Regular Member
Posts: 351
Registered: 02-16-2016
Kudos: 128
Solutions: 8

Nanostation 5 Malware?

It looks like two of my nanostations may well have fallen for some kind of malware (both in the same subnet, connected to each other).

I can ping them, I can query them with SNMP, and they pass traffic, but I can't log into them on normal ports for http/https/ssh. Unfortunately, I don't recall what software version they were on last time I could access them.

I eventually resorted to running some port scans of one of them; this looks a little odd (see attached NMAP xml saves).

In particular, it seems to be running SSH on a non-standard port (9132), and there seem to be services running on UDP that I wouldn't necessarily expect:

443/udp open|filtered https
684/udp open|filtered corba-iiop-ssl
776/udp open|filtered wpages
1030/udp open|filtered iad1
1050/udp open|filtered cma
9000/udp open|filtered cslistener
18821/udp open|filtered unknown
20518/udp open|filtered unknown
49170/udp open|filtered unknown
49176/udp open|filtered unknown
49184/udp open|filtered unknown
50099/udp open|filtered unknown

Irritatingly, they're in very inaccessible locations.
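To turn a scan save like the one described above into a triage list, here is an added example (my own code, not from the thread or from Ubiquiti): it parses nmap's XML output with the Python standard library, compares the reported ports against an assumed baseline of what an airOS radio normally exposes, and keeps UDP open|filtered results separate, because nmap reports that state when it received no reply at all rather than a confirmed listener. The sample XML and the baseline set are constructed assumptions, not vendor data.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML format, modelled on the ports the post lists
# (SSH on 9132, UDP open|filtered entries). Not a real scan save from the thread.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="9132"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
      <port protocol="udp" portid="443"><state state="open|filtered"/><service name="https"/></port>
      <port protocol="udp" portid="9000"><state state="open|filtered"/><service name="cslistener"/></port>
    </ports>
  </host>
</nmaprun>"""

# Assumed baseline of what a healthy airOS radio should expose (an assumption for
# this example, not vendor documentation): management on 22/80/443 TCP, SNMP on 161 UDP.
EXPECTED = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 161)}

def parse_ports(xml_text):
    """Return a list of (proto, port, state, service) tuples from an nmap XML save."""
    root = ET.fromstring(xml_text)
    found = []
    for port in root.iter("port"):
        proto = port.get("protocol")
        portid = int(port.get("portid"))
        state = port.find("state").get("state")
        svc = port.find("service")
        name = svc.get("name") if svc is not None else "unknown"
        found.append((proto, portid, state, name))
    return found

def find_anomalies(ports, expected=EXPECTED):
    """Flag listeners the baseline does not explain, plus expected services that are not open."""
    findings = []
    open_ports = {(p, n) for p, n, s, _ in ports if s == "open"}
    for proto, portid, state, name in ports:
        if (proto, portid) in expected:
            continue
        if state == "open":
            findings.append(f"unexpected {name} on {portid}/{proto}")
        elif state == "open|filtered":  # no reply at all: unconfirmed, verify with a version probe (-sV)
            findings.append(f"unconfirmed {name} on {portid}/{proto} (open|filtered)")
    for proto, portid in sorted(expected - open_ports):
        findings.append(f"expected {portid}/{proto} not open")
    return findings
```

The "expected ... not open" lines capture the symptom in the post (management ports unreachable while SNMP still answers), which is as useful a signal as the unexpected listener.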

SuperUser
Posts: 11,976
Registered: 06-18-2010
Kudos: 3421
Solutions: 1209

Re: Nanostation 5 Malware?

Nanostation 5, or M5? If it's 5, you need to be on firmware 4.0.4

If it's M5, you need firmware 5.6.2 or later. See here:

http://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/b...
Occam was Right; more than two blades is just silly
Regular Member
Posts: 351
Registered: 02-16-2016
Kudos: 128
Solutions: 8

Re: Nanostation 5 Malware?

[ Edited ]

Thanks, flipper - I strongly suspect I'm going to be climbing on some roofs soon for some factory reset action...!

It's a shame the malware script doesn't offer to "brute force" through known malware login credential variants. Helpfully, none of the ones I'm aware of worked, nor did our original logins. :/
