New on LowEndTalk? Please Register and read our Community Rules.
iDRAC vulnerability
Just saw this on cloudlinux blog
http://cloudlinux.com/blog/clnews/idrac-vulnerability-hacked-servers.php
They made a check script
wget -qq -O - http://kb.cloudlinux.com/scripts/idrac_hack_check.sh|bash
Comments
Seriously? They're having you pipe a script straight into Bash over HTTP?
That's just negligent. If anything, it provides another avenue of attack...
I copy-pasted it from the blog post.
YOLO!
Is this exploit limited to any specific iDRAC versions?
Right, sorry, I was a bit unclear I guess. My criticism isn't towards you, but towards CloudLinux. Especially calling themselves a security vendor - what the hell were they thinking?!
Here is more info about the hack:
https://wiki.univie.ac.at/display/CERT/Bitcoin+Mining+Hack+750x7+-+Technical+Details+for+Detection+and+Recovery
and their bash script just checks for the mining libraries, not even iDRAC
https://www.kb.cert.org/vuls/id/843044
Dell simply removes IPMI 1.5 to solve this.
It checks if you have been hacked :P nothing else. There is no way (as far as I know) to detect if there is an iDRAC attached to the server from inside the server OS.
It's not isolated to iDRAC. It's IPMI in general.
This was patched last year for DRACs and I really hope anybody with their management ports accessible to the public is at least keeping them patched.
Thank you for the nice script. I hope it is already patched; this may be some old-time backdoored servers.
Since it was apparently not clear enough: DO NOT RUN THE COMMAND IN THE POST. The script is downloaded over HTTP, which means there's absolutely no guarantee that it isn't maliciously modified. Running it like above could very well result in compromising your server.
Instead, download the script, verify that it does what it claims, and only then run the local copy you already have.
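The download-verify-run pattern this comment recommends, written out as an added example that is not CloudLinux's script and not part of the thread: the script is saved to a file, its SHA-256 is compared with a hash obtained through a separate channel, and only the verified local copy is executed. The expected hash is a placeholder, since the page publishes none; `fetch_verify_run` and `verify_script` are names chosen here.

```shell
#!/bin/sh
# Added example, not CloudLinux's script: the safe counterpart to
# "wget -O - URL | bash". The script lands in a file first, its SHA-256 is
# checked against a value obtained through a separate channel (a signed
# announcement, the vendor's HTTPS page, a colleague's copy), and only the
# verified local copy runs. The expected hash below is a placeholder.

# file_sha256 FILE -> hex SHA-256 of FILE (coreutils sha256sum, or shasum on BSD/macOS)
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED -> 0 when FILE's SHA-256 equals EXPECTED, 1 otherwise
verify_script() {
    actual=$(file_sha256 "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# fetch_verify_run URL EXPECTED -> download, verify, then run the local copy.
# Nothing executes before the hash check passes; on a mismatch the file is
# kept for inspection rather than deleted.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    # -O to a file instead of "-O -": the content is stored, not piped to a shell
    if ! wget -q -O "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_script "$tmp" "$expected"; then
        echo "SHA-256 mismatch for $url; refusing to run. Copy kept at $tmp" >&2
        return 1
    fi
    # Hash matched. Read the file (less "$tmp") before this point if you have
    # not seen the script before, then run the local copy.
    sh "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder hash; substitute the value published out of band):
# EXPECTED_SHA256="<sha256-published-out-of-band>"
# fetch_verify_run "http://kb.cloudlinux.com/scripts/idrac_hack_check.sh" "$EXPECTED_SHA256"
```

The hash does two jobs: it defeats tampering on the wire, and, because everyone compares against the same published value, it answers the question raised later in the thread of whether you are running the same code as everybody else. Fetching over HTTPS narrows the set of parties who can alter the download, but it does not replace the out-of-band comparison.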
The script is clear, have a look at: http://pastebin.com/YDynRrFc They are just checking files like /etc/ld.so.preload. I don't think it will be helpful to detect the actual vulnerability.
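Since the thread says the vendor script is a compromise check built around files like /etc/ld.so.preload rather than an iDRAC test, here is an added example of what such a check looks like; it is not the CloudLinux script and not from the thread. /etc/ld.so.preload lists shared objects the dynamic loader injects into every dynamically linked process, so on a clean host it is normally absent or empty, and any entry deserves a look. The function names and the sample file are constructed for this example; the path argument defaults to /etc/ld.so.preload.

```shell
#!/bin/sh
# Added example (not the CloudLinux script): report entries in an ld.so.preload
# file. The loader reads this file for every dynamically linked process, which
# is why miner loaders and rootkits have used it. A clean system normally has
# no such file, or an empty one.

# check_ld_preload [FILE] -> prints each preload entry, returns 1 if any exist
check_ld_preload() {
    file=${1:-/etc/ld.so.preload}
    found=0
    [ -f "$file" ] || return 0            # absent file: nothing is preloaded
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                 # drop '#' comments
        for lib in $entry; do             # unquoted on purpose: whitespace-separated list
            found=1
            if [ -e "$lib" ]; then
                printf 'preload entry: %s\n' "$lib"
            else
                # a missing target is still worth reporting: the entry was planted by something
                printf 'preload entry (file missing): %s\n' "$lib"
            fi
        done
    done < "$file"
    return $found
}

# count_ld_preload [FILE] -> number of preload entries, for use in scripts
count_ld_preload() {
    check_ld_preload "$@" | wc -l | tr -d ' '
}

# Usage on the real file (constructed sample files are used in testing):
# check_ld_preload && echo "no preload entries" || echo "inspect the entries above"
```

Note what this does and does not tell you: a populated preload file is a post-compromise indicator on the host OS, which is exactly the point made above that a script like this reports whether you have already been hit, not whether your management controller is exposed or patched.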
Someone could change the content depending on the user agent. And if it's FF / Chrome / IE send a legit script and with wget a malicious one.
You're completely missing the point, which is very concerning given the services you advertise.
Making people pipe scripts straight into Bash over HTTP allows for trivial MITM by anybody in between - that can be the hosting company on either side, any of the transit providers, or any third party that has coerced (or partnered with) any of the aforementioned. Especially with the use of watering hole attacks by the NSA and friends, this is a really bad idea.
Unless you've downloaded and verified the script by yourself beforehand, you can't know whether you're running the same code as everybody else.
The way they are downloading script is suspicious!
Try with all user agents like FF, IE, iPad, iPhone and others. I guess you will find no cloaking tricks.
Read what I said. You cannot check this for anything but your own servers. You should not be advertising security services if you do not understand this.
It's quite funny to see some folks don't understand/know how a MITM (man in the middle) attack works.
I agreed with you! It's pretty clear and I totally understood what you're trying to say. Even I doubt the ISP companies for eavesdropping.