
Vulnerability of your servers known to attackers through IPMI Email.

coreyman

Active Member
Verified Provider
Dear abuse/security team!

We have to inform you that during the investigation of a security
incident, we noticed that hackers had found an exploitable
vulnerability on the machine(s) with the following IP address(es):

**********

The attack vector is a weakness of the IPMI protocol used by a number
of remote management consoles (ILO, DRAC, ...).

We have currently no information on whether or not the attackers
have actually exploited the vulnerability or if they will do so in the
future.

More information about detection and remediation can be found at:

https://wiki.univie.ac.at/x/FLAKAw

We suggest that you check for a compromise and make sure your systems
aren't vulnerable to this attack.

Kind regards,

Alexander Talos-Zens, ACOnet-CERT




The recipient address of this report was provided by the Abuse Contact
Database of abusix.org. If you have any question or think the recipient
address might be wrong, contact abusix.org directly via email
([email protected]). Further information about the Abuse Contact Database
can be found here:

http://abusix.org/services/abuse-contact-db

abusix.org is neither responsible nor liable for the content or accuracy
of this message.
I checked out the IPMI firmware version on this server and it is 3.19. I went to Supermicro's website and looked at the board I have, and 3.19 seems to be the latest firmware revision. Has anyone else received a notice like this?
 

mitgib

New Member
Verified Provider
I received the email on a pair of X10SLL boards running the latest firmware, so I moved IPMI to private space. Nothing was found on the server to indicate any miner running. Seems like a more detailed answer is needed from ACOnet-CERT; otherwise it looks like they are simply trolling.
 

coreyman

Active Member
Verified Provider
Yeah, it's almost as if they ran 'if IPMI === true mail(thepersonwiththeipmiandwarnthemnomatterwhat)'
 