hack lesson?

Dustin Cross dusty at sandust.com
Fri Jan 11 23:49:32 PST 2002


I don't know what version of webmin you are running but there is only one known 
vulnerability (that I know of anyway) in the current version (0.91).  It is a 
directory traversal exploit using ../../; read about it at 
http://xforce.iss.net/static/7711.php.  I definitely wouldn't open webmin up to the 
world, but it is safer than using telnet which millions still do!

Dusty

P.S. - You can't clean up after being hacked!  You never know what was done, so 
make sure you format and reinstall!


R Scott Belford (sctinc at mac.com) wrote: 
>
>I guess that I was asking for this, if such a thing is possible.  Some
>of you will laugh and some may be interested.  It's a good story.  This
>morning, a little after I posted a response about rpm's and webmin,
>someone entered my machine.  It was right as I was being responded to
>and warned about the explicit dangers perl creates.  I obviously should
>have realized this as someone was determined to teach me a lesson by
>damage rather than words.
>
>I noticed around 2:30 this afternoon, when running top, that several
>pid's owned by root had been consuming a lot of processor cycles for
>about 5.25 hours.  They were running /usr/bin/perl.  When I looked at my
>gui process manager, several programs with unfamiliar names were
>running.  I was unable to terminate these by kill -9 pid.  I elected to
>restart my machine.  Typical windoze fix, but I was hoping to stop the
>processes.  Upon restarting, I am unable to get a terminal on the redhat
>box.  It keeps flashing for a second, then disappears.  Someone has put
>the x server in some kind of loop that keeps me from the prompt.  I'd
>log in from my Debian box, but they went in there too.  I log in to it,
>enter a password, and am returned to the login prompt.  At least I get a
>prompt on it.  Unkind but funny.  I ssh in from my windoze box and ps
>-ax shows a complicated x command running that seems to be causing my
>redhat login difficulties.  Attempts to kill this pid fail as its pid
>number keeps changing.  These are teasing hacks, I know, but I just
>can't fix them (yet).
>
>So, obviously there is some kind of vulnerability that perl has created
>for me which I was warned about then exploited through.  No harm done, I
>keep backups of my worthless data.  My time is not so valuable that I
>care about reinstalling.  Someone can pat themselves on the back for
>it.  What is a shame, though, is that I clearly upset someone reading
>this mailing list earlier who decided to show me how smart they were.
>The coincidence is too uncanny.  Rather than share their knowledge to
>the better of all, they have abused my poor little box.  I guess that
>shows me how much smarter real sysadmins are than newbies.
>
>I have an appetite for humble pie, though, and will only grow wiser from
>this experience.  If this perl vulnerability is in any way related to
>webmin, then let me be the first to say to be wary of it.  I have no
>certainty of this, though, and would be more wary about spreading fud.
>When I learn what is of value from this hack, I'll let any of you know
>who are interested.  If you have any insights into what tricks have
>been played here, perhaps you will share them.  I'd love to make
>something good out of this.
>
>scott
>
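The traversal class Dusty points to (a `../../` request path that walks above the directory a web application means to serve from) is easiest to see with the weak pattern beside a hardened one. What follows is an added example written for this archive page; it is not code from Webmin or from either poster. The document root `/srv/www` and the request strings are constructed sample values, and the function names are hypothetical.

```python
import os
from urllib.parse import unquote


def naive_join(docroot: str, requested: str) -> str:
    """The traversal-prone pattern: glue the (decoded) request onto the root.

    Nothing here stops "../" segments from walking above docroot, and a
    request that starts with "/" makes os.path.join discard docroot entirely.
    """
    return os.path.normpath(os.path.join(docroot, unquote(requested)))


def resolve_inside(docroot: str, requested: str) -> str:
    """Resolve a request path and refuse anything that escapes docroot.

    Steps: percent-decode first (servers receive "..%2F.." as well as "../"),
    drop a leading "/" so the request is always relative to the root,
    canonicalise both sides with realpath (symlinks and ".." collapsed),
    then require the canonical result to still sit under the canonical root.
    """
    root = os.path.realpath(docroot)
    relative = unquote(requested).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath() compares whole path components, so a sibling such as
    # "/srv/www-old" is not mistaken for something inside "/srv/www".
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"traversal rejected: {requested!r} -> {candidate}")
    return candidate


def is_inside(docroot: str, requested: str) -> bool:
    """Boolean form of resolve_inside, handy for request filtering or logging."""
    try:
        resolve_inside(docroot, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample input: a hypothetical document root and request paths.
    DOCROOT = "/srv/www"
    SAMPLE_REQUESTS = [
        "index.html",
        "css/../index.html",
        "../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
        "/etc/passwd",
    ]
    for req in SAMPLE_REQUESTS:
        print(f"{req:26} naive={naive_join(DOCROOT, req):22} inside={is_inside(DOCROOT, req)}")
```

The check is done on canonical paths rather than on the request string, so variants that a substring filter for `../` misses (percent-encoded dots, a `..` placed after a legitimate directory name, an absolute request path) are all judged by where they actually land on disk.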
