Hacked System

Definitely sounds like someone gained unauthorized access. As a general precaution, you should move your iLOs to a management VLAN that has no access to anything other than a few designated VLANs. I would suggest deleting the user and upgrading iLO. The most recent version for 4 can be found here: https://downloads.hpe.com/pub/softlib2/software1/sc-linux-fw-ilo/p192122427/v182737/CP044405.scexe
To install it, extract the scexe file using 7zip and then extract the file that comes out. You'll see a .bin file that you can upload to the iLO via the web portal.
Did you extract the file? There's no bin in there. Or am I missing something?
 
Is your root PW strong? A couple of years ago, I created a honeypot with a simple root pw and the machine was infected in under an hour.
 
I'd look at other machines on your network, especially whatever machine you're using to access and configure your Proxmox box.

Easiest way to exploit access is simply to sniff/exfil it off of a machine that already has access/keys/passwords.

Sounds to me like your workstation has a trojan/virus of some kind.
 
OK guys, thanks for all the feedback. You guys did get my head working in a different direction. So as it turned out, they did hack the iLO since it was accessible via the internet, and kept infecting it from there.

I was able to find the cronjob and scripts being installed and was able to stop them, as well as delete the users created by the hack...

It looks like we're good!!!
THANK YOU VERY MUCH!
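
The cleanup described in the post above (finding the cron job and the accounts the intruder created), as an added example that is not part of the original thread: a read-only triage script for a Debian-based host such as Proxmox VE. The function names, the REVIEW keyword list and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Persistence triage for a Debian-based host such as Proxmox VE (added example).
# Pass a root directory: / on the live host, or the mount point of a disk image.

# Non-root accounts with UID 0, and every account with an interactive shell.
audit_accounts() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "UID0\t" $1; next }
        $7 !~ /(nologin|false|sync)$/ { print "SHELL\t" $1 "\t" $7 }
    ' "${1:-/}/etc/passwd"
}

# Active cron lines from the system and per-user crontabs. Lines that download,
# decode, or run from world-writable paths are tagged REVIEW.
audit_cron() {
    root=${1:-/}
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        awk -v file="${f#"$root"}" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments, blanks
            /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next } # VAR=value lines
            { tag = ($0 ~ /curl|wget|base64|\/tmp\/|\/dev\/shm\//) ? "REVIEW" : "entry"
              print tag "\t" file "\t" $0 }
        ' "$f"
    done
}

# Constructed sample tree for a dry run (not data from the thread).
make_sample_root() {
    d=$(mktemp -d) && mkdir -p "$d/etc/cron.d" || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'www-data:x:33:33::/var/www:/usr/sbin/nologin' \
        'svc:x:0:0::/root:/bin/sh' > "$d/etc/passwd"
    printf '%s\n' '# constructed' 'PATH=/usr/bin:/bin' \
        '17 * * * * root cd / && run-parts --report /etc/cron.hourly' \
        '*/5 * * * * root /tmp/.cache/update.sh' > "$d/etc/cron.d/sample"
    echo "$d"
}

sample=$(make_sample_root) || exit 1
audit_accounts "$sample"
audit_cron "$sample"
rm -rf "$sample"
```

Cron and `/etc/passwd` are only two persistence locations; systemd units, `authorized_keys` files and the scripts under `/etc/cron.hourly` and its siblings need the same review.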
 
You shouldn't ever expose such systems directly to the WWW, as you have learned the hard way - always use a VPN to connect to your network or at least use port-knocking so the port isn't exposed the whole time.
Glad though you found the source.
All the best
 