
The IPMI board on one of our servers seems to have become infected - we were hit by the "password in the clear" vulnerability - and it seems to have allowed it to be infected by a bot that launched a DDoS attack.

Right now, we've taken it off-line, and know how to prevent it re-occurring. But... how do I get rid of the infection?

Motherboard is a Supermicro X8SIE-LN4F. dmidecode reports these details about firmware and such:

Supermicro X8SIE(-F)/X8SIE-LN4(F)/X8SI6-F v 1.0c 5/27/10

Does not seem to support the sh command.

Given that the thing has its code in flash memory, and a limited instruction set - I'm wondering two things:

1. Where the bot code is actually stored
2. How to clear it out

Dave M
  • And you know the IPMI board is actually infected... how? – HopelessN00b Sep 08 '14 at 19:09
  • Do you have a link to a resource that has information on this "password in the clear" vulnerability? – user9517 Sep 08 '14 at 19:12
  • @Iain The guy who first discovered it [made a blog post about it here](http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/). Always choose strong passwords - you never know when a crappy piece of code is going to expose them to the world. That said, there's no evidence of actual, malware-infected hardware existing outside of the NSA. – HopelessN00b Sep 08 '14 at 20:25
  • Well, I'm 90% sure mine is infected. Something was using it to launch a denial of service attack - and it was using ports that don't have services running (so it wasn't an amplification attack). The questions come back to: if somebody or something logged into the IPMI board, where and how could it plant a bot, and how to get it out? – Miles Fidelman Sep 09 '14 at 13:01
  • Don't take this as wise cracking please, but as a gentle reminder for anyone else reading this: your IPMI board should be connected to an internal-only separate (V)LAN. These IPMI boards are not made with strong security in mind. – Micropolis May 18 '22 at 19:59

1 Answer


The IPMI firmware of your board is ATEN-based. You can download the IPMI firmware image at the Supermicro website (it's named "SMT...").

You should use firmware version 3.15 (SMT_315.bin) or later and put IPMI behind a firewall or use the included firewall of the IPMI firmware. Check this article for more details.

I assume that you have been affected by the NTP DDoS issue (if your current firmware is older than v3.13).

gtirloni
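A quick way to act on the answer's "3.15 or later" advice across a fleet is to parse the BMC's reported firmware revision and flag anything older. The script below is an added example, not part of the original answer; it assumes the "Firmware Revision : X.YY" line format that ipmitool's `mc info` prints, and the sample output it parses is constructed, not taken from a real board.

```shell
#!/bin/sh
# Check whether a Supermicro/ATEN BMC firmware revision, as printed by
# "ipmitool mc info", meets the 3.15 minimum recommended in the answer.
# Added example; the SAMPLE output below is constructed, not captured.

MIN_MAJOR=3
MIN_MINOR=15

# Extract "major.minor" from ipmitool mc info output read on stdin.
fw_version() {
    sed -n 's/^Firmware Revision[[:space:]]*:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 if version $1 (major.minor) is >= MIN_MAJOR.MIN_MINOR,
# 1 if it is older, 2 if the string cannot be parsed.
fw_is_current() {
    major=${1%%.*}
    minor=${1#*.}
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;;      # empty or non-numeric
    esac
    [ "$1" = "$major" ] && return 2   # no dot: cannot judge
    if [ "$major" -gt "$MIN_MAJOR" ]; then return 0; fi
    if [ "$major" -lt "$MIN_MAJOR" ]; then return 1; fi
    [ "$minor" -ge "$MIN_MINOR" ]
}

# Constructed sample of "ipmitool -H <bmc> -U <user> mc info" output.
SAMPLE='Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 2.58
IPMI Version              : 2.0
Manufacturer ID           : 10876
Manufacturer Name         : Supermicro'

check_sample() {
    ver=$(printf '%s\n' "$SAMPLE" | fw_version)
    if fw_is_current "$ver"; then
        echo "BMC firmware $ver: at or above $MIN_MAJOR.$MIN_MINOR"
    else
        echo "BMC firmware $ver: older than $MIN_MAJOR.$MIN_MINOR; update to SMT_315.bin or later and keep IPMI off any public network"
    fi
}
check_sample
```

Replace `SAMPLE` with the live output of `ipmitool mc info` (or pipe it straight into `fw_version`) to check a real board.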