...
- IPMI (remote management, as in e.g. iLO, DRAC, etc.; port 623 tcp/udp). The IPMI protocol has severe weaknesses (CERT/CC has a Vulnerability Note specifically about Dell iDRAC) which, if not properly mitigated, would allow an attacker to reboot the machine into a live Linux image. He would then mount the root disk, alter it (thereby circumventing any of the target system's security controls), and then reboot the compromised system. Since this happens below the operating system, patching the host does not help; the BMC must be unreachable from any network the attacker can get to.
- RFB (remote framebuffer as in e.g. VNC). We currently have no information on how exactly the attackers exploit this protocol, but they are actively scanning for it.
- Possibly by using compromised accounts. We observed that an sshclient was dropped in /usr/local/bin. Though we haven't analysed it, chances are that this binary collects the users' passwords as they log into other machines from the compromised one.
...
A number of directories and files were touched during installation of the various software. Places to look at are /tmp, /usr/bin, /raid2/, /opt and directories that are seldom looked at by humans, e.g. /mnt or device directories. Files there that are newer than the last legitimate change on the host, or that do not belong to any installed package, deserve a closer look.
In one case (so far),
- minerd.gz and some more scripts have been installed in the ftp/http directory.
- Metasploit has been used to scan for potential victims.
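As an added triage helper (not part of the original report and not tooling of the people who wrote it), the following POSIX shell script walks the directories named above and lists recently modified files as well as files whose names match the artifacts mentioned in this report (the dropped sshclient binary and minerd.gz). The directory list comes from the report; treating "sshclient" as the file name, the ROOT prefix argument (so the same check can be run against a mounted disk image of a rebooted machine as well as a live system), the EXTRA_DIRS variable for the per-host ftp/http document root, and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Post-compromise triage helper (added example; not the original report's tooling).
# SUSPECT_DIRS are the places named in the report. The web/ftp document root
# differs per host, so pass it in EXTRA_DIRS (assumption: absolute paths,
# space separated). ROOT is an assumed prefix: "" for the live system, or the
# mount point of a disk image, without trailing slash.

SUSPECT_DIRS="tmp usr/bin usr/local/bin raid2 opt mnt dev"
# Artifact names from the report. "sshclient" as a literal file name is an assumption.
IOC_NAMES="sshclient minerd.gz minerd"

# Print every regular file under the suspect directories, relative to ROOT.
# Usage: list_suspect_files ROOT [find-predicates...]
list_suspect_files() {
    root=$1; shift
    for d in $SUSPECT_DIRS $EXTRA_DIRS; do
        case $d in /*) dir=$root$d ;; *) dir=$root/$d ;; esac
        [ -d "$dir" ] || continue
        find "$dir" -type f "$@" 2>/dev/null
    done | sed "s#^$root/##" | sort -u
}

# Files modified within DAYS days: the first thing to compare against a
# known-good host or the package manager's file lists.
recent_files() { list_suspect_files "$1" -mtime "-$2"; }

# Files whose basename matches one of the indicator names.
ioc_files() {
    root=$1
    for n in $IOC_NAMES; do
        list_suspect_files "$root" -name "$n"
    done | sort -u
}

# Build a small constructed tree (not real evidence) so the checks run offline:
# a fresh "sshclient" in usr/local/bin, a fresh minerd.gz in tmp, and an old,
# legitimate-looking file in opt that must not be flagged as recent.
make_demo_tree() {
    root=$1
    mkdir -p "$root/usr/local/bin" "$root/tmp" "$root/opt/app"
    printf '#!/bin/sh\n' > "$root/usr/local/bin/sshclient"
    printf 'not-really-a-gzip\n' > "$root/tmp/minerd.gz"
    printf 'old\n' > "$root/opt/app/README"
    touch -t 201001010000 "$root/opt/app/README"
}

# Stand-alone usage: sh triage.sh --demo
# On a real host: recent_files "" 7   or   recent_files /mnt/image 7
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    echo "modified within 7 days:"; recent_files "$demo" 7
    echo "known artifact names:";   ioc_files "$demo"
    rm -rf "$demo"
fi
```

On a live system the recent-files list will include legitimate log and spool files; the point is to diff it against a clean host of the same build, not to treat every hit as malicious.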
...