Thread: [webmin-l] hacker attempt to get /etc/shadow

A web-based interface for system administration of UNIX

Brought to you by: iliaross, jcameron

webadmin-list

[webmin-l] hacker attempt to get /etc/shadow

From: Obantec S. <su...@ob...> - 2006-09-02 11:26:40

Hi

any idea what this is in /var/webmin/miniserv.error

[26/Aug/2000] [24.119.41.35]
/unauthenticated//../../../../../../../../../../../../../../..
/../../../../../../../../../../../../../../../../../../..
/../../../../../../../../../../../../../../../../../../..
/../../../../../../../..//etc/shadow : File not found

errors above and below are 2006 so the date is odd!

Mark

Re: [webmin-l] hacker attempt to get /etc/shadow

From: Jamie C. <jca...@we...> - 2006-09-02 15:25:20

On 2/Sep/2006 04:26 Obantec Support wrote ..
> Hi
> 
> any idea what this is in /var/webmin/miniserv.error
> 
> [26/Aug/2000] [24.119.41.35]
> /unauthenticated//../../../../../../../../../../../../../../..
> /../../../../../../../../../../../../../../../../../../..
> /../../../../../../../../../../../../../../../../../../..
> /../../../../../../../..//etc/shadow : File not found
> 
> errors above and below are 2006 so the date is odd!

This looks like an attempt to exploit a bug in Webmin that existed in versions
before 1.290, which could be used to access any file on the system (including
/etc/shadow). I strongly recommend upgrading to 1.290 if you haven't already ..

 - Jamie

Re: [webmin-l] hacker attempt to get /etc/shadow

From: Obantec S. <su...@ob...> - 2006-09-02 16:53:38

----- Original Message ----- 
From: "Jamie Cameron" <jca...@we...>
To: "Webmin users list" <web...@li...>
Sent: Saturday, September 02, 2006 4:25 PM
Subject: Re: [webmin-l] hacker attempt to get /etc/shadow


> On 2/Sep/2006 04:26 Obantec Support wrote ..
> > Hi
> >
> > any idea what this is in /var/webmin/miniserv.error
> >
> > [26/Aug/2000] [24.119.41.35]
> >
/unauthenticated//../../../../../../../../../../../../../../..
> >
/../../../../../../../../../../../../../../../../../../..
> >
/../../../../../../../../../../../../../../../../../../..
> > /../../../../../../../..//etc/shadow : File not found
> >
> > errors above and below are 2006 so the date is odd!
>
> This looks like an attempt to exploit a bug in Webmin that existed in
versions
> before 1.290, which could be used to access any file on the system
(including
> /etc/shadow). I strongly recommend upgrading to 1.290 if you haven't
already ..
>
>  - Jamie
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job
easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> -
> Forwarded by the Webmin mailing list at
web...@li...
> To remove yourself from this list, go to
> http://lists.sourceforge.net/lists/listinfo/webadmin-list
>
>
>
> -- 
> No virus found in this incoming message.
> Checked by AVG Anti-Virus.
> Version: 7.1.405 / Virus Database: 268.11.7/436 - Release Date: 01/09/2006
>
>

I am running 1.290

Thanks

Mark

Re: [webmin-l] hacker attempt to get /etc/shadow

From: Jamie C. <jca...@we...> - 2006-09-02 16:54:59

On 2/Sep/2006 09:53 Obantec Support wrote ..
> 
> ----- Original Message ----- 
> From: "Jamie Cameron" <jca...@we...>
> To: "Webmin users list" <web...@li...>
> Sent: Saturday, September 02, 2006 4:25 PM
> Subject: Re: [webmin-l] hacker attempt to get /etc/shadow
> 
> 
> > On 2/Sep/2006 04:26 Obantec Support wrote ..
> > > Hi
> > >
> > > any idea what this is in /var/webmin/miniserv.error
> > >
> > > [26/Aug/2000] [24.119.41.35]
> > >
> /unauthenticated//../../../../../../../../../../../../../../..
> > >
> /../../../../../../../../../../../../../../../../../../..
> > >
> /../../../../../../../../../../../../../../../../../../..
> > > /../../../../../../../..//etc/shadow : File not found
> > >
> > > errors above and below are 2006 so the date is odd!
> >
> > This looks like an attempt to exploit a bug in Webmin that existed in
> versions
> > before 1.290, which could be used to access any file on the system
> (including
> > /etc/shadow). I strongly recommend upgrading to 1.290 if you haven't
> already ..
>
> I am running 1.290

In that case, you don't have to worry .. this was a failed attempt to
exploit the bug that was blocked and recorded in your log.

 - Jamie

Re: [webmin-l] hacker attempt to get /etc/shadow

From: boricua <bo...@de...> - 2006-09-02 17:00:18

what are these doing in miniserv.error


/bin/chmod: invalid mode: `clamav.clamav'
Try `/bin/chmod --help' for more information.
/bin/chmod: invalid mode: `clamav.clamav'
Try `/bin/chmod --help' for more information.

Re: [webmin-l] hacker attempt to get /etc/shadow

From: Jamie C. <jca...@we...> - 2006-09-02 17:54:26

On 2/Sep/2006 09:56 boricua wrote ..
> what are these doing in miniserv.error
> 
> 
> /bin/chmod: invalid mode: `clamav.clamav'
> Try `/bin/chmod --help' for more information.
> /bin/chmod: invalid mode: `clamav.clamav'
> Try `/bin/chmod --help' for more information.

Are you using any module that manages clamav? It looks
like some module has an error in the chmod command it
calls ..

 - Jamie

Re: [webmin-l] hacker attempt to get /etc/shadow

From: boricua <bo...@de...> - 2006-09-02 19:09:12

On Sat, 02 Sep 2006 10:54:19 -0700 (PDT)
"Jamie Cameron" <jca...@we...> wrote:

> On 2/Sep/2006 09:56 boricua wrote ..
> > what are these doing in miniserv.error
> > 
> > 
> > /bin/chmod: invalid mode: `clamav.clamav'
> > Try `/bin/chmod --help' for more information.
> > /bin/chmod: invalid mode: `clamav.clamav'
> > Try `/bin/chmod --help' for more information.
> 
> Are you using any module that manages clamav? It looks
> like some module has an error in the chmod command it
> calls ..
> 
>  - Jamie
> 


yes the clamav module under systems

Re: [webmin-l] hacker attempt to get /etc/shadow

From: Jamie C. <jca...@we...> - 2006-09-02 22:54:09

On 2/Sep/2006 12:05 boricua wrote ..
> On Sat, 02 Sep 2006 10:54:19 -0700 (PDT)
> "Jamie Cameron" <jca...@we...> wrote:
> 
> > On 2/Sep/2006 09:56 boricua wrote ..
> > > what are these doing in miniserv.error
> > > 
> > > 
> > > /bin/chmod: invalid mode: `clamav.clamav'
> > > Try `/bin/chmod --help' for more information.
> > > /bin/chmod: invalid mode: `clamav.clamav'
> > > Try `/bin/chmod --help' for more information.
> > 
> > Are you using any module that manages clamav? It looks
> > like some module has an error in the chmod command it
> > calls ..
> > 
> >  - Jamie
> > 
> 
> 
> yes the clamav module under systems

You might want to email the developer of that module
about this .. or alternately try creating
a clamav user and group on your system.

  -Jamie

Re: [webmin-l] hacker attempt to get /etc/shadow

From: Roger B.A. K. <ro...@qu...> - 2006-09-02 23:20:51

Jamie Cameron wrote:
> You might want to email the developer of that module
> about this .. or alternately try creating
> a clamav user and group on your system.
>   


The latter won't do any good -- it's calling chmod, not chown, with 
"user.group".

Re: [webmin-l] hacker attempt to get /etc/shadow

From: Shawn R. <sun...@gm...> - 2006-09-02 16:42:29

Looks like a buffer overflow, but I can't be sure. =20


Shawn P. Raymond I
SCSA, MCSA, MCP

-----Original Message-----
From: web...@li...
[mailto:web...@li...] On Behalf Of =
Obantec
Support
Sent: Saturday, September 02, 2006 5:26 AM
To: web...@li...
Subject: [webmin-l] hacker attempt to get /etc/shadow

Hi

any idea what this is in /var/webmin/miniserv.error

[26/Aug/2000] [24.119.41.35]
/unauthenticated//..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/.=
.=01/..=01/..=01/..=01/..=01/..
=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01=
/..=01/..=01/..=01/..=01/..=01/..=01/..
=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01=
/..=01/..=01/..=01/..=01/..=01/..=01/..
=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01/..=01//etc/shadow : File =
not found

errors above and below are 2006 so the date is odd!

Mark


-------------------------------------------------------------------------=

Using Tomcat but need to do more? Need to support web services, =
security?
Get stuff done quickly with pre-integrated technology to make your job
easier Download IBM WebSphere Application Server v.1.0.1 based on Apache
Geronimo
http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D120709&bid=3D263057&dat=3D=
121642
-
Forwarded by the Webmin mailing list at =
web...@li...
To remove yourself from this list, go to
http://lists.sourceforge.net/lists/listinfo/webadmin-list