Shortcut: If you have been warned specifically about the IPMI vulnerability (watch out for the tag: 750x7ipmi in the subject),

• your machine(s) has been found by a hacker using metasploit;
• we found his scan results on a hacked machine that we have analysed;
• you can jump directly to  specific notes regarding IPMI.

Bitcoin Mining Hack "750x7" - Technical Details for Detection & Recovery

...

• Unexplained reboots.
• rkhunter reporting the libncom rootkit.
• we've heard that /lib/libproc-3.2.8.so has been replaced on some machines, not detected by rkhunter (seen on ubuntu so far, unclear whether other distributions are affected)
• Presence of files in /tmp like do, update, rc_local_found.
• Presence of files in /usr/bin like minerd, or starting with _- (underscore-dash - these should apparently be hidden by the rootkit).
• Presence of /lib/libncom.* or /lib64/libncom.* and /etc/ld.so.preload pointing to this library (beware of the rootkit, see above).
• CPU usage that can't be accounted for. The miner process might only be visible when evading the rootkit (see above). 
• CPU usage by processes like metasploit, nmap, minerd.
• Presence of /usr/local/bin/ssh.
• Some tools may have been upgraded or installed (gnu auto*, Python, JRE), metasploit, nmap.

...

1. A vulnerable machine doesn't necessarily get hacked. To 
2. The vulnerability, if present, should nevertheless be fixed ASAP.
3. If the interface is exposed to untrusted networks (i.e. the Internet), the attacker we observed would try to access the system
   1. by guessing just a username. This is possible if the so called "cipher 0" is enabled, which implies that no password is required.
   2. to crack the password of an IPMI user after retrieving the Hash. This is possible with weak or moderately complex passwords. 
4. However, a cracked password (3b above) may not be exploitable when the user is disabled, the attack would then fail. ACOnet-CERT has no data whether this is the case and can't detect this either, as this would require us to try to attack ourselves.
5. See also the vendor's documentation and make sure the firmware is up to date - see the links below.

Intrusion

As far as we could observe, the attackers intrude the system in one of at least two, possibly three ways:

...

Truth is: We don't know who or where the hackers are.

Anker
links links

Links and further information

Note that if you use of the tools and information on this page or following any of it's links, you do so at your own risk.

...

• Dell iDRAC: Best Practices for Security for iDRAC, IPMI, SNMP
• Dell iDRAC: Vulnerability Note VU#843044 (Dec. 2014)
• Cisco: IPMI Security Vulnerabilities
• Dan Farmer about IPMI security: http://fish2.com/ipmi/
• Metasploit: A Penetration Tester's Guide to IPMI and BMCs
• Article about ipmi vulnerabilities: Many servers expose insecure out-of-band management interfaces to the Internet

Others

• rkhunter (Rootkit detection tool): http://rkhunter.sourceforge.net

...