Shortcut: If you have been warned specifically about the IPMI vulnerability (watch out for the tag: 750x7ipmi in the subject),
- your machine(s) has been found by a hacker using metasploit;
- we found his scan results on a hacked machine that we have analysed;
- you can jump directly to specific notes regarding IPMI.
Bitcoin Mining Hack "750x7" - Technical Details for Detection & Recovery
...
- Unexplained reboots.
- rkhunter reporting the libncom rootkit.
- we've heard that /lib/libproc-3.2.8.so has been replaced on some machines, not detected by rkhunter (seen on ubuntu so far, unclear whether other distributions are affected)
- Presence of files in
/tmplikedo,update,rc_local_found. - Presence of files in /usr/bin like
minerd, or starting with_-(underscore-dash - these should apparently be hidden by the rootkit). - Presence of
/lib/libncom.*or/lib64/libncom.*and/etc/ld.so.preloadpointing to this library (beware of the rootkit, see above). - CPU usage that can't be accounted for. The miner process might only be visible when evading the rootkit (see above).
- CPU usage by processes like metasploit, nmap, minerd.
- Presence of
/usr/local/bin/ssh. - Some tools may have been upgraded or installed (gnu auto*, Python, JRE), metasploit, nmap.
...
- Dell iDRAC: Best Practices for Security for iDRAC, IPMI, SNMP
- Dell iDRAC: Vulnerability Note VU#843044 (Dec. 2014)
- Cisco: IPMI Security Vulnerabilities
- Dan Farmer about IPMI security: http://fish2.com/ipmi/
- Metasploit: A Penetration Tester's Guide to IPMI and BMCs
- Article about ipmi vulnerabilities: Many servers expose insecure out-of-band management interfaces to the Internet
Others
- rkhunter (Rootkit detection tool): http://rkhunter.sourceforge.net
...