Careful about Webmin access from outside; someone logged into mine!
Submitted by joltman on October 7, 2007 - 6:38am
I figured I should post this here since I'm sure other people do the same thing. I have my Webmin open on its standard port (10000) from the outside. Well, today I went to do something in the shell through Webmin, and this was in my previous commands:
'echo -n BUFUWUZHERE;hostname'
I only have the root account able to access Webmin, and it has a secure password, it's seven digits with one capital letter, one number, and one symbol. I don't know what happened. That's the only previous command that wasn't by me, so I think (hope) they didn't do anything to my system.
This was a fine way to wake up on Sunday morning...

Could be real trouble there.
Could be real trouble there. I'll assume you're not one of the people who already posted to the ClarkConnect forum on the same subject (even if you are, this is information we all should be aware of, seeing as Webmin looks to be the weak point and it is enabled by default in MythDora) and post the link here for your and others' information.
Looks like there is a good chance your system has been seriously compromised. One person reports that after a BUFUWUZHERE attack, many of the system utilities were replaced with cracker type tools that recorded passwords and such crap.
Best bet is to format and rebuild your system, use really secure passwords, and block all ports and shut down all services that don't need to be open.
Giving access to root on the
Giving access to root on the outside is awfully risky. I can't think of any reason you would need to. Most useful things in MD are done as user mythtv anyway. I could see it if it was a remote server but even then, I would use something a bit more cryptic than having port 10000 open and easily scannable by even the most novice of malicious people. That method of password is pretty minimal as far as security goes. I'd spread out more capital letters at the very least. Any way you can do this via VPN? Is your Myth box behind a firewall/router or is it sitting on the web directly? If you had enough bandwidth, people could attach a frontend to your backend and enjoy your collection. Never heard of that happening though.
I don't currently have VNC
I don't currently have VNC setup on that machine. And the server is behind a router, I just had port 10000 forwarded to it. The first thing I did after I saw that message was remove the port forwarding for that.
I'm sure it sounds naive, but I just figured having webmin open with a fairly secure password would be good enough, but I now know it's not.
ssh
I only have 1 port forwarded from a firewall/router to a server at my house - just ssh. I can check the logs and see that every single day there are people trying to break in. I also restricted the IP range that a connection can be accepted from - so they need to break the password and guess the IP range that will be legal.
It bugs me that there seems to be nothing one can do to stop these attempted break-ins. With all the automated scripts running trying to break into every system in the world - it is really rough out there.
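The poster above only forwards SSH, reads the logs daily and restricts the IP range that may connect. As an added example (not code from this thread), the script below turns that routine into a check over sshd auth lines: it tallies failed attempts per source address and flags any successful login from outside the allowed range, or for root at all. The allowed range and the log lines are constructed for illustration and use RFC 5737 documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Allowed source range: an assumed value, replace with your own.
ALLOWED = [ipaddress.ip_network("198.51.100.0/24")]

# Matches sshd "Accepted"/"Failed" lines, with or without "invalid user".
SSHD_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Constructed sample lines in sshd syslog format (RFC 5737 addresses).
SAMPLE_LOG = """\
Oct  7 03:12:01 mythbox sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct  7 03:12:03 mythbox sshd[2101]: Failed password for root from 203.0.113.5 port 51235 ssh2
Oct  7 03:12:09 mythbox sshd[2103]: Failed password for invalid user admin from 192.0.2.77 port 40022 ssh2
Oct  7 06:30:44 mythbox sshd[2210]: Accepted password for mythtv from 198.51.100.12 port 50110 ssh2
Oct  7 06:41:02 mythbox sshd[2250]: Accepted password for root from 203.0.113.5 port 51240 ssh2
"""

def parse(lines):
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), ipaddress.ip_address(m.group("ip"))

def in_allowed(ip):
    return any(ip in net for net in ALLOWED)

def review(log_text):
    """Return (failed attempts per source IP, successful logins to alert on).
    A success is flagged if it came from outside ALLOWED or was for root at all,
    since the thread's advice is never to expose root remotely."""
    failures = Counter()
    suspicious = []
    for result, user, ip in parse(log_text.splitlines()):
        if result == "Failed":
            failures[str(ip)] += 1
        elif user == "root" or not in_allowed(ip):
            suspicious.append((user, str(ip)))
    return failures, suspicious

if __name__ == "__main__":
    fails, bad = review(SAMPLE_LOG)
    for ip, n in fails.most_common():
        print(f"{n:3d} failed attempts from {ip}")
    for user, ip in bad:
        print(f"ALERT: successful login for {user} from {ip}")
```

On a real box, feed it `/var/log/secure` or `/var/log/auth.log` and run it from cron; a non-empty alert list is the signal to treat the machine as compromised, as the replies above recommend.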
I discovered this same
I discovered this same activity back in July on my Mythbox.
I quickly changed the password and tried adding more security. Of course, this had no effect. I disabled port forwarding to 10000 and 80 after that.
I don't know what all that jerk did to my box and since Schedules Direct was coming out anyway I added more HD space and reformatted.
Some kind of botnet probably. What I don't understand is why he didn't clean the logs. If he/it hadn't left the "Bufuwuzhere" in the command line, I'd never have noticed.
Oh, the other thing I noticed was that Bufu made login attempts from all over the world, not just personal computers, but corporate domains. These could have just been spoofing my logs I suppose. So, it's possible that if you restrict logins from a specific IP range someday Bufu could compromise a computer in that range and it could start all over again. I don't have a static IP at work or I could restrict it to that one IP.
For now my Mythweb / Webmin is not getting access to the outside world.