From: Jamie C. <jca...@we...> - 2005-07-01 11:19:32
Were these extra processes very long-lived? I have begun to see some of
these connections on my own servers, but any processes caused by them
will disappear after the 60-second timeout.

 - Jamie

On Fri, 2005-07-01 at 19:03, Frank Hutcheon wrote:
> Hi,
>
> I upgraded our server in the office here to 1.216 yesterday afternoon to
> see if it would help with these extra webmin processes / connections but
> when I got back into the office this morning there were a few
> "unauthorised" connections as with 1.210 and a few webmin processes
> running which shouldn't have been.
>
> I decided to implement an ACL to Webmin (rather than firewall off port
> 10000 to all except us) and restarted it and since then they've all
> dropped and not come back as far as I can see.
>
> Cheers,
>
> Frank
>
> Frank Hutcheon
> Systems Manager
> Web Integrations
> 2 Market Square
> Stonehaven
> AB39 2BT
> www.webintegrations.co.uk
> Tel: +44 (0)1569 763300
>
> -----Original Message-----
> From: web...@li...
> [mailto:web...@li...] On Behalf Of Grant Peel
> Sent: 30 June 2005 14:15
> To: web...@li...
> Subject: Re: [webmin-l] Webmin Processes
>
> Thanks Jamie, yer-da-best, in the meantime, I have sent all data to the
> offending ISP (IP-69-88-4-162), hawaiiteleport.com.
>
> Will let you know what happens there...if anything.
>
> -Grant
>
> ----- Original Message -----
> From: "Jamie Cameron" <jca...@we...>
> To: <web...@li...>
> Sent: Thursday, June 30, 2005 9:02 AM
> Subject: Re: [webmin-l] Webmin Processes
>
> > I've been researching this some more, and found that there is a recent
> > exploit for NDMP servers that also run on port 10000. This doesn't work
> > on Webmin, but if some attackers are making masses of connections to
> > port 10000 in order to attempt to exploit this problem in another
> > server, it could hang up Webmin.
> >
> > I've developed a fix though, and the 1.216 development release which
> > should be available at the usual URL in about 30 minutes will include
> > it. Try upgrading to that, and let me know if it helps ..
> >
> > - Jamie
> >
> > On Thu, 2005-06-30 at 22:42, Grant Peel wrote:
> >> Jamie,
> >>
> >> Upon further investigation, netstat shows one IP address trying to
> >> connect to port 10000 via every virtual domain on the box (or a lot
> >> of them anyways). I wonder if:
> >>
> >> ipfw allow only from my IP
> >> or
> >> webmin allow only from my ip
> >>
> >> Would stop this....
> >>
> >> -Grant
> >>
> >> ----- Original Message -----
> >> From: "Jamie Cameron" <jca...@we...>
> >> To: <web...@li...>
> >> Sent: Wednesday, June 29, 2005 8:09 PM
> >> Subject: Re: [webmin-l] Webmin Processes
> >>
> >> > On Wed, 2005-06-29 at 23:42, Grant Peel wrote:
> >> >> Jamie,
> >> >>
> >> >> No. No one restarts the webmin servers but me (the webmin software).
> >> >> Also, I do not use Virtualmin (yet), and I am the only Webmin user.
> >> >>
> >> >> I did see the post from the other who had the same problem. It seems
> >> >> coincidental that he had the exact same symptoms, at about the same
> >> >> time period, with the same fix, on a completely different platform.
> >> >> Centos 3.1 and 3.4 vs FreeBSD 4.7 + 4.10.
> >> >>
> >> >> ....I can't help wondering if someone has found an exploit or DoS
> >> >> attack ...
> >> >
> >> > It is possible someone is trying to make some kind of bogus connections
> >> > on port 10000. You should use the Running Processes module to see if
> >> > those processes have any network connections option, and if so to where
> >> > ..
> >> >
> >> > - Jamie
> >> >
> >> > -------------------------------------------------------
> >> > SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> >> > from IBM. Find simple to follow Roadmaps, straightforward articles,
> >> > informative Webcasts and more! Get everything you need to get up to
> >> > speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> >> > -
> >> > Forwarded by the Webmin mailing list at
> >> > web...@li...
> >> > To remove yourself from this list, go to
> >> > http://lists.sourceforge.net/lists/listinfo/webadmin-list
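
The netstat check described in the quoted thread (a single remote address holding connections to port 10000 across many of the box's virtual-domain addresses) can be scripted. This is an added example, not code from the original messages; the sample netstat lines are constructed, all addresses are documentation ranges, and the function names and threshold are assumptions.

```python
import re
from collections import defaultdict

WEBMIN_PORT = 10000  # the port discussed in the thread

# Constructed sample of `netstat -an` output (BSD "addr.port" and Linux "addr:port").
SAMPLE = """\
tcp4  0  0  *.10000           *.*                   LISTEN
tcp4  0  0  192.0.2.10.10000  203.0.113.7.51234     ESTABLISHED
tcp4  0  0  192.0.2.11.10000  203.0.113.7.51240     ESTABLISHED
tcp4  0  0  192.0.2.12.10000  203.0.113.7.51251     CLOSE_WAIT
tcp4  0  0  192.0.2.13.10000  203.0.113.7.51260     ESTABLISHED
tcp4  0  0  192.0.2.10.10000  198.51.100.20.40022   ESTABLISHED
tcp4  0  0  192.0.2.10.22     198.51.100.20.40100   ESTABLISHED
tcp   0  0  192.0.2.10:10000  198.51.100.99:60001   TIME_WAIT
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (Linux) or 'addr.port' (BSD) into (addr, port)."""
    m = re.match(r"^(.*)[.:](\d+|\*)$", endpoint)
    return (m.group(1), m.group(2)) if m else (endpoint, "")

def summarize(netstat_text, port=WEBMIN_PORT):
    """Per remote address: connection count, local addresses hit, TCP states."""
    hits = defaultdict(lambda: {"conns": 0, "local_addrs": set(), "states": set()})
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local_addr, local_port = split_endpoint(fields[3])
        remote_addr, _ = split_endpoint(fields[4])
        state = fields[5]
        if local_port != str(port) or state == "LISTEN":
            continue  # only inbound connections to the watched port
        entry = hits[remote_addr]
        entry["conns"] += 1
        entry["local_addrs"].add(local_addr)
        entry["states"].add(state)
    return dict(hits)

def suspects(summary, min_local_addrs=3):
    """Remote addresses reaching the port on several distinct local addresses."""
    return sorted(r for r, s in summary.items()
                  if len(s["local_addrs"]) >= min_local_addrs)

if __name__ == "__main__":
    for remote in suspects(summarize(SAMPLE)):
        print(remote)
```
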