_monitor.pl
d---------     2 root root  4096 Aug  7 11:30 469862_3129_2_monitor.pl
d---------     2 root root  4096 Aug  7 11:20 474562_1179_2_monitor.pl 

SELinux has caused major problems too; still trying to sort that out.

I rebooted my home server and now I am unable to boot it up due to a kernel panic. I can get access through the terminal, but only in limited shell mode. I tried a USB live distro but still cannot get in.

I also get ‘rm: command not found’, which means I can’t delete any of the hacker’s files. So now I have a script changing permissions to 000 that stops the files getting accessed.

How were they able to hack into the /sbin/init file? It seems they used SELinux security, which caused the home server to boot up with a kernel panic: ‘not syncing: Attempted to kill init!’

I also found a .scan folder and a ‘scan’ user.

It does look like I’ll have to set up both servers from scratch now.

The root user can do anything, including replace system files, like init. SELinux can prevent some kinds of exploit, but it is currently disabled by default on Virtualmin systems due to the user unfriendliness of it; it causes a ton of confusing errors for many folks, and can be tricky to diagnose if you don’t know how SELinux works. It’s probably time to stop disabling it, by default, even though the problems with usability still exist. The tools for overcoming those usability failings are somewhat better now. Anyway, one can run Virtualmin with SELinux enabled, if you set the right booleans (mostly the ones related to httpd and user home directories).

So, what the attacker modifies is up to the attacker, if they obtain root privileges (so, the fact that they changed init only tells you with certainty that they obtained root, and nothing about how they got in). Your version of Webmin is not subject to the exploit being discussed in this thread, so unless it happened weeks ago it would be unrelated to this bug. But, they obviously got in somehow, and figuring out how would be useful, so you know what to fix on the new system.

And, you’re right that reinstalling the OS is the only certain way to know the system is clean; even if you could delete everything you found, with a system that has been rooted, it is very difficult to know for sure you got everything. Your attacker looks clumsy, and like they’re using off-the-shelf rootkit stuff, but it’s difficult to be certain.
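As an added example (not code from the thread, and not from Webmin or Virtualmin), here are first-pass triage helpers for the situation described in the two posts above: chkrootkit flags /sbin/init, hidden mode-000 drop directories sit under /tmp, `rm` has gone missing, and an extra ‘scan’ account has appeared. The point Joe makes is that the box is being rebuilt anyway, so the useful work is preserving evidence of how the attacker got in, not cleaning. The absolute tool paths are CentOS 6 defaults, the quarantine directory and the /etc/passwd excerpt are constructed assumptions, and `rpm -V` is the real RPM verify command (its output is only as trustworthy as the rpm binary on a rooted host).

```shell
#!/bin/bash
# Added example (not from the thread): triage helpers for a suspected root
# compromise on an RPM-based host. Paths and sample data are assumptions.

# On a rooted box the shell's PATH, rm, ls and friends cannot be trusted
# (the thread's "rm: command not found" is one symptom). Use absolute paths,
# and ideally run from rescue media with the disk mounted read-only.
FIND=/usr/bin/find
MV=/bin/mv
MKDIR=/bin/mkdir
CHMOD=/bin/chmod
SHA256=/usr/bin/sha256sum
STAT=/usr/bin/stat
QUARANTINE=/root/quarantine   # assumed location, on a partition you keep

# Constructed /etc/passwd excerpt: a second UID-0 account named 'scan'
# hidden among normal entries. Not taken from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
scan:x:0:0::/home/scan:/bin/bash
deploy:x:500:500::/home/deploy:/bin/bash'

# uid0_accounts < passwd : accounts with UID 0 other than root. Any hit is
# a persistence mechanism, whatever the original entry point was.
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# unknown_accounts NAME,NAME,... < passwd : accounts absent from a known-good
# baseline (a passwd copy from a backup or a fresh install of the same OS).
unknown_accounts() {
  awk -F: -v base="$1" '
    BEGIN { n = split(base, a, ","); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    !($1 in known) { print $1 }'
}

# verify_owned_binaries FILE... : ask RPM whether each file still matches
# the package that installed it. A "5" (digest) or "S" (size) flag on a
# binary such as /sbin/init means it was replaced. Config files legitimately
# differ and are not what this filter is for. rpm itself may be trojaned on
# a rooted host, so treat a clean result as weak evidence only.
verify_owned_binaries() {
  local f
  for f in "$@"; do
    rpm -Vf "$f" 2>/dev/null |
      awk -v f="$f" '$NF == f && $1 ~ /[5S]/ { print "MODIFIED " f " (" $1 ")" }'
  done
}

# suspicious_tmp_entries : hidden names under /tmp (like /tmp/.webmin and
# its children) and anything with mode 000, as seen in the thread's listing.
suspicious_tmp_entries() {
  "$FIND" /tmp -maxdepth 2 \( -path '/tmp/.*' -o -perm 000 \) 2>/dev/null
}

# quarantine FILE : preserve rather than delete. Records hash and metadata,
# then moves the file aside and strips its permissions so it can still be
# examined later to work out how the attacker got in.
quarantine() {
  local f=$1
  "$MKDIR" -p "$QUARANTINE" || return 1
  { "$SHA256" "$f"; "$STAT" "$f"; } >> "$QUARANTINE/evidence.log" 2>&1
  "$MV" "$f" "$QUARANTINE/" && "$CHMOD" 000 "$QUARANTINE/${f##*/}"
}

# Typical run on the compromised host. The output feeds the rebuild notes;
# it does not make the system clean, reinstalling does.
#   uid0_accounts < /etc/passwd
#   unknown_accounts "$(cut -d: -f1 /mnt/backup/etc/passwd | paste -sd,)" < /etc/passwd
#   verify_owned_binaries /sbin/init /bin/rm /bin/ls /usr/bin/find
#   suspicious_tmp_entries
#   quarantine /etc/webmin/status/monitor.pl
```

Before any of this, copy off the logs you will need to answer Joe's "how did they get in" question: /var/log/secure, the Webmin miniserv log under /var/webmin, the Apache access logs, and the output of `last` and `lastb`. Timestamps on the quarantined files and on the /tmp/.webmin entries give you a window to search those logs in.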

Joe, thanks for the feedback.

It happened at least 7-10 days or more ago. I probably didn’t notice due to working heavily on a project for the last month.