A new botnet named Roboto is targeting Linux servers running the Webmin app, according to security researchers at 360 Netlab. Roboto is a peer-to-peer botnet that has been active since summer and is exploiting a vulnerability in Webmin. The app offers a web-based remote management system for Linux servers and is installed on as many as 215,000 servers.
The vulnerability, identified as CVE-2019-15107, allows bad actors to compromise older Webmin servers by running malicious code and gaining root privileges. The vulnerability was identified and patched by the company behind Webmin. However, many users have not installed the latest version with the patch, and the Roboto botnet is targeting such servers.
According to security researchers, the Roboto botnet has DDoS attack capability in its code, and this is the botnet's main feature. The bad actors behind the botnet aim to expand it and to conduct DDoS attacks via vectors such as HTTP, ICMP, UDP, and TCP.
Also, once the botnet compromises a Linux system running an older version of the Webmin app, it can collect system, network, and process information. It further uploads the collected data to a remote server, executes Linux commands, and runs a file downloaded from a remote URL.
What makes Roboto botnet unique is its peer-to-peer network structure.
To defend against this attack, we recommend that users update the Webmin app to version 1.930, or disable the ‘user password change’ option in the app.
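As an added example (not part of the article or the Webmin project), a small POSIX shell check that reads the installed Webmin version and reports whether it predates the 1.930 fix for CVE-2019-15107. It assumes the version is recorded as a single line in /etc/webmin/version and that versions use Webmin's major.minor form with a three-digit minor (e.g. 1.920).

```shell
#!/bin/sh
# Added defender-side check, not code from the article or from Webmin.
# Assumption: /etc/webmin/version holds one line such as "1.920".
PATCHED_VERSION="1.930"   # first release with the CVE-2019-15107 fix, per the article

# version_lt A B -> exit 0 when A is older than B.
# Assumes "major.minor" with a three-digit minor, e.g. 1.920 < 1.930 < 2.001.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        am = x[1] * 1000 + x[2]; bm = y[1] * 1000 + y[2]
        exit !(am < bm)
    }'
}

# webmin_vuln_check [version_file]
# Prints a one-line verdict; returns 0 if patched, 1 if vulnerable, 2 if unknown.
webmin_vuln_check() {
    vfile="${1:-/etc/webmin/version}"
    if [ ! -r "$vfile" ]; then
        echo "unknown: cannot read $vfile (is Webmin installed?)"
        return 2
    fi
    ver=$(head -n1 "$vfile" | tr -d '[:space:]')
    if version_lt "$ver" "$PATCHED_VERSION"; then
        echo "vulnerable: Webmin $ver < $PATCHED_VERSION (CVE-2019-15107);" \
             "update, or disable the user password change option"
        return 1
    fi
    echo "ok: Webmin $ver >= $PATCHED_VERSION"
    return 0
}
```

On a host, source the file and call `webmin_vuln_check` with no argument; the exit status makes it usable from a cron job or a fleet-wide inventory script.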