SORBS now blocking servers with webmin installed

#1 Sun, 02/15/2009 - 20:54
sgrayban

SORBS has just started blocking all IPs that have port 10000 open, claiming it's a backdoor, which is entirely false and malicious.

Additional information on the host is: Likely Backdoor installed Port: 10000

I just checked 3 servers that were being blocked and that is the reason from SORBS.

Anyone that is having issues needs to contact SORBS like I did and bitch them out for blocking without due cause. LIKELY does not mean it is.....

Mon, 02/16/2009 - 10:01
Joe

I can't find any reference to this new policy on the SORBS site or in a Google search, and none of my mail servers show up in a SORBS database search (and obviously all of them run Webmin, on port 10000). Could you email me a link to the full error report on the host?

--

Check out the forum guidelines!

Mon, 02/16/2009 - 11:14
sfatula

All I see is that the record was created way back last June, and this comment:

"Currently inactive and not flagged to be published in DNS."

So, haven't you been on their list for 8 months?

It says your server is exploitable. It doesn't say due to webmin. How do you know that? Where do you see the port 10000 message? I do not see it when going to your link.

Mon, 02/16/2009 - 11:28 (Reply to #4)
sfatula

I do see this note on a site; makes me wonder....

"This is the kiddies looking for hosts running Webmin or Usermin. There is a vuln from June 30 2006 (BID 18744; CVE-2006-3392) which allows an attacker to request an arbitrary file from the remote host without authenticating to webmin. The mass auto-rooters that I've captured for this vuln request /etc/shadow, and then send the file via email to a yahoo account by default. There was also a Metasploit module published recently for the vuln. There is also a format string bug and integer overflow in Webmin, but there are no public sploits for them (CANVAS has one). Versions of Webmin older than 1.290 are affected by BID 18744, as well as versions of Usermin older than 1.220. If you're running Webmin or Usermin, take a look at your miniserv.log (/var/log/webmin/miniserv.log). You should see a great deal of requests for /etc/shadow. Usermin also runs on port 20000. Look for a directory called w, and/or a file called pscan2. Both these were used in the auto-rooters I was able to capture."

So, are you using an older version?

It is also used by OpwinTrojan.

Certainly, contact SORBS and ask for more info. Also, realize SORBS doesn't scan your host UNLESS you send mail to a SORBS host. So, this means mail did go from your server to a SORBS host of some sort at some time.

Of course, you can also change your webmin port.
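The quoted note above gives two things an admin can check on a host that SORBS has flagged: whether miniserv.log shows unauthenticated requests for /etc/shadow, and whether the installed Webmin or Usermin is older than the releases it names as fixed (1.290 and 1.220). The script below is an added example, not code from the thread or from the Webmin project; the sample log lines are constructed, and the common-log-style layout of miniserv.log and the numeric (float-like) comparison of Webmin version strings are assumptions.

```python
"""Added example (not from the thread): scan a miniserv.log excerpt for
requests that reach for /etc/shadow or use path traversal, and compare an
installed Webmin/Usermin version against the fixed releases the quoted
note names (Webmin 1.290, Usermin 1.220)."""
import re
from urllib.parse import unquote

# Fixed versions taken from the quoted note; anything older is unpatched.
FIXED_VERSIONS = {"webmin": 1.290, "usermin": 1.220}

# Constructed sample of miniserv.log lines (assumed common-log-style layout).
# Two lines mimic the scanner traffic the note describes: an unauthenticated
# request whose encoded path resolves to /etc/shadow.
SAMPLE_LOG = """\
10.0.0.5 - root [16/Feb/2009:10:01:12 +0000] "GET /system/ HTTP/1.1" 200 4312
192.0.2.77 - - [16/Feb/2009:10:02:44 +0000] "GET /unauthenticated/..%2F..%2F..%2Fetc/shadow HTTP/1.0" 200 1260
10.0.0.5 - root [16/Feb/2009:10:03:01 +0000] "POST /useradmin/save_user.cgi HTTP/1.1" 302 0
198.51.100.9 - - [16/Feb/2009:10:05:19 +0000] "GET /unauthenticated/%2e%2e/%2e%2e/etc/shadow HTTP/1.0" 200 1260
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP')


def scan_log(text):
    """Return (client_ip, decoded_path) for every request that, once
    URL-decoded, names /etc/shadow or contains a '../' traversal step."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # Decode percent-encoding so %2e%2e and ..%2F are seen as '..' / '/'.
        path = unquote(match.group(1))
        if "/etc/shadow" in path or "../" in path:
            client_ip = line.split()[0]
            hits.append((client_ip, path))
    return hits


def is_unpatched(product, version):
    """True if the given Webmin/Usermin version predates the fixed release.
    Webmin version strings such as '1.290' compare correctly as decimal
    numbers (1.290 < 1.300), so float() is used here (assumption)."""
    fixed = FIXED_VERSIONS[product.lower()]
    return float(version) < fixed


if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {path}")
    for product, ver in (("webmin", "1.280"), ("usermin", "1.220")):
        state = "UNPATCHED" if is_unpatched(product, ver) else "ok"
        print(f"{product} {ver}: {state}")
```

Run it against the real file with `scan_log(open("/var/log/webmin/miniserv.log").read())`; a flagged host that also shows an old version is exactly the situation the quoted note describes, and upgrading (or at least changing the port and enabling SSL, as discussed later in the thread) is the fix rather than arguing with the blocklist.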

Mon, 02/16/2009 - 11:28 (Reply to #5)
sgrayban

They just cleared 78.47.67.145 -- they cleared all the ones they said 10000 were likely backdoors after I royally bitched them out for being stupid idiots.

*likely* does not mean it is.......

Mon, 02/16/2009 - 12:01
sfatula

Excellent! I never had any of mine added, been running webmin for at least 3-4 years. But, I always used SSL and I always changed the port from 10000 as well.

Maybe they won't do any more then. At least we hope!
