hack lesson?
Dustin Cross
dusty at sandust.com
Fri Jan 11 23:49:32 PST 2002
I don't know what version of webmin you are running but there is only one known
vulnerability (that I know of anyway) in the current version (0.91). It is a
directory traversal exploit using ../../; read about it at
http://xforce.iss.net/static/7711.php. I definitely wouldn't open webmin up to the
world, but it is safer than using telnet which millions still do!
Dusty
P.S. - You can't clean up after being hacked! You never know what was done, so
make sure you format and reinstall!
R Scott Belford (sctinc at mac.com) wrote:
>
>I guess that I was asking for this, if such a thing is possible. Some
>of you will laugh and some may be interested. It's a good story. This
>morning, a little after I posted a response about rpm's and webmin,
>someone entered my machine. It was right as I was being responded to
>and warned about the explicit dangers perl creates. I obviously should
>have realized this as someone was determined to teach me a lesson by
>damage rather than words.
>
>I noticed around 2:30 this afternoon, when running top, that several
>pid's owned by root had been consuming a lot of processor cycles for
>about 5.25 hours. They were running /usr/bin/perl. When I looked at my
>gui process manager, several programs with unfamiliar names were
>running. I was unable to terminate these by kill -9 pid. I elected to
>restart my machine. Typical windoze fix, but I was hoping to stop the
>processes. Upon restarting, I am unable to get a terminal on the redhat
>box. It keeps flashing for a second, then disappears. Someone has put
>the x server in some kind of loop that keeps me from the prompt. I'd
>log in from my Debian box, but they went in there too. I log in to it,
>enter a password, and am returned to the login prompt. At least I get a
>prompt on it. Unkind but funny. I ssh in from my windoze box and ps
>-ax shows a complicated x command running that seems to be causing my
>redhat login difficulties. Attempts to kill this pid fail as its pid
>number keeps changing. These are teasing hacks, I know, but I just
>can't fix them (yet.)
>
>So, obviously there is some kind of vulnerability that perl has created
>for me which I was warned about then exploited through. No harm done, I
>keep backups of my worthless data. My time is not so valuable that I
>care about reinstalling. Someone can pat themselves on the back for
>it. What is a shame, though, is that I clearly upset someone reading
>this mailing list earlier who decided to show me how smart they were.
>The coincidence is too uncanny. Rather than share their knowledge to
>the better of all, they have abused my poor little box. I guess that
>shows me how much smarter real sysadmins are than newbies.
>
>I have an appetite for humble pie, though, and will only grow wiser from
>this experience. If this perl vulnerability is in any way related to
>webmin, then let me be the first to say to be wary of it. I have no
>certainty of this, though, and would be more wary about spreading fud.
>When I learn what is of value from this hack, I'll let any of you know
>who are interested. If you have any insights into what tricks have
>been played here, perhaps you will share them. I'd love to make
>something good out of this.
>
>scott