Open Source · 2006-08-10 · 3 days · Backdoor, Remote Code Execution

Webmin mirror served backdoor

A compromised SourceForge mirror distributed a modified Webmin 1.290 archive.

Story

In August 2006, a Webmin 1.290 archive served from a SourceForge mirror was reported as modified. The compromise was distribution-side. Users following a normal download path could receive a tarball that did not match the expected project release.

The record is intentionally narrow. It tracks the affected archive, the mirror path, and the known hashes for the malicious file. It does not treat the ordinary Webmin 1.290 vulnerability history as the same event, because a vulnerable release and a replaced distribution artifact are different failures.

The operational risk came from where Webmin runs. Webmin is an administrative interface for Unix and Linux systems, commonly exposed on management ports and often used with high privilege. A modified archive in that path can become code execution in the management plane.

The durable lesson is provenance. SourceForge was a trusted distribution surface, but the mirror copy still had to be verified. The archive name and version were not enough; hashes separated the served artifact from the intended release.
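The check this lesson implies, sketched as an added example that is not part of the original record: copies of one archive fetched from several mirrors are compared against a digest pinned from a channel independent of those mirrors. The mirror names, the byte strings and the function name are constructed for illustration; the record's own hashes are not reproduced here.

```python
import hashlib
from collections import defaultdict


def audit_mirror_copies(copies, pinned_sha256=None):
    """Classify copies of one release archive fetched from several mirrors.

    copies: dict of mirror name -> archive bytes (same file name everywhere).
    pinned_sha256: hex digest obtained from a channel independent of the
    mirrors, or None when no such digest is available.
    """
    by_digest = defaultdict(list)
    for mirror, data in copies.items():
        by_digest[hashlib.sha256(data).hexdigest()].append(mirror)

    report = {"divergent": len(by_digest) > 1,
              "trusted": [], "rejected": [], "unverified": []}
    for digest, mirrors in by_digest.items():
        if pinned_sha256 is None:
            # Mirrors agreeing or disagreeing with each other says nothing
            # about authenticity; divergence only signals that a copy differs.
            report["unverified"] += mirrors
        elif digest == pinned_sha256.strip().lower():
            report["trusted"] += mirrors
        else:
            report["rejected"] += mirrors
    for key in ("trusted", "rejected", "unverified"):
        report[key].sort()
    return report


# Constructed sample data: stand-in bytes and hypothetical mirror names.
RELEASE = b"constructed stand-in for the intended release archive"
MODIFIED = RELEASE + b" plus extra code added on one mirror"
COPIES = {
    "mirror-a.example": RELEASE,
    "mirror-b.example": MODIFIED,  # same file name and version, different bytes
    "mirror-c.example": RELEASE,
}
# Assumption: the pinned digest comes from the project itself, not from a mirror.
PINNED = hashlib.sha256(RELEASE).hexdigest()

if __name__ == "__main__":
    print(audit_mirror_copies(COPIES, PINNED))
    print(audit_mirror_copies(COPIES))
```

Without a pinned digest the function trusts nothing: divergence between mirrors shows that a copy differs, but not which one is the intended release.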

Affected Artifacts

Incident Context

Motive: Unauthorized Access Control
Attribution: Person
Cause: Compromised Infrastructure
Transitive: No
Actor: Individual Hacker

External References

Source record: oss/attacks/webmin/2006/meta.yaml