How to find spambot? Got network abuse report from my ISP

MrGlasspoole

What the hell is IPMI?

Yes its a ASUS P9D-I

Talk to me like i never heard the word network before
I'm not a network god like you people

johnpoz

IPMI is a management protocol - problem is that there are security issues with it... So when enabled on a nic that is connected to the public internet - it can be exploited and give control of the system..

this might help
https://www.itworld.com/article/2708437/ipmi--the-most-dangerous-protocol-you-ve-never-heard-of.html

Grabbing the manual
https://dlcdnets.asus.com/pub/ASUS/mb/socket1150/P9D-I/Manual/E8351_P9D-I.pdf

I would suggest you go in and disable the IPMI stuff

And make sure you update bios and firmware...

Until you get it disabled/fixed - I would pull that hardware off the network!!!

stephenw10

When you started this thread was it not running on a VM? Was that in this same hardware though?

That is a painful discovery. Better to have discovered it though...

Steve

MrGlasspoole

No the Hyper-V stuff is running on a ASRock Rack board.

To make sure its not Hyper-V/Windows i installed pfSense on that Asus board.
I have this Asus board since a half year but never used it until now.
Bought it for a NAS build.

The BIOS is the latest. But i cant figure out how to disable that IPMI stuff.
If i go to "Intel Server Platform Services" there are no settings, only information.

Damn. Had to move around monitors because that old 1440x900 i normally use for testing does not work.
First time i have a BIOS that only works on 1080p.

stephenw10

The BMC stuff is what you want. If you can't set it as disable you can just set it to static and put in some bogus IP that is unreachable.

The BMC shares LAN1 on the board according to the manual so you should use that for LAN. It must be WAN currently if it's got a public IP.

The fact it's sending spam though, or seems to be, is highly worrying! If you can't disable the BMC entirely I would consider if that's possible to use. the BMC has access to everything on the board.

As I understand it you were seeing these spam reports before you had this board connected at all though?

Steve

bmeeks

Adding to where Steve is going -- where else was this hardware that now has pfSense on it? Was this same hardware in use elsewhere on the network? Might the LAN1 port have had access to the WAN side of your network before it was re-purposed to be a pfSense platform?

MrGlasspoole

I cant remember what pfSense (this board or Hyper-V) was running when i had the first spam report.

What i did is switching the NICs (WAN/LAN) and did login to that ASMB7-iKVM thing.
I did disable all services except "web".
I did create a new user, changed the admin password and disabled login for the admin.
I also disabled IPv6 and set IPv4 to static.

The last 2 hours there are only ~4 entries in the IPFIX log.
For example scanners.labs.rapid7. com (88.202.190.135) on port 25.
But i guess that's normal that some bots are trying to come in.

I cant believe that there are boards where something like that is on by default with a default user/password.
I found this: https://homeservershow.com/forums/topic/9350-asus-p9d-i/
Looks like there is a jumper to disable it. I need to check that with the flashlight because there is nothing in the manual.

I let it run now for a view hours and then i will see what happens.

So it means the bots did hijack the BIOS/IPMI to send spam?

@bmeeks, I never used that board before.

EDIT
Found it but i still can invoke that web management site

EDIT again
You need to remove power when switching the jumper that it works.
So its off now.

NollipfSense

This makes for a good case study indeed!

Gertjan

Ooooh.

Not a hacked modem after all.
Hacked BIOS (sort-of) motherboard ....

Impressive.

MrGlasspoole

@NollipfSense said in How to find spambot? Got network abuse report from my ISP:

This makes for a good case study indeed!

Yeah. No one is completely useless; he can always serve as a bad example.

Every day you learn something new.
Computer since C64 and never heard of IPMI before...

Thanks to everybody here. Never would i had figure that out myself.

The good thing is i have PRTG now. A while back i was looking at Zappix and found it complicated.

This are the softflowd entries from the last 12 hours:

Not sure right now what 10.1.2.3 is. But my parents have yahoo mail. They are away since 2 hours for 3 days and it can be a phone/tablet.

Any tips what you would log for a certain time (2, 3, 5 days) in a home network?
At the moment I'm logging just the blocked outgoing mail firewall ports on LAN (System Logs Remote Logging) and
this ports on WAN.

Gertjan

I guess you can remove (or disable or make it log only) this LAN firewall rule that blocks mail server ports.
Scarp that ASUS board - or make that IPMI brain-dead.

MrGlasspoole

@Gertjan as i wrote: that jumper did deactivate IPMI.

stephenw10

I would also consider reinstalling pfSense to be sure. Anyone with access to the BMC would have had full access to the system including console access. They could have installed anything really.

It would be interesting to know what they did there have the controller send email. I suspect they were just relaying it somehow. It was probably entirely automated based on knowing there are a lot of misconfigured BMC devices connected directly to WAN like that. As such I doubt any real person connected to do anything specific but....

Steve

MrGlasspoole

Yes i guess there are bots scanning for that IPMI thing.

But i can use my backup (settings) if i make a fresh pfSense install?

stephenw10

Yes, you should be able to. I would read through it though. Better to be sure.

Steve