New Member
Posts: 25
Registered: ‎05-03-2016
Kudos: 7

Re: Possible new malware

@promelas

Access the equipment via SSH, type ls to display the files, and if the file rc.prestart exists, type:

rm -rf /etc/persistent/rc.prestart; cfgmtd -w -p /etc; reboot;

Wait for the equipment to reboot, upgrade to 5.6.4 and change the password.

Member
Posts: 162
Registered: ‎10-30-2013
Kudos: 102
Solutions: 2

Re: Possible new malware

Thank you!

Ubiquiti Employee
Posts: 484
Registered: ‎08-28-2007
Kudos: 82
Solutions: 8

Re: Possible new malware

Also make sure there are no unknown users or SSH keys in system.cfg:

grep -E "users|sshd.auth.key" /tmp/system.cfg

It is also recommended to remove all custom scripts if you are not using them:

rm -fr /etc/persistent/rc.* /etc/persistent/profile

Then

cfgmtd -w -p /etc/; reboot -f

If you also are not using SSH key authentication then it is recommended to clean persistent:

cfgmtd -w; reboot -f

Ubiquiti Networks, Inc.
System programmer
New Member
Posts: 25
Registered: ‎05-03-2016
Kudos: 7

Re: Possible new malware

@UBNT-keba

I will rephrase here after cleaning all infected devices; luckily I made a list of all of them.

Thanks for the help.

Member
Posts: 210
Registered: ‎07-06-2012
Kudos: 16

Re: Possible new malware

OK, so we are now seeing these lines:

dropbear_dss_host_key mf.tar
dropbear_rsa_host_key rc.poststart

I tried "rm -rf /etc/persistent/rc.poststart; cfgmtd -w -p /etc; reboot;"

but it comes up "segmentation fault" and does not stop the script.

Any ideas to stop the script?


Member
Posts: 210
Registered: ‎07-06-2012
Kudos: 16

Re: Possible new malware

So when we see these lines

cardlist.txt dropbear_rsa_host_key rc.poststart
dropbear_dss_host_key mf.tar

it does work, but not with the other.

Ubiquiti Employee
Posts: 484
Registered: ‎08-28-2007
Kudos: 82
Solutions: 8

Re: Possible new malware

Can you drop these files to support@ubnt.com with reference to keba? Thanks.

Member
Posts: 210
Registered: ‎07-06-2012
Kudos: 16

Re: Possible new malware

Not sure what files you want. Everything I have you can see in this post.

New Member
Posts: 25
Registered: ‎05-03-2016
Kudos: 7

Re: Possible new malware

The malware received an update, at least that's what it looks like, and the commands no longer work: the device restarts and is infected again.

Ubiquiti Employee
Posts: 11,442
Registered: ‎11-27-2012
Kudos: 3621
Solutions: 747
Contributions: 73

Re: Possible new malware


@rocket_man wrote:

The malware received an update, at least that's what it looks like, and the commands no longer work: the device restarts and is infected again.


Were these devices already cleaned?

What firmware are they on?

Are you able to access via SSH?

Ubiquiti Networks airMAX Support Team

Check out our ever-evolving Help Center for answers to many common questions!

FREE UBWA Student Guide-Great RF Primer!

New Member
Posts: 25
Registered: ‎05-03-2016
Kudos: 7

Re: Possible new malware

@UBNT-James

I can't clean, commands no longer work.

Versions 5.5.10, 5.5.6, 5.3.5, etc.

Yes, I can.

In /var/etc/persistent there are the following files: cardlist.txt, dropbear_rsa_host_key, poststart, dropbear_dss_host_key, mf.tar

Ubiquiti Employee
Posts: 11,442
Registered: ‎11-27-2012
Kudos: 3621
Solutions: 747
Contributions: 73

Re: Possible new malware

@rocket_man Sending PM.

New Member
Posts: 25
Registered: ‎05-03-2016
Kudos: 7

Re: Possible new malware

@UBNT-James

Thanks for the help.

I'm removing the malware from the equipment with the following commands:

grep -E "users|sshd.auth.key" /tmp/system.cfg
rm -fr /etc/persistent/rc.* /etc/persistent/profile
rm -rf /etc/persistent/rc.poststart; rm -rf mf.tar; cfgmtd -w -p /etc; reboot -f;

Update and change the password.
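The checks in this thread (keba's grep of system.cfg for unknown users and SSH keys, and the /etc/persistent listings rocket_man posted) can be turned into a small audit you run against copies pulled off a unit with scp before deciding whether to wipe persistent storage. The script below is an added example, not a command posted by Ubiquiti or any participant. It assumes the system.cfg key names "users.N.name=" and "sshd.auth.key.N.value=" (the names the thread's grep pattern targets) and assumes a unit without custom scripts keeps only the two dropbear host keys in /etc/persistent; the sample files it builds are constructed, not captured from a real device. Adjust both assumptions to what your own clean units show.

```shell
#!/bin/sh
# Added example for the thread above; not a command from Ubiquiti or the posters.
# Two defender-side checks: audit a copy of system.cfg against an allow-list of
# user names and flag any authorized SSH key; audit a copy of /etc/persistent
# against the files a unit is assumed to carry when no custom scripts are used.
# Assumed key names: users.N.name= and sshd.auth.key.N.value= (assumption).

# Usage: audit_cfg <copy-of-system.cfg> <expected user names...>
# Returns 0 when only expected users exist and no authorized keys are set.
audit_cfg() {
    cfg="$1"; shift
    rc=0
    for u in $(sed -n 's/^users\.[0-9]*\.name=//p' "$cfg"); do
        ok=0
        for e in "$@"; do
            [ "$u" = "$e" ] && ok=1
        done
        if [ "$ok" -eq 1 ]; then
            echo "OK   user: $u"
        else
            echo "WARN unexpected user: $u"
            rc=1
        fi
    done
    # Any authorized key is suspect on a unit that does not use key auth.
    keys=$(grep -c '^sshd\.auth\.key\.[0-9]*\.value=' "$cfg" || true)
    if [ "$keys" -gt 0 ]; then
        echo "WARN $keys ssh authorized key(s) present:"
        grep '^sshd\.auth\.key\.[0-9]*\.value=' "$cfg" | cut -c1-60
        rc=1
    else
        echo "OK   no ssh authorized keys"
    fi
    return $rc
}

# Usage: audit_persistent <directory>   (a copy of /etc/persistent)
# Returns 0 when only the assumed allow-list (dropbear host keys) is present.
audit_persistent() {
    dir="$1"
    rc=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue          # skip unmatched globs, keep dotfiles
        name=${f##*/}
        case "$name" in
            dropbear_rsa_host_key|dropbear_dss_host_key)
                echo "OK   $name" ;;
            *)
                echo "WARN unexpected persistent file: $name"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample inputs (not captured from any real unit).
write_clean_cfg() {
    cat > "$1" <<'EOF'
users.status=enabled
users.1.status=enabled
users.1.name=ubnt
users.1.password=$1$constructed$placeholder
sshd.status=enabled
sshd.auth.key.status=disabled
EOF
}
write_suspect_cfg() {
    cat > "$1" <<'EOF'
users.status=enabled
users.1.status=enabled
users.1.name=ubnt
users.1.password=$1$constructed$placeholder
users.2.status=enabled
users.2.name=unexpected1
users.2.password=$1$constructed$placeholder2
sshd.status=enabled
sshd.auth.key.1.status=enabled
sshd.auth.key.1.type=ssh-rsa
sshd.auth.key.1.value=AAAAconstructedplaceholderkeymaterial
EOF
}
# Directory mirroring the listing reported in the thread, with empty files.
make_suspect_persistent() {
    mkdir -p "$1"
    for f in cardlist.txt dropbear_rsa_host_key dropbear_dss_host_key mf.tar rc.poststart; do
        : > "$1/$f"
    done
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
write_clean_cfg "$tmp/clean.cfg"
write_suspect_cfg "$tmp/suspect.cfg"
make_suspect_persistent "$tmp/persistent"
echo "--- clean system.cfg";        audit_cfg "$tmp/clean.cfg" ubnt        || echo "=> flagged"
echo "--- suspect system.cfg";      audit_cfg "$tmp/suspect.cfg" ubnt      || echo "=> flagged"
echo "--- suspect /etc/persistent"; audit_persistent "$tmp/persistent"    || echo "=> flagged"
rm -rf "$tmp"
```

On a real unit, copy /tmp/system.cfg and the contents of /etc/persistent off the device first and run the audit on the copies; a non-zero return from either function is the signal to follow the cleanup and firmware upgrade steps above rather than just rebooting.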

Ubiquiti Employee
Posts: 11,442
Registered: ‎11-27-2012
Kudos: 3621
Solutions: 747
Contributions: 73

Re: Possible new malware

@rocket_man wrote:

@UBNT-James

Thanks for the help.

I'm removing the malware from the equipment with the following commands:

grep -E "users|sshd.auth.key" /tmp/system.cfg
rm -fr /etc/persistent/rc.* /etc/persistent/profile
rm -rf /etc/persistent/rc.poststart; rm -rf mf.tar; cfgmtd -w -p /etc; reboot -f;

Update and change the password.


Could you grab mf.tar and /tmp/system.cfg from an infected unit and forward to me? (james@ubnt.com)

@rocket_man


New Member
Posts: 6
Registered: ‎10-24-2013

Re: Possible new malware

We are having the same issue as of today.
Units with this issue are on 5.5.10 firmware. Web interfaces on units are only accessible via HTTPS:// and we are not able to upgrade unit firmware.
Custom Scripts are enabled on the Main tab.
How do we remove / fix?

Ubiquiti Employee
Posts: 11,442
Registered: ‎11-27-2012
Kudos: 3621
Solutions: 747
Contributions: 73

Re: Possible new malware

@rocket_man posted steps that are working for him HERE.

New Member
Posts: 3
Registered: ‎05-02-2015

Re: Possible new malware

@UBNT-James Friend, in this case which procedure does Ubiquiti strongly recommend? Have you discovered where the vulnerability is as well?

Established Member
Posts: 2,553
Registered: ‎06-04-2008
Kudos: 595
Solutions: 6
New Member
Posts: 25
Registered: ‎05-03-2016
Kudos: 7

Re: Possible new malware

Has someone taken over the authorship of this worm?
