Information about what an infection looks like, the attack method, etc: http://malwaremustdie.blogspot.com/2013/03/the-evil-came-bac...
From skimming the article, it sounds like it attacks control panels (mostly Plesk?) and possibly WordPress for remote shell, then does some sort of local privilege escalation. It then adds a module to Apache or Nginx which injects malware into served web pages under certain conditions.
More information about distribution: http://nakedsecurity.sophos.com/2013/03/05/rogue-apache-modu...
If you need something more complicated, I can see it being difficult (having sweated through the process myself).
Red Hat has tried to make this thing more usable, but it's still a greasy pig to wrestle. Applications just mysteriously "don't work" without explanation, and there's no obvious resolution to the problem.
Although iptables is an example of an ornery configuration format, at least it's self-contained. SELinux seems to allow applications to define their own quirky rulesets which complicates things severely.
What's better still is that there are a couple of SELinux modules for Puppet or Chef which allow you to take your audit2allow rules and build them on the fly for any deployed machine!
If the system acts weird, it's either rooted or SELinux is on.
Unless, of course, you run Apache as root. But then, SELinux won't protect you either.
Ah, I see here http://malwaremustdie.blogspot.co.uk/2013/03/the-evil-came-b... that it only works on non-SELinux systems...
I've already checked the server for any rogue Apache modules and nothing appears out of place.
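Since the write-ups above describe the payload as a module added to Apache, a check for rogue modules is worth making repeatable rather than eyeballing the config once. The script below is an added example, not code from this thread or from either linked article: it parses active LoadModule directives, flags modules that are not on an allowlist or whose shared object lives outside the distribution's module directory, and cross-checks against `httpd -M` output so modules pulled in by an Include you did not read still show up. The config text, the `httpd -M` output, the allowlist, the module names and the directory paths are all constructed for the example; the standard module directories are an assumption you adjust for your distribution.

```python
"""Audit Apache LoadModule directives and loaded modules against an allowlist.

Added example; all sample data below is constructed, not taken from a real host.
"""
import re
import shutil
import subprocess

# Active (uncommented) directive:  LoadModule <module_name> <path/to/mod_x.so>
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)
# One line of `httpd -M` / `apachectl -M` output:  " ssl_module (shared)"
LOADED_RE = re.compile(r"^\s*(\S+)\s+\((shared|static)\)")

# Assumption: where distribution packages install modules (adjust per distro).
STANDARD_MODULE_DIRS = (
    "/usr/lib64/httpd/modules",
    "/usr/lib/apache2/modules",
    "/etc/httpd/modules",
)

# Constructed sample data (not from any real system).
CONSTRUCTED_CONFIG = """\
ServerRoot "/etc/httpd"
LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule cgi_module modules/mod_cgi.so
LoadModule example_rogue_module /usr/local/lib/mod_example_rogue.so
Include conf.modules.d/*.conf
"""
CONSTRUCTED_HTTPD_M = """\
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 ssl_module (shared)
 rewrite_module (shared)
 example_rogue_module (shared)
 unknown_extra_module (shared)
"""
ALLOWLIST = {"ssl_module", "rewrite_module", "cgi_module"}


def parse_loadmodule(config_text):
    """Return [(module_name, so_path)] for every active LoadModule line."""
    return [m.groups() for m in map(LOADMODULE_RE.match, config_text.splitlines()) if m]


def parse_loaded_modules(httpd_m_output):
    """Return {module_name: 'shared'|'static'} from `httpd -M` output."""
    return {m.group(1): m.group(2) for m in map(LOADED_RE.match, httpd_m_output.splitlines()) if m}


def audit_modules(config_text, allowlist, standard_dirs=STANDARD_MODULE_DIRS):
    """Flag declared modules that are off-allowlist or loaded from an unexpected path."""
    findings = []
    for name, path in parse_loadmodule(config_text):
        reasons = []
        if name not in allowlist:
            reasons.append("module name not on allowlist")
        if path.startswith("/"):
            # Absolute path: must sit under one of the standard module directories.
            if not any(path.startswith(d.rstrip("/") + "/") for d in standard_dirs):
                reasons.append("shared object outside standard module directory")
        elif not path.startswith("modules/"):
            # Relative path is resolved against ServerRoot; anything but modules/ is odd.
            reasons.append("relative path not under ServerRoot/modules")
        if reasons:
            findings.append({"module": name, "path": path, "reasons": reasons})
    return findings


def loaded_not_declared(httpd_m_output, config_text):
    """Shared modules the running server reports that the audited config never declares."""
    declared = {name for name, _ in parse_loadmodule(config_text)}
    loaded = parse_loaded_modules(httpd_m_output)
    return {name for name, kind in loaded.items() if kind == "shared" and name not in declared}


def package_owner(path):
    """Ask rpm or dpkg which package owns `path`; None if unowned or no package manager."""
    if shutil.which("rpm"):
        cmd = ["rpm", "-qf", path]
    elif shutil.which("dpkg"):
        cmd = ["dpkg", "-S", path]
    else:
        return None
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    for f in audit_modules(CONSTRUCTED_CONFIG, ALLOWLIST):
        print(f"SUSPECT {f['module']} ({f['path']}): {'; '.join(f['reasons'])}")
        print(f"  owning package: {package_owner(f['path']) or 'none / unknown'}")
    for name in sorted(loaded_not_declared(CONSTRUCTED_HTTPD_M, CONSTRUCTED_CONFIG)):
        print(f"LOADED BUT NOT DECLARED IN AUDITED CONFIG: {name}")
```

On a real host, feed it the concatenated output of every file the main config Includes plus the live `httpd -M` output; a module that the server reports loaded but no audited file declares, or a shared object no package owns, is the thing to look at first, together with `rpm -V`/`debsums` on the owning package for the ones that are owned.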
Never mind. There is a stop script.
But, Webmin hasn't had a major remote exploit in years (that we know of). In terms of security risks, I consider Webmin pretty low on the list, because of its good security history (see http://webmin.com/security.html for the security history going back several years). It does provide root access, though, which makes it a very valuable target for exploits. As far as we know, Webmin is not implicated as a vector in this particular attack. Plesk has been mentioned as correlated with this attack, but I don't think that's been confirmed, and Plesk has no relation to Webmin, so it seems an odd choice.
Source and disclaimer: I am a developer on the Webmin and Virtualmin projects, and co-founder of Virtualmin, Inc.
As a beginner, I'd rather disable Webmin for now. Just in case! But you are correct; Webmin is probably not affected by this.
The details on that page are weak and there are all sorts of problems with the content in general (namely asking users to run a script blindly), but it seems to mimic what is described.
If security did not have a human element, these problems would have been solved long ago.