  1. #1

    Webmin won't start after hack attack

    Hi All,
    I've been up all night battling with a hacker who seems to want to cripple apache and send as much spam through sendmail as possible. After restarting apache and sendmail several times I ended up leaving sendmail off for a while, and implementing a script to track all calls from php scripts so I can see where the user is coming from. Webmin just won't start and I don't know why. Where do I find errors for Webmin? When I try to access it through the URL I don't get anything, not even an error; the browser just hangs and hangs. When starting Webmin there were no errors, but if I try to stop Webmin it says it isn't running.

    Something just wasn't right and the httpd kept becoming inaccessible.

    In the end I did a reboot as it's driving me mad and I want some sleep (it's 7:40 am over here).

    Apache now finally looks like it is going ok, and I've started sendmail again to see what php script (if any) was causing the leak.


    What could the hacker have done to do this to the server? I HATE doing resets, it's not the way to solve problems. I've had people expose email script holes before, but nothing like this.

    Any ideas?


    Lyle
    (Secretly wondering why nothing like this has happened to my server before for over 2 years and now it does after posting some messages about my negative experiences with 2CheckOut.com. Maybe I'm just being paranoid but I'd like a way to trace who did it)

  2. #2
    Hello, cosmicperl

    If nothing so far is working out for you with restarting Webmin, why don't you try reinstalling Webmin again?

  3. #3
    If Webmin isn't working, perhaps the hacker somehow fooled around with your firewall settings. Try typing this after connecting via SSH: "service iptables stop". Then try to use Webmin to see if it works. If it does, then you might want to redo your iptables, then start it up again.

  4. #4
    Doesn't Webmin run separate from the system web server and keep its own logs? Check the Webmin logs for errors.

  5. #5
    Was the server rooted?


    What could the hacker have done to do this to the server?
    If root access was gained, the attacker could have done "ANYTHING".



    (Secretly wondering why nothing like this has happened to my server before for over 2 years and now it does after posting some messages about my negative experiences with 2CheckOut.com. Maybe I'm just being paranoid but I'd like a way to trace who did it)
    I have seen boxes that were grossly out of date running for years and one day get rooted/exploited, due to something as simple as a bad php script... it happens, you have to be ahead of the game.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  6. #6
    Thanks for the replies.

    After another reboot Webmin did start. Everything now is running fine, but I took my Sendmail daemon offline for some time (not good). Whoever it was is gone, but I've no doubts they'll be back.

    What's the best way to protect my server from an attack? I get the feeling Webmin went down due to memory issues and sendmail struggling to deal with the message queue.

    The Sendmail message queue had over 100,000 messages in it. God knows how many were already sent.

    There must be some simple way to track what userID this came from?


    Lyle

  7. #7

    It's stopped again

    Webmin has stopped again. I know when it happens now. The same as last time, it was right after I created a new Virtual server.

    I can't find error logs for webmin anywhere. Am I looking in the right place?

    I try to start Webmin, I get no errors, but the process doesn't actually start. I did update Webmin to the latest version a couple of days ago. I guess it caused some kind of problem. Now I'm worried, this happened just before the spam attack I had last time.


    Lyle

  8. #8
    I found the problem. When webmin goes down to reboot after setting up a Virtual server the process isn't stopping properly. When I ran:-
    fuser 10000/tcp
    I got a list of 3 processes.
    10000/tcp: 1763 1998 2525
    When I killed them:-
    kill -9 1763 etc...
    Webmin started again.

    I'll contact Webmin.com and see if it's a bug or just my setup.
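
The check from post #8, as an added example that is not part of the original thread: on a box that may have been compromised, report what each process holding port 10000 actually is before sending `kill -9`. It assumes Linux `/proc` and that Webmin's server process shows up as `miniserv.pl`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report who holds the Webmin port
# before anything is killed. Function names are hypothetical.
PORT="${PORT:-10000}"   # Webmin port used in the thread

# "10000/tcp: 1763 1998 2525" (or bare PIDs) -> one PID per line.
parse_fuser_pids() {
    printf '%s\n' "$1" | sed 's/^[^:]*://' | tr -s ' \t' '\n' | grep -E '^[0-9]+$'
}

# Assumption: Webmin's own server is miniserv.pl; anything else holding
# the port is unexpected and worth a closer look.
classify_cmdline() {
    case "$1" in
        *miniserv.pl*) echo webmin ;;
        *)             echo unexpected ;;
    esac
}

# One report line per PID: owner, binary, classification, command line.
describe_pid() {
    d_pid="$1"
    if [ ! -d "/proc/$d_pid" ]; then
        echo "$d_pid not-running"
        return 0
    fi
    d_user=$(stat -c %U "/proc/$d_pid" 2>/dev/null || echo '?')
    d_exe=$(readlink "/proc/$d_pid/exe" 2>/dev/null || echo '?')
    d_cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$d_pid/cmdline" || true)
    echo "$d_pid user=$d_user exe=$d_exe class=$(classify_cmdline "$d_cmd") cmd=$d_cmd"
}

# Report only, nothing is killed. Run as root: sh check_port.sh --scan
if [ "${1:-}" = "--scan" ]; then
    out=$(fuser "$PORT/tcp" 2>/dev/null || true)
    for p in $(parse_fuser_pids "$out" || true); do
        describe_pid "$p"
    done
fi
```

Lines marked `class=webmin` are the stale Webmin processes the post describes; a line marked `class=unexpected` is one to record and investigate before it is killed.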
