Ransomeware infected machine
-
So your saying someone compromised your pfsense box and put slax linux on it? From your internal pbx lan.. Via the web gui?
-
@Derelict said in Ransomeware infected machine:
Even with full remote root ssh/webgui access I struggle to come up with a procedure where such a result would be possible without physical/console access.
Is there IPMI? Is that accessible? Is that secured????
-
@YYJWalking said in Ransomeware infected machine:
1U supermicro box
Which specific hardware - IPMI would be by my guess to something like this happening.
-
Well I'm not certain that the PBX controller was the entry point, just that it was also impacted. Would it even be possible to infect a machine from the WebGui? Maybe get the box to install a bogus manual package which runs a payload?
The box DOES hsve IPMI (https://www.supermicro.com/products/system/1U/5015/SYS-5015A-EHF-D525.cfm) but I hadn't checked to see if it had been left open or not (will do so tomrrow and report back.)
So just out of curriosity not a lot of other people have encountered this before is that correct?
-
Literally nobody.
-
Well that's joyus!!
-
Well, that's to be expected when you are on a pfSense forum asking about something that is, in all likelihood, not a pfSense problem.
-
JungleSec is well known ransomware that installed via ipmi.. Sure there are others..
There is tons of info and warnings about supermicro bmc firmware (IPMI) that should of been updated long time ago, etc. etc. If your saying this box is from 2014.. That stuff was prob never updated, etc.
-
@YYJWalking Thank you for coming back and proving me wrong!
It is unfortunate that this happened to you, and while you will likely never really know for sure how this infection happened, you did get some good advice about possible entry points and remedies.
-
Yeah anyone coming here should take the time to validate that their IPMI is not exposed to the public, and make sure the BMC firmware is current, etc..
Also good time to make sure that vlans that do not need access to web gui or ssh, do not have access!!
-
Very lucky if the PBX and pfSense box is the only compromised stuff.
Could be a lot worse...-Rico
-
@YYJWalking If these 2 machines (pfsense and PBX) were the only ones compromised, I agree with @Rico. Could be worse...
Having said that, depending on how long they were like this, it might be time to do a security audit on your network/machines there.
Jeff
-
Perhaps this is how he became exposed?
https://www.reddit.com/r/homelab/comments/6vord0/rookie_mistake_exposed_supermicro_ipmi_to_the/
I don't use a supermicro board for my pfsense setup but I do use one for another box on my network and had this issue. I'm not using IPMI and didn't have any spare ports on my switch so I had to pull out and old switch and connect it to the IPMI port on the board connecting nothing else to the switch just so the IPMI software would detect the connection and not failover to one of the other ports on the board.
-
You can disable that in the BIOS rather than having to connect the port.
Steve
-
@mhertzfeld said in Ransomeware infected machine:
not failover to one of the other ports on the board.
It can failover to another port for IPMI? That doesn't seem like all that smart of an idea from a security point of view ;)
