  1. #1

    Supermicro Phantom Reboot

    About two hours ago my colocated server rebooted. I checked with the facility and they had no issues. I loaded up the IPMI tool and checked the event log; I'm assuming a power failure or anything of the like would be recorded there. The last boot was in March of last year, and the two records after that read as follows:
    151,System Event,Pre-Init 00:27:29,Session Audit,,Assertion: Session Audit| Event = Invalid Username or Password
    152,System Event,Pre-Init 00:27:30,Session Audit,,Assertion: Session Audit| Event = Invalid Username or Password
    Those records aren't timestamped, but I did have a few failed logins once when I forgot my password.
    The server runs CentOS, where would reboots or crashes be logged? I know that's a noob question but I'm really not sure. The server was up for over 200 days without a blip and I'm kind of worried about a sudden crash/reboot.
    Thank you!

  2. #2
    Hang on while I remove non-relevant info
    Last edited by murphyslaw4267; 01-03-2014 at 03:25 PM.

  3. #3
    Oh well, I'll just chalk it up as a crash, 200 days running who knows what isn't bad. Sorry for the fruitless thread.

  4. #4
    There's a thread currently making the rounds, regarding an alleged Supermicro NIC reset bug. Haven't had much chance to read it yet. Are you running CentOS 6.5?
    | John Edel Jetfire Networks L.L.C. Trusted Hosting Solutions
    | Consistent, Reliable, Stable OpenVZ & KVM Virtual Private Servers
    | SpamWall AV & Full SMTP Filtering
    Now an SSLStore Titanium Partner!

  5. #5
    If your IPMI is on a publicly accessible IP address, then most likely someone else is rebooting your server. The Supermicro IPMI, you need to treat it as though it has no password on it at all. I.e. if someone can reach the login page, you need to assume they have full admin on the IPMI. I would assume that people are rebooting your server as a way to test this exploit, if the IPMI is publicly accessible.
    Phoenix Dedicated Servers -- IOFLOOD.com
    Email: sales [at] ioflood.com
    Skype: iofloodsales
    Backup Storage VPS -- 1TBVPS.com

  6. #6
    Originally posted by funkywizard:
    If your IPMI is on a publicly accessible IP address, then most likely someone else is rebooting your server. The Supermicro IPMI, you need to treat it as though it has no password on it at all. I.e. if someone can reach the login page, you need to assume they have full admin on the IPMI. I would assume that people are rebooting your server as a way to test this exploit, if the IPMI is publicly accessible.
    This ^. I don't even set up IPMI unless someone specifically requests it. I'm working on a way to access it via private network through our Control Panel, but until that's done, it's too big of a risk.
    NEPA Fiber
    AS 394868 - Wilkes-Barre, PA
    █ Fiber Internet, Dedicated Servers, Colocation, Cloud
    100% Uptime SLA - 24/7/365 Support

  7. #7
    Crashes and reboots would be logged in /var/log/messages if there is any information (which there very well may not be). Look for the syslog restart and go backwards from there.
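
The approach from post #7, as an added example that is not part of the original thread: find each syslog start marker in `/var/log/messages`, walk backwards from it, and judge whether the lines before the boot show an orderly shutdown, a kernel fault, or nothing at all. The sample log is constructed, and the rsyslog 5.x marker strings, the hostname and the default year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in CentOS 6 /var/log/messages format (not from the thread).
SAMPLE = """\
Jan  3 09:10:01 host1 CROND[2211]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan  3 09:20:01 host1 CROND[2240]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan  3 13:02:47 host1 kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jan  3 13:02:47 host1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1201" x-info="http://www.rsyslog.com"] start
Jan  3 13:02:47 host1 kernel: Initializing cgroup subsys cpuset
"""

START = re.compile(r"rsyslogd: .*\] start\s*$")
CLEAN = re.compile(r"exiting on signal 15|shutting down for system (reboot|halt)"
                   r"|Kernel logging \(proc\) stopped")
FAULT = re.compile(r"Kernel panic|Oops:|BUG:|Machine Check|Out of memory", re.I)

def parse_ts(line, year):
    # Syslog timestamps carry no year, so the caller supplies it.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_restarts(text, year=2014, context=5):
    """Return one report per syslog start marker, judged from the lines before it."""
    lines = [l for l in text.splitlines() if l.strip()]
    reports = []
    for i, line in enumerate(lines):
        if not START.search(line):
            continue
        # Walk backwards from the marker, skipping the kernel-log start line
        # that belongs to the same boot.
        before = [l for l in lines[:i] if "imklog" not in l][-context:]
        if not before:
            continue  # log begins with this boot; nothing to go back to
        if any(CLEAN.search(l) for l in before):
            verdict = "clean shutdown or service restart"
        elif any(FAULT.search(l) for l in before):
            verdict = "kernel fault logged before restart"
        else:
            verdict = "no trace: power loss, hard reset or out-of-band reset"
        gap = parse_ts(line, year) - parse_ts(before[-1], year)
        reports.append({"boot": line[:15], "last_seen": before[-1][:15],
                        "silent_seconds": int(gap.total_seconds()),
                        "verdict": verdict})
    return reports

if __name__ == "__main__":
    for r in find_restarts(SAMPLE):
        print(r)
```

A "no trace" verdict only says the operating system never saw the shutdown coming; it cannot separate a power event from a reset issued through the BMC, so it should be read alongside the IPMI event log and the facility's power records.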

  8. #8
    I'm having my host set up my IPMI connection so it's out of band; however, there are no logs that it was compromised. I checked the logs on the machine and there was nothing that raised any red flags. There was nothing logged several hours prior to the startup taking place and everything before it seems fairly normal. Thank you for your responses.

  9. #9
    Could have been a power blip. IPMI, at least not until very recently (and when specifically enabled), doesn't log power failures.
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  10. #10
    Originally posted by murphyslaw4267:
    I'm having my host set up my IPMI connection so it's out of band; however, there are no logs that it was compromised. I checked the logs on the machine and there was nothing that raised any red flags. There was nothing logged several hours prior to the startup taking place and everything before it seems fairly normal. Thank you for your responses.
    IPMI being compromised leaves no logs that I'm aware of. Some of the simpler exploits simply allow you to connect with no password without doing anything fancy. Some of the other exploits take advantage of buffer overflows. In either case, it would be trivial to run a port scanner that just attempted to reboot every Supermicro IPMI on the public internet, and it would be successful I might add.