malicious code inserted into Webmin and Usermin and
your Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution. On our server this is set to "Always deny users with expired passwords" for Webmin.
Is it the same for Usermin? In what part did the malicious code get inserted in to Usermin? In the same "Authentication" setting for Usermin the default is set to "Prompt users with expired passwords to enter a new one". When I changed it to "Always deny users with expired passwords" i got an error: "Failed to save authentication : Failed to open PID file", but the change seems to be saved. Is this because Usermin wasn't running, we don't use usermin so it is never running... or should I be worried???