RESET Forums (homeservershow.com)

iLo Hacked???!!!


vgoncalves

Hi all,

Does anybody know if iLO has some severe vulnerabilities?

The iLO of my server has been hacked: they could log on as System Administrator and created users, then started/stopped the server, entered the remote console, and so on...

Here is a small log of the iLO; I removed sensitive data:

1323,"Informational","03/03/2018 10:46","03/03/2018 10:46","1","Browser logout: hp - X.X.X.X",	
1322,"Informational","03/03/2018 10:46","03/03/2018 10:46","1","Remote console session stopped by: hp - X.X.X.X.",	
1321,"Informational","03/03/2018 10:46","03/03/2018 10:46","1","Remote console started by: hp - X.X.X.X,	
1320,"Informational","03/03/2018 10:46","03/03/2018 10:46","1","Browser login: hp - X.X.X.X,	
1319,"Informational","03/03/2018 10:29","03/03/2018 10:29","1","Browser logout: System Administrator - 127.0.0.1(localhost).",	
1318,"Informational","03/03/2018 10:29","03/03/2018 10:29","1","User hp added by System Administrator.",	
1317,"Informational","03/03/2018 10:29","03/03/2018 10:29","1","Browser login: System Administrator - 127.0.0.1(localhost).",	

 

X.X.X.X is the public IP of the hackers...

 

 

 

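A check for the pattern visible in the log posted above, where an account is created and then used for a browser login and a remote console session minutes later. This is an added example, not part of the original post or of any HPE tooling; the sample lines are constructed in the post's layout, and the function names and the MM/DD/YYYY date order are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the log posted above (newest first).
# 203.0.113.7 is a documentation address standing in for the redacted IP.
# Two lines lack the closing quote, as in the post; a CSV reader would merge
# them with the following line, so every line is parsed on its own.
SAMPLE = '''\
1323,"Informational","03/03/2018 10:46","03/03/2018 10:46","1","Browser logout: hp - 203.0.113.7",
1322,"Informational","03/03/2018 10:46","03/03/2018 10:46","1","Remote console session stopped by: hp - 203.0.113.7.",
1321,"Informational","03/03/2018 10:46","03/03/2018 10:46","1","Remote console started by: hp - 203.0.113.7,
1320,"Informational","03/03/2018 10:46","03/03/2018 10:46","1","Browser login: hp - 203.0.113.7,
1319,"Informational","03/03/2018 10:29","03/03/2018 10:29","1","Browser logout: System Administrator - 127.0.0.1(localhost).",
1318,"Informational","03/03/2018 10:29","03/03/2018 10:29","1","User hp added by System Administrator.",
1317,"Informational","03/03/2018 10:29","03/03/2018 10:29","1","Browser login: System Administrator - 127.0.0.1(localhost).",
'''

LINE = re.compile(r'^(\d+),"[^"]*","([^"]*)","[^"]*","\d+","(.*?)"?,?\s*$')
ADDED = re.compile(r"^User (.+) added by (.+?)\.?$")
USED = re.compile(r"^(Browser login|Remote console started by): (.+?) - (.+?)\.?$")

def parse(text):
    """Return (event_id, timestamp, description) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # date order MM/DD/YYYY is an assumption
            ts = datetime.strptime(m.group(2), "%m/%d/%Y %H:%M")
            events.append((int(m.group(1)), ts, m.group(3)))
    return sorted(events)

def new_account_activity(text, window=timedelta(hours=24)):
    """Flag logins and console sessions by accounts created within `window`."""
    last_source, created, findings = {}, {}, []
    for event_id, ts, desc in parse(text):
        added = ADDED.match(desc)
        if added:
            user, creator = added.groups()
            # Remember who created the account and where they last logged in from.
            created[user] = (ts, creator, last_source.get(creator))
            continue
        used = USED.match(desc)
        if not used:
            continue
        action, user, source = used.groups()
        last_source[user] = source
        if user in created and ts - created[user][0] <= window:
            _, creator, creator_source = created[user]
            findings.append({"event_id": event_id, "action": action,
                             "user": user, "source": source,
                             "created_by": creator,
                             "creator_source": creator_source})
    return findings
```

Run against an exported event log, each finding names the new account, the address it was used from, and the last login source of the account that created it.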

Hi, I'm Italian and I'm using a translator.

You should never expose the ILO to the WAN interface (internet). I use a VPN server (pfsense) in my network and connect to it with a VPN client.
The ILO has an IP address of my local area network (LAN) and the VPN server routes the remote client into the local network.

I think this is the best and safest way to access the ILO remotely.

 

  • Like 2

Hello, good afternoon! Where did you obtain this data? Within iLO there is no reference to it. Could you explain it to me? Thank you.

 

 

 


 

Hello! I am not Italian, but I am Spanish and also used the translator!

In my case I have also exposed the website of iLO to the Internet, basically because my router does not have VPN management, and if there is any failure and I am not at home (I live 80 km from where the server is) I cannot do anything if the server stops working. At least from iLO you can see and manage everything that happens in case of a breakdown. It is clear that it is very bad to expose the web pages to the Internet, but in my case I do not see another solution until the router changes.

The only thing I use is strong passwords created with KeePass.


Hi, this is a screenshot of the log in ILO.
However, I would rather travel 100 km than expose ILO to the WAN.
I can only advise you to set up the network with a VPN firewall.

Schermata del 2018-03-19 16-27-32.png


But I would be obliged to change the router, and at present there is none that convinces me :(

This data was retrieved from the iLO log.

My password was strong, and I had the login delay option for each wrong password...
So I believe it was some vulnerability with code injection through which they instantly gained access and created an extra user...

For now I just removed the access from the WAN.
  • Like 1

 

That is the only real solution. Don't expose any ports outside of your LAN. The only secure solution is a VPN server (preferably OpenVPN), and then you can access anything within your LAN.

For example, I am running 3 (three) OpenVPN servers on two devices. On my router I am running two servers (TCP and UDP), and on a dedicated VM within my Microserver Gen8, one TCP. This configuration allows me to remotely manage all devices within my LAN, including the OpenVPN servers. When I want to do something with the router, I connect through the Microserver's OpenVPN, and vice versa.

Edited by netware5

Hi, I have iLO publicly available on port 25000 and no problem at all. I have the latest iLO version, 2.55; it's safe, I think. What firmware do you have installed now?

 

 

I had 2.40, but now I upgraded to version 2.55