Unsolved
4 Posts
February 11th, 2023 01:00
Remote file share attached without logging into iDRAC
Hey all, maybe someone can help with this issue below:
I am managing two remote Linux servers running on R720. Recently, the system was compromised by means of an installed miner that was run from an ISO mounted via Remote File Share.
In the LC logs, I can see only that the share was mounted, but iDRAC was not accessed, not via WEB, not via SSH, not via RACADM... so before or after this log entry there are no unrecognized successful logins onto iDRAC, except mine.
Remote share mounted successfully xxx.xxx.xxx.xxx:/nfs/debian-custom.iso.
RAC0721
iDRAC.Embedded.1
xxx.xxx.xxx.xxx:/nfs/debian-custom.iso

I have tried replicating this myself in a couple of ways, but every time there is a log of a successful login into iDRAC, via WEB, SSH or RACADM.

Would it be possible for something like this to happen without authenticating?

My next, and probably last, thought is that this was done via Serial Console. Is there a way to figure it out somehow, to see Serial Console log history or anything that would shed more light onto this? Any help would be appreciated as I really want to get to the bottom of this one.

Thanks.
DELL-Shine K, 6 Operator, 3K Posts
February 12th, 2023 04:00
A RACADM command executed from the server OS also does not need a username or password.
Milan.Delta, 4 Posts
February 12th, 2023 05:00
Hey, and thanks for the reply.
That is true, but RACADM was not installed on the OS of the servers at the time.
What is strange to me is that both of them got compromised within a couple of minutes of each other, and going back through the logs I can confirm this.
DELL-Young E, Moderator, 5.4K Posts, 37 Points
February 12th, 2023 14:00
Hello, if your system is still in warranty, tech support can take a look at your logs. Wish you a good one.
Milan.Delta, 4 Posts
February 13th, 2023 05:00
Hey, thanks for the reply.
The system is not under warranty anymore, unfortunately.
But as I said, I went through all LC logs and found nothing strange except:
Just logs with Message IDs RAC0721 and RAC0702 are present, i.e. "Remote share mounted successfully" and "Requested system powercycle". After this, the system boots from the mounted ISO and installs some scripts and malicious software onto the system.
I have since cleaned all the malicious stuff from the OS and changed all the passwords just to be safe, although I am sure none are leaked, and still, the same thing happened this morning.
These servers are going to be decommissioned anyway and moved to a different hosting, but I still want to know, if possible, where these commands are sent from. For sure not from the OS.
iDRAC FW is 2.32.31.30, and I found that it might be vulnerable to some hacks, like CGI injection:
https://dl.dell.com/manuals/all-products/esuprt_software/esuprt_it_ops_datcentr_mgmt/dell-management-solution-resources_white-papers6_en-us.pdf
Or perhaps someone is connecting via Serial Port and running these commands.
If anyone has a clue how to discover which of the two, or perhaps a third, method might be used...
Cheers.
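One way to hunt for exactly the pattern described in the first post and in the post above (RAC0721 mount, then RAC0702 power cycle, with no iDRAC login around it), as an added example that is not part of the original thread or of any Dell tool: correlate each RAC0721 event with the RAC0702 event that follows it and with any interactive login in the preceding hour. Assumptions, all mine: the input is a simplified one-record-per-line, tab-separated export (the sample below is constructed, not the poster's log; a real `racadm lclog view` dump is multi-line and needs its own parser), and USR0030 is the "Successfully logged in" message ID (check it against your iDRAC's event message reference before relying on it).

```python
"""Correlate iDRAC Lifecycle Controller (LC) log events to find remote-file-share
mounts that were not preceded by an interactive iDRAC login.

Added example for this thread; the sample records below are constructed and
the one-line export format is a simplification of the real racadm output."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Message IDs quoted in the thread: RAC0721 (remote share mounted) and
# RAC0702 (system power cycle requested). USR0030 is ASSUMED here to be the
# "Successfully logged in" audit event; verify against your iDRAC reference.
MOUNT_ID = "RAC0721"
POWERCYCLE_ID = "RAC0702"
LOGIN_ID = "USR0030"

# Constructed sample, not from the original post. 203.0.113.7 is a
# documentation address standing in for the redacted NFS server.
SAMPLE_LCLOG = """\
# <ISO timestamp>\t<MessageID>\t<Message>
2023-02-10T08:15:00\tUSR0030\tSuccessfully logged in using admin, from 10.0.0.5 and GUI.
2023-02-10T08:16:10\tRAC0721\tRemote share mounted successfully 10.0.0.5:/nfs/debian-11.iso.
2023-02-10T08:17:00\tRAC0702\tRequested system powercycle.
2023-02-11T00:58:21\tRAC0721\tRemote share mounted successfully 203.0.113.7:/nfs/debian-custom.iso.
2023-02-11T00:59:04\tRAC0702\tRequested system powercycle.
"""


@dataclass
class LcEvent:
    ts: datetime
    msg_id: str
    message: str


@dataclass
class Finding:
    mount: LcEvent
    powercycle: Optional[LcEvent]   # RAC0702 within boot_window, if any
    prior_login: Optional[LcEvent]  # login within login_window, if any
    share: str                      # the mounted remote path


def parse_lclog(text: str) -> List[LcEvent]:
    """Parse the simplified tab-separated export into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, msg_id, message = line.split("\t", 2)
        events.append(LcEvent(datetime.fromisoformat(ts), msg_id.strip(), message.strip()))
    events.sort(key=lambda e: e.ts)
    return events


def extract_share(message: str) -> str:
    """Pull the remote path out of a RAC0721 message:
    'Remote share mounted successfully <host>:/<path>.'"""
    return message.rstrip(".").split()[-1]


def find_unattended_mounts(events: List[LcEvent],
                           login_window: timedelta = timedelta(hours=1),
                           boot_window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Return every RAC0721 mount with no login event in the preceding
    login_window, together with the RAC0702 that follows it (if any)."""
    findings = []
    for i, ev in enumerate(events):
        if ev.msg_id != MOUNT_ID:
            continue
        prior_login = None
        for prev in reversed(events[:i]):          # walk backwards in time
            if ev.ts - prev.ts > login_window:
                break
            if prev.msg_id == LOGIN_ID:
                prior_login = prev
                break
        powercycle = None
        for nxt in events[i + 1:]:                 # walk forwards in time
            if nxt.ts - ev.ts > boot_window:
                break
            if nxt.msg_id == POWERCYCLE_ID:
                powercycle = nxt
                break
        if prior_login is None:
            findings.append(Finding(ev, powercycle, prior_login, extract_share(ev.message)))
    return findings


def report(text: str) -> List[str]:
    """Human-readable summary of unattended mounts in an export."""
    lines = []
    for f in find_unattended_mounts(parse_lclog(text)):
        pc = f.powercycle.ts.isoformat() if f.powercycle else "none"
        lines.append(f"{f.mount.ts.isoformat()} mount of {f.share} with no iDRAC login "
                     f"in the prior window; powercycle at {pc}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LCLOG):
        print(line)
```

On the sample, only the second mount is reported: the first one is preceded by a login and is treated as operator activity. On a live box, pull the records with `racadm lclog view` and adapt `parse_lclog` to its multi-line layout; `racadm remoteimage -s` shows whether a remote image is still attached right now, which is worth checking before the hosts are decommissioned.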
DELL-Chris H, 7 Practitioner, 9.7K Posts, 48K Points
February 13th, 2023 05:00
While I would still suggest working with support when security is involved, regardless of warranty status, another option beyond the Lifecycle Controller logs is a SupportAssist log collection, as described here: https://dell.to/3Iml1l6. Once complete you can upload it to upload.dell.com and then private message us the service tag used for the upload, so we may locate the logs.
vovanxxx, 1 Rookie, 34 Posts
February 13th, 2023 22:00
I believe a remote command execution vulnerability is involved. If I recall correctly there was one critical RCE vulnerability in iDRAC <= 2.40.40.40, so the first thing you should do is update iDRAC to the latest available version. If the issue persists then please report back; it may be an unknown vulnerability.
Also, does the iDRAC have a direct connection to the Internet, or is it available in a local network only (via VPN)?
If possible you should protect the iDRAC with a VPN and not allow the whole world to access your iDRAC.
> both of them got compromised within a couple of minutes of each other
It seems that you were not the only target of the attack; it is rather an automated script which scans the whole Internet for vulnerable iDRACs and infects the servers with that mining ISO.
BTW I will be grateful if you share the link to the ISO, I'd like to research it.