We recently had a customer complain about extremely high CPU usage on one of their HP servers.
On investigation we found this was caused by a file named _-minerd: a piece of malware dropped on the server that reports back to a Chinese IP address, and which has been seen in an outbreak across Linux servers over the last few days. Both the file and the running process hide themselves from view, so a plain `ls` or `ps` will not show them.
The attack vector is a vulnerability in IPMI, the management protocol used by Dell's iDRAC and HP's iLO. Any iDRAC or iLO interface reachable on a public-facing IPv4 address is vulnerable.
While we use iLO as well, we keep it reachable only from an internal network, so our own servers were safe. We would urge anyone running iLO or iDRAC on a public network to move them to an internal-only network, update to the latest firmware and check for this infection as a matter of urgency!
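Because the miner hides its process from `ps`, one way to check a suspect server is to walk `/proc` directly and compare that list with what `ps` reports. The script below is an added example, not part of the original post or of any vendor tool; it assumes a Linux host with `/proc`, and the `*minerd*` name match is only an assumption based on the file name mentioned above.

```shell
#!/bin/sh
# Added example: detect processes present in /proc but missing from ps output,
# the classic symptom of a process-hiding rootkit such as the one described above.

# Print the PIDs that appear in the first list but not in the second.
# Both arguments are whitespace-separated PID lists, so the same logic can be
# exercised on constructed input as well as on live data.
hidden_pids() {
  proc_list=$1
  ps_list=$2
  for pid in $proc_list; do
    found=0
    for seen in $ps_list; do
      if [ "$pid" = "$seen" ]; then found=1; break; fi
    done
    if [ "$found" -eq 0 ]; then printf '%s\n' "$pid"; fi
  done
}

# PIDs gathered by reading /proc directly, bypassing any hooked userland tools.
proc_pids() {
  for d in /proc/[0-9]*; do
    printf '%s ' "${d#/proc/}"
  done
}

# PIDs as reported by ps, which a rootkit may have tampered with.
ps_pids() {
  ps -eo pid= | tr -s ' \n' '  '
}

# Report every hidden PID with its command name; flag anything that looks like
# the miner (assumed name pattern). Short-lived processes that exit between the
# two snapshots will show up as false positives, so run this twice and compare.
report_hidden() {
  for pid in $(hidden_pids "$(proc_pids)" "$(ps_pids)"); do
    name=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
    case "$name" in
      *minerd*) echo "HIDDEN MINER pid=$pid comm=$name" ;;
      *)        echo "hidden pid=$pid comm=$name" ;;
    esac
  done
}

if [ "${1:-}" = "--run" ]; then report_hidden; fi
```

Run it as root with `--run`; any PID that only shows up via `/proc` deserves a closer look, as does any process name matching the miner.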