Had a strange attack on a webmin server this weekend. Probably not a webmin problem, but just in case I thought I would report it.
Around 10PM Eastern a remote user at an AOL address attempted to log on once to one of my webmin servers via account "admin" and was rejected because of a bad password. Then the same IP attempted to log in as user "steve" and was successful on the first try.
This machine had only 3 webmin users defined - admin, steve, & a third name. None of the passwords were vulnerable to dictionary attack, although steve's was only 5 characters long. All have been changed now.
By the time I was notified of the problem, the intruder had a few hours' head start on me installing various root kits. Since this machine was supporting live content for hundreds of users, I had to decide to either pull the data plug or fight while still online. I chose the fight and battled for a few hours closing various ports and hunting down alien & subverted files. In the end, I won the race. In hindsight, after finding all that was installed, I should have pulled the plug right away. There were at least three times where I had just blocked a specific evil action and the intruder tried to do that same action within 5 minutes. If I had stopped for a cup of coffee, I would have lost everything on the machine.
In the end, he/she/they threw a nasty denial of service attack against the server, and every night since has unleashed a few nasty kiddy scripts against the same machine.
AOL was less than helpful; they didn't even respond to my report.
I assume that we were the victim of some sort of social engineering attack, as there is no way they could have got the password in one try. We're reviewing our internal procedures and controls. But, just in case others have had a successful crack of user passwords in one attempt, it would indicate a security problem.