Established Member
Posts: 1,276
Registered: ‎09-03-2013
Kudos: 346
Solutions: 41

Re: Virus attack - URGENT @UBNT


@mseeEngineer wrote:
can I turn ssh port 22 off so they can not enter via ssh

/Flemming

 

Know that AirControl2 will not work if you turn off SSH

It requires SSH port 22 


 

You can use alternative ports for Aircontrol

Deleted Account
Posts: 0

Re: Virus attack - URGENT @UBNT

Where is the setting ?

SuperUser
Posts: 4,676
Registered: ‎12-16-2008
Kudos: 1948
Solutions: 398

Re: Virus attack - URGENT @UBNT

Look at: Control Panel -> Monitoring Settings


Show your appreciation to those who helped you with a Kudo

If a fellow member's post helped you solve the problem, mark/accept it as the solution.
New Member
Posts: 7
Registered: ‎04-12-2014
Kudos: 7

Re: Virus attack - URGENT @UBNT


@Djursland01 wrote:

can I turn ssh port 22 off so they can not enter via ssh

 

we run with 5.6.4 on all devices but can they do something about the version

 

and what is it exactly the virus does beyond changing Password

 

/Flemming


As far as we know: http and https ports are used.

We did not find anything about a ssh-port in the mf.tar

Emerging Member
Posts: 62
Registered: ‎07-19-2013
Kudos: 1

Re: Virus attack - URGENT @UBNT

Excuse the ignorance, but knowing that running the cleanup script and updating the problem disappears. Why not develop a UBNT firmware to do this step automatically. Given that there is no certainty since version has the problem, we know that this would be a large-scale solution and fast. And please avoid the stupid fights fanboys who is the problem, if ubnt or infected networks. In these cases, the important thing is to help. There is responsibility on both sides, customers and ubnt.

Regular Member
Posts: 513
Registered: ‎03-12-2013
Kudos: 62
Solutions: 10

Re: Virus attack - URGENT @UBNT

I do not use aircon control but local AIR CRM on my own server

and I do not care monitoring tool if it can help me to turn port 22 from

 

/Flemming

Established Member
Posts: 1,276
Registered: ‎09-03-2013
Kudos: 346
Solutions: 41

Re: Virus attack - URGENT @UBNT


@mseeEngineer wrote:

Where is the setting ?


 

Not sure, every time I add a radio I just key in the non standard SSH port.

 

I also have my https port set to a non-standard port.  Both the SSH and HTTPS are blocked at our firewall.  

 

Still..I guess if one UBNT device on my network gets "infected" then I'm still screwed.

 

Ubiquiti --- could you give a little more info about the exploit and how it spreads?  

Established Member
Posts: 1,726
Registered: ‎05-20-2008
Kudos: 482
Solutions: 6

Re: Virus attack - URGENT @UBNT

You need to tick the Client Isolation tick box on the advanced page on the AP side too, so stations on the same AP don't connect to each other directly over the AP.

Established Member
Posts: 2,576
Registered: ‎06-04-2008
Kudos: 603
Solutions: 6

Re: Virus attack - URGENT @UBNT


@SuperSebaS55 wrote:

Excuse the ignorance, but knowing that running the cleanup script and updating the problem disappears. Why not develop a UBNT firmware to do this step automatically. Given that there is no certainty since version has the problem, we know that this would be a large-scale solution and fast. And please avoid the stupid fights fanboys who is the problem, if ubnt or infected networks. In these cases, the important thing is to help. There is responsibility on both sides, customers and ubnt.


In this situation, I must admit the fanboys are more on-track than the masses...  and the world knows what I think of fanboys.

If that can be done...  it's a good way to force an upgrade...   just make 5.6.4.5 the same thing as 5.6.4, but add the cleanup routine. Not only do people get rid of their infection, but it also forces people to upgrade to current regulatory restrictions.

Established Member
Posts: 1,015
Registered: ‎10-24-2009
Kudos: 85
Solutions: 1

Re: Virus attack - URGENT @UBNT


@mhammett wrote:

@SuperSebaS55 wrote:

Excuse the ignorance, but knowing that running the cleanup script and updating the problem disappears. Why not develop a UBNT firmware to do this step automatically. Given that there is no certainty since version has the problem, we know that this would be a large-scale solution and fast. And please avoid the stupid fights fanboys who is the problem, if ubnt or infected networks. In these cases, the important thing is to help. There is responsibility on both sides, customers and ubnt.


In this situation, I must admit the fanboys are more on-track than the masses...  and the world knows what I think of fanboys.

If that can be done...  it's a good way to force an upgrade...   just make 5.6.4.5 the same thing as 5.6.4, but add the cleanup routine. Not only do people get rid of their infection, but it also forces people to upgrade to current regulatory restrictions.


And this way we can do it with Aircontrol2 as well.

If it still had the command function (which if it does I can't find it) I would be done with this by now :(

Yep, that can happen
www.wirelessdatanet.net
Established Member
Posts: 1,418
Registered: ‎10-15-2015
Kudos: 455
Solutions: 68

Re: Virus attack - URGENT @UBNT

You could easily automate the cleanup with Ansible.
Someone else already posted instructions in this thread http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/m-p/1563774#M55087

Take care with the spelling, I notice he misspelled a couple words.
Established Member
Posts: 1,420
Registered: ‎05-18-2011
Kudos: 516
Solutions: 110
Contributions: 2

Re: Virus attack - URGENT @UBNT

@justinhayes if you tell me which words those are, I can fix it ;)
Established Member
Posts: 1,418
Registered: ‎10-15-2015
Kudos: 455
Solutions: 68

Re: Virus attack - URGENT @UBNT


@sabueso wrote:

If somebody here needs a solution to clean an entire radio network infected with this exploit, Ansible can be your friend to automate the entire work.

 

ubiquiti_clean.yml

 

---
- name: Clean Ubiquiti Network
  hosts: ubiquitinerwork

 


 

Established Member
Posts: 1,420
Registered: ‎05-18-2011
Kudos: 516
Solutions: 110
Contributions: 2

Re: Virus attack - URGENT @UBNT


@justinhayes Fixed, thanks.

Member
Posts: 230
Registered: ‎07-06-2012
Kudos: 69
Solutions: 5

Re: Virus attack - URGENT @UBNT

When checking an infected antenna via ssh what are we looking for?

 

While in SSH if I type "ls" all bad indicators should be there?

New Member
Posts: 3
Registered: ‎05-15-2014

Re: Virus attack - URGENT @UBNT

Hi, our network was infected today by Custom Scripts Enabled. Just one antenna is infected, and all that are connected to the switch reboot to factory settings. We repaired the entire network today from the beginning. After 10 hours, everything from the beginning. Help us! How do we cure these antennas? Do we have to install AirControl? Can anyone help us via VNC?

 

 

 

Rockets Titanium, all firmwares, the newest and the oldest

Fiber 24 v.2.2

Beams, all firmwares, the newest and the oldest

Bridges, all firmwares, the newest and the oldest

Bullets, all firmwares, the newest and the oldest

 

We set the network from the beginning. I destroyed it again

Emerging Member
Posts: 72
Registered: ‎04-27-2008
Kudos: 6

Re: Virus attack - URGENT @UBNT

What if I upgrade to 5.6.4 and system does not sign custom script?

 

We did upgrade and restored config from our crm system's backup.

Will it clear config again or not?

Experts, pls reply!

Established Member
Posts: 1,420
Registered: ‎05-18-2011
Kudos: 516
Solutions: 110
Contributions: 2

Re: Virus attack - URGENT @UBNT

@WiFiWizard if you connect via SSH into the device and run "ps" as an admin/root, something like this must be shown:

ps.jpg

Member
Posts: 230
Registered: ‎07-06-2012
Kudos: 69
Solutions: 5

Re: Virus attack - URGENT @UBNT


@sabueso wrote:

@WiFiWizard if you connect via SSH into the device and run "ps" as an admin/root, something like this must be shown:

ps.jpg


So when you "ls" on the antenna and see "rc.poststart" and "mcuser", are those both the bad files?

 

screen.jpg

Established Member
Posts: 1,420
Registered: ‎05-18-2011
Kudos: 516
Solutions: 110
Contributions: 2

Re: Virus attack - URGENT @UBNT


@WiFiWizard mf.tar is the exploit source... so you must be exploited :-(
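
The check discussed in the last few posts, as an added example that is not part of the thread or any poster's code: it triages `ls` output captured from a radio against the file names mentioned above. The verdict labels, the hypothetical host names and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: triage `ls` output captured from a radio.
# File names come from the posts above; the sample listings are constructed.

CONFIRMED="mf.tar"              # called "the exploit source" in the thread
SUSPECT="rc.poststart mcuser"   # asked about in the thread, not confirmed there

# matches LISTING NAME... -> prints the names that occur as whole tokens
matches() {
    listing=$1; shift
    found=""
    for name in "$@"; do
        if printf '%s\n' "$listing" | grep -qxF -- "$name"; then
            found="${found:+$found }$name"
        fi
    done
    printf '%s' "$found"
}

# triage_listing: reads a listing on stdin, prints one verdict line.
triage_listing() {
    # Split on blanks so both `ls` (columns) and `ls -1` output work.
    tokens=$(tr -s ' \t' '\n\n')
    hit=$(matches "$tokens" $CONFIRMED)
    maybe=$(matches "$tokens" $SUSPECT)
    if [ -n "$hit" ]; then
        echo "INFECTED: $hit${maybe:+ (also present: $maybe)}"
    elif [ -n "$maybe" ]; then
        echo "REVIEW: $maybe"
    else
        echo "CLEAN"
    fi
}

# Constructed sample listings, one per hypothetical host.
printf 'radio-a: '; printf 'mcuser  mf.tar  rc.poststart\n' | triage_listing
printf 'radio-b: '; printf 'rc.poststart\n' | triage_listing
printf 'radio-c: '; printf 'cfg\nlog\n' | triage_listing
```

REVIEW means a name from the thread is present without the confirmed one; inspect that file's contents before deciding.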
