# Webmin exploit on the loose!



## Francisco (Oct 23, 2014)

Hello everyone,

This evening we noticed a fairly large spike in outbound traffic. After a bit of investigating and suspensions, it looks like there's a WEBMIN related exploit on the loose.

As of right now we're seeing UDP floods pounding away at 91.217.189.77, so if you have sFlow, port mirrors, or basic tcpdump knowledge (read further down), keep an eye on it.

It looks like the exploit is just the bash exploit tied together with webmin doing poor validation inside /usr/share/webmin/session_login.cgi.

I've also spotted the following inside /tmp on every VPS so far:

```text
total 232K
drwxrwxrwt 5 root root 4.0K Oct 23 03:37 ./
drwxr-xr-x 21 root root 4.0K Oct 17 06:51 ../
-rwxr-xr-x 1 root root 172K Oct 21 16:33 arm*
drwxrwxrwt 2 root root 4.0K Oct 17 06:51 .ICE-unix/
-rwxr-xr-x 1 root root 37K Oct 21 17:09 mips*
drwxr-xr-x 2 root root 4.0K Oct 17 06:51 .webmin/
-rw-r--r-- 1 root root 0 Oct 21 17:41 .x
drwxrwxrwt 2 root root 4.0K Oct 17 06:51 .X11-unix/
```

The 'arm' file looks to be an IRC bot: http://pastebin.com/nfsqr7fx
EDIT - Removed the bot commands and moved them to pastebin instead.

Francisco
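Two checks a practitioner would run on a box after reading the post above, as an added example that is not part of Francisco's post: whether the local bash still executes trailing code from function definitions passed in the environment (the "bash exploit" the post refers to, CVE-2014-6271), and whether a directory holds the dropped files seen in the /tmp listing. Assumptions: a bash binary on PATH for the first check, and that the artefacts carry exactly the names from the listing (arm, mips, .x). Nothing here touches the network.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes: bash on PATH for shellshock_check; IOC names taken from the
# /tmp listing in the post (arm, mips, .x). No network access.

# Is the local bash still importing trailing code from function definitions
# passed in the environment (CVE-2014-6271, "Shellshock")?
# Prints "vulnerable", "patched" or "unknown" (no bash found).
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return 0; }
    # An unpatched bash runs "echo SHOCKED" while importing the function x;
    # a patched one only runs the -c command and warns on stderr.
    local out
    out=$(env x='() { :;}; echo SHOCKED' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *SHOCKED*) echo vulnerable ;;
        *)         echo patched ;;
    esac
}

# Print the artefact names from the listing that exist in DIR (default /tmp),
# one ls -ld line per hit so size and mtime come along for the incident notes.
scan_tmp_iocs() {
    local dir name
    dir=${1:-/tmp}
    for name in arm mips .x; do
        if [ -e "$dir/$name" ]; then
            # -ld so a directory carrying an IOC name is still reported
            ls -ld "$dir/$name"
        fi
    done
}

# What to look at next if a hit shows up (run by hand, not part of the checks):
#   strings /tmp/arm | grep -iE '[a-z0-9-]+\.[a-z]{2,}'   # hostnames, as Francisco did
#   tcpdump -nn -i eth0 'udp and dst host 91.217.189.77'  # the flood target named above
```

Run `shellshock_check` on each suspect VPS and `scan_tmp_iocs /tmp` on the same pass; an empty scan and a "patched" result do not prove the host is clean (the bot may have been dropped before bash was updated, and the files can live elsewhere), they only rule out the two indicators the post gives.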


----------



## rds100 (Oct 23, 2014)

So is it exploitable if bash is updated, or only if an old / vulnerable bash version is used?


----------



## splitice (Oct 23, 2014)

Oh lovely, time to brace for the attacks.


----------



## Francisco (Oct 23, 2014)

rds100 said:


> So is it exploitable if bash is updated, or only if an old / vulnerable bash version is used?


I'd assume if the user is patched up they're OK, but didn't Debian 6 withhold bash and only put it in the security repository?

I think in total we've had about a dozen or so people that got exploited.

EDIT - Grammar

Francisco


----------



## rds100 (Oct 23, 2014)

Where does the bot connect to? x.secureshellz.net ?


----------



## Francisco (Oct 23, 2014)

rds100 said:


> Where does the bot connect to? x.secureshellz.net ?


I'd assume so given it was the only hostname I could spot with strings.

Francisco


----------



## TheLinuxBug (Oct 23, 2014)

I saw a rash of these with old bash versions and old versions of Webmin on CentOS 5 servers. Once Webmin is upgraded to the newest version and bash is upgraded, it seems to remove the entry point. Our customers were managed, so we migrated them anyway to new servers on CentOS 6 to be safe, after scanning the migrated contents with a malware scanner.

Once the versions of Webmin and bash were upgraded I didn't see further access to the server. To me, that is no guarantee that things are secure. I always suggest migrating a server after it's been exploited, better safe than sorry.

The attack was generally to drop a payload with an IRC bot and a DDoS attack script or proxy. In most cases when we found the issue it was because the server was pushing larger than normal outbound traffic, usually trying to utilise up to full port speed, non-stop. We have an alert in our monitoring that comes in if any of our servers start wildly using bandwidth.

Cheers!
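The "server is suddenly pushing full port speed" alert TheLinuxBug describes, as an added example that is not part of the post: outbound rate computed from two /proc/net/dev snapshots taken a known number of seconds apart, with a threshold check that can drive a monitoring alert. The two snapshots in the block are constructed sample data rather than captures from a real host; the interface name, the 10 s interval and the 50 Mbit/s threshold are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes Linux /proc/net/dev format; snapshots below are constructed.

# Transmitted bytes for interface IFACE from /proc/net/dev text on stdin.
# The kernel prints "eth0:123456789" with no space once the counter is
# wide, so split on the colon rather than trusting whitespace fields.
tx_bytes() {
    awk -v iface="$1" '
        { line = $0; sub(/^[ \t]+/, "", line)
          n = index(line, ":"); if (n == 0) next
          if (substr(line, 1, n - 1) != iface) next
          split(substr(line, n + 1), f, " ")   # f[1..8] receive, f[9] = tx bytes
          print f[9]; exit }'
}

# Outbound rate in Mbit/s between two snapshots:
#   tx_rate_mbps BEFORE_TEXT AFTER_TEXT IFACE SECONDS
tx_rate_mbps() {
    local b a
    b=$(printf '%s\n' "$1" | tx_bytes "$3")
    a=$(printf '%s\n' "$2" | tx_bytes "$3")
    awk -v b="$b" -v a="$a" -v s="$4" \
        'BEGIN { printf "%.1f\n", (a - b) * 8 / s / 1000000 }'
}

# Exit 0 when RATE exceeds THRESHOLD Mbit/s, i.e. when the alert should fire.
tx_alert() {
    awk -v r="$1" -v t="$2" 'BEGIN { exit !(r > t) }'
}

# Constructed snapshots: eth0 sent 75,000,000 bytes in the 10 s between them,
# which is 60.0 Mbit/s; note the "eth0:987654321" column with no space.
SNAP_BEFORE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345      100    0    0    0     0          0         0    12345      100    0    0    0     0       0          0
  eth0:987654321 1200000    0    0    0     0          0         0 1000000000  900000    0    0    0     0       0          0'
SNAP_AFTER='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345      100    0    0    0     0          0         0    12345      100    0    0    0     0       0          0
  eth0:987700000 1200500    0    0    0     0          0         0 1075000000  950000    0    0    0     0       0          0'

# Live use on a host (assumed interface and threshold):
#   s1=$(cat /proc/net/dev); sleep 10; s2=$(cat /proc/net/dev)
#   rate=$(tx_rate_mbps "$s1" "$s2" eth0 10)
#   tx_alert "$rate" 50 && echo "ALERT: eth0 pushing ${rate} Mbit/s outbound"
```

Pick the threshold from the port speed rather than a fixed number (a 100 Mbit/s VPS saturating at 95 Mbit/s is the signature described in the thread), and sample from the host node or switch counters where you can, since a compromised guest can lie about its own counters.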


----------



## DomainBop (Oct 23, 2014)

Francisco said:


> didn't debian 6 withhold bash and only put it in the security repository?


The updated Squeeze bash is in the LTS repos.  Anyone who is using Squeeze and isn't running LTS at this point is an idiot and a walking target.

```text
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free
```


----------



## ukvpsguy (Oct 23, 2014)

I've reported the domain to Namecheap (the registrar) for abuse. 

After checking Google, it seems this version of the exploit has been around for a few years; surprised it's not been reported earlier.


----------



## InertiaNetworks-John (Oct 23, 2014)

Ahh webmin. Have not used it in years. Are you guys using this on your production customer servers?


----------



## MartinD (Oct 23, 2014)

InertiaNetworks-John said:


> Ahh webmin. Have not used it in years. Are you guys using this on your production customer servers?


I doubt anyone here is using it... but customers may well be.


----------



## Francisco (Oct 23, 2014)

InertiaNetworks-John said:


> Ahh webmin. Have not used it in years. Are you guys using this on your production customer servers?


Why would we be using webmin.....

Anyway, no, but we had a good handful of customers all exploited at the same time over both locations.

Everything was flooding at the same IP address.

It's possible that they've been exploited for a while and only now picked a target to wreck.

Francisco


----------



## Nick_A (Oct 23, 2014)

We had about the same number of people hacked this morning. Wasn't fun waking up to 6Gbps UDP outbound in multiple locations.


----------



## WhizzWr (Nov 1, 2014)

Right. Customers might be using webmin... and I am a customer.

Anyway, I'm only opening the webmin port to certain IP. I do have the latest bash, and I put two factor auth on the webmin login.

Should I assume I'm safe from this exploit?


----------



## perennate (Nov 1, 2014)

WhizzWr said:


> Right. Customer might be using webmin.. and I am customer.
> 
> Anyway, I'm only opening the webmin port to certain IP. I do have the latest bash, and I put two factor auth on the webmin login.
> 
> Should I assume I'm safe from this exploit?


Well, this exploit involves an issue in bash, so if you've updated bash to the version that's not vulnerable to "shellshock" then you're safe from this exploit. And if it's only open to your IP then an attacker can't get to it. So not sure what your question is? I mean, it seems like you basically stated that you're safe from the exploit and explained why with what security actions you took, and then for some reason (maybe to make your post seem more relevant?) asked if you're safe.


----------



## WhizzWr (Nov 1, 2014)

I have taken some security measures, but I'm no security expert nor a techie. So I genuinely just want to make sure those are enough (i.e. I'm not sure if I'm really safe).

That said, you just answered my questions, thank you.


----------

