Hi,
You say malicious code inserted into Webmin and Usermin
and your Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution.
On our server this is set to "Always deny users with expired passwords" for Webmin.
Is it the same for Usermin? In what part did the malicious code get inserted in to Usermin? In the same "Authentication" setting for Usermin the default is set to "Prompt users with expired passwords to enter a new one". When I changed it to "Always deny users with expired passwords" i got an error: "Failed to save authentication : Failed to open PID file", but the change seems to be saved. Is this because Usermin wasn't running, we don't use usermin so it is never running... or should I be worried???
Regards, Leffe
Comments
Submitted by andreychek on Mon, 08/19/2019 - 11:43 Comment #1
Howdy -- thanks for contacting us!
If Usermin isn't running, there wouldn't be any issues. It would have to be running for any sort of exploit to have take place.
Also, since the update, there's no need to change those options either. That is, there's nothing inherently wrong with using "Password expiry policy set to Prompt users with expired passwords to enter a new one".
I don't know the answer to your other questions, but I'll pass this along to Joe for additional comment.
Submitted by Blueforce on Mon, 08/19/2019 - 17:14 Pro Licensee Comment #2
Thanks Eric,
Okay, Then I don't have to worry, and that's the main thing for me!
Best regards, Leffe
Submitted by andreychek on Thu, 08/22/2019 - 20:02 Comment #3
Based on your question in the Forums, and with our better understanding of what happened, I wanted to revisit this --
We've learned that there was a window of time early when the malicious code was first added, where it could have been exploited even if the password changing option weren't enabled. That period appears to be about 3 months.
That is a window of time where your server could still have been compromised. We believe it's unlikely, as the exploit wasn't widely used until recently.
But we can't say with certainty nothing could have happened.
You'd need to weigh the risk and decide what direction to go.
Unfortunately, the only way to be 100% sure would be to perform a clean install.
We're already planning a migration (prior to all this), and will likely just use that as a way to ensure the server is clean.
For my personal servers, it probably comes down to what they're being used for. I'm not too concerned about them, I think my risk is very low, but those hosting more sensitive data I may do a clean install for.
Submitted by Blueforce on Thu, 08/22/2019 - 20:17 Pro Licensee Comment #4
Hi Eric
I guess you have read my post #52 and #54 in Forum News "Webmin 1.930 and Usermin 1.780 released".
And I think I will go the more safe route and wipe and clean install... I'm already preparing for it now during the night. My only question right now is - Is the installer and packages clean and safe to install!
Regards, Leffe
Submitted by andreychek on Thu, 08/22/2019 - 20:59 Comment #5
Yeah, we haven't seen any sort of compromise other than the Webmin one that's been disclosed. When we migrate our systems to the new datacenter, we'll be using this same installer as yourself.