New Member
Posts: 11
Registered: ‎03-10-2009

Re: Virus attack - URGENT @UBNT

James
What is the right way for virus removal?
The file MCUSER: should it be removed also?

Established Member
Posts: 1,137
Registered: ‎08-20-2012
Kudos: 519
Solutions: 13

Re: Virus attack - URGENT @UBNT

One popular device that uses AirMax is the AirRouter. I sell a lot of them and I know that other stores in my area must do the same, since one of the local ISPs on the city fiber network has contacted me regarding AirRouters that have been hijacked and are doing bad things on the net.

Since they have the default user and password right out of the box and almost EVERY (sorry for the caps) average person that buys them never logs into them but uses the default login, I have as a routine to ask the customer what SSID/password they would like to have, and I also upgrade the FW and then I check the block remote management button, which should be checked by default on at least this router!!

I'm sorry for the bad language here but I have begged for this many times: since the AirMax units will always be configured by an installer if they will be used in a pair (AP-ST), or by "not an average person", there should be a second checkmark on the first page, beside the country selection and the accept one, where the installer could SELECT to have remote management allowed.

Please! Fix this! Ubiquiti will get a bad reputation from this, and I really like the AirRouter, not for the 1x1 MIMO or the 100 Mbit/s ports (a little irony; they are old but they work, and not every application needs fast AC) but for the low-priced, versatile unit it is, which can be replaced in an instant, as it can be bridged, station/AP and so on by default without any hacks, and then the VLAN and firewall settings that it has. To be honest I'm a little afraid that it will be abandoned further on and I don't really know what to use instead.

So please fix this setting so that they have remote management blocked by default instead.

New Member
Posts: 6
Registered: ‎11-19-2014

Re: Virus attack - URGENT @UBNT

Hi, I am from Brazil, and I have the same problem here. This problem started today at 9:00 AM; the infected CPEs have AirOS versions 5.5 to 5.5.10. Need help! Sorry for my bad English.

New Member
Posts: 1
Registered: ‎05-13-2016
Kudos: 1

Re: Virus attack - URGENT @UBNT

Good evening amx,

We are a WISP from the south of Spain and we have the same problem.

We have a considerable number of Ubiquiti CPEs, and we would like to contact you directly to see if we can help each other.

Let me know if this is possible.

Thanks.

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

hello...I just sent you a private message....

New Member
Posts: 26
Registered: ‎08-13-2008
Kudos: 1

Re: Virus attack - URGENT @UBNT

I have just got hit this morning also. Here I tried the given script to remove it:

cd /etc/persistant
rm mf.tar
rm -R .mf
cfgmtd -w -p /etc/
killall -9 search; killall -9 mother; killall -9 sleep;
reboot

I get the following:

-sh: cd: can't cd to /etc/persistant

So I run it manually by doing "cd /etc/peristant" using the tab key to auto finish and run the rest of the script. This seems to run. But after rebooting nothing is removed.

Anyone got a good script on the "mf" problem?

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

persistent with E, not with A

New Member
Posts: 26
Registered: ‎08-13-2008
Kudos: 1

Re: Virus attack - URGENT @UBNT

With an E?  Good lord!!  I've been on this problem too long today.   Thanks for the heads up.
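
The removal steps posted above with the directory spelled /etc/persistent, as corrected in the reply; this is an added example, not part of the original thread and not Ubiquiti's own script. It refuses to continue when the directory does not exist and confirms the files are gone before saving, which is where the posted run went wrong; the function names and the `run` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example. File and process names come from the script posted in the thread.
MF_FILES="mf.tar .mf"
MF_PROCS="search mother sleep"

# mf_find DIR: print each artifact present in DIR.
# Returns 0 if any were found, 1 if none, 2 if DIR does not exist.
mf_find() {
    dir=$1
    rc=1
    if [ ! -d "$dir" ]; then
        echo "error: $dir is not a directory (check the spelling)" >&2
        return 2
    fi
    for f in $MF_FILES; do
        if [ -e "$dir/$f" ]; then
            echo "$dir/$f"
            rc=0
        fi
    done
    return $rc
}

# mf_clean DIR: remove the artifacts, then confirm they are really gone.
# Anything else in DIR (for example mcuser) is left alone.
mf_clean() {
    dir=$1
    [ -d "$dir" ] || return 2
    for f in $MF_FILES; do
        rm -rf "$dir/$f"
    done
    if mf_find "$dir" >/dev/null; then
        return 1    # something survived the rm
    fi
    return 0
}

# Device-side use: sh mf_clean.sh run [DIR]
# Processes are killed first (this example's ordering, not the posted one).
if [ "${1:-}" = "run" ]; then
    target=${2:-/etc/persistent}
    if mf_find "$target"; then
        for p in $MF_PROCS; do killall -9 "$p" 2>/dev/null; done
        mf_clean "$target" || { echo "removal failed, not saving" >&2; exit 1; }
        cfgmtd -w -p /etc/ && reboot    # save and reboot, as in the posted script
    else
        echo "nothing removed from $target"
    fi
fi
```

Sourced without arguments the script only defines the functions, so `mf_find` can be pointed at a copy of the directory to see what it would remove.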

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

no prob...take an hour to sleep a bit...we're all tired of this sh... ;-) I'm just here for 8 hours now taking control of this stupidness

Ubiquiti Employee
Posts: 9,041
Registered: ‎11-27-2012
Kudos: 2573
Solutions: 576
Contributions: 73

Re: Virus attack - URGENT @UBNT


jhonnyp wrote:

James
What is the right way for virus removal?
The file MCUSER: should it be removed also?


mcuser should be OK if you have managed this device with airControl2.

Ubiquiti Networks airMAX Support Team

Check out our ever-evolving Help Center for answers to many common questions!

Ubiquiti Employee
Posts: 9,041
Registered: ‎11-27-2012
Kudos: 2573
Solutions: 576
Contributions: 73

Re: Virus attack - URGENT @UBNT

If you are having trouble removing malicious scripts or accessing infected devices, please feel free to email me directly and I will take a look (james@ubnt.com).

Member
Posts: 207
Registered: ‎07-06-2012
Kudos: 15

Re: Virus attack - URGENT @UBNT

How do I even get access to the cpe to enter the code?

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

ssh USERNAME@IP_ADDR

Member
Posts: 207
Registered: ‎07-06-2012
Kudos: 15

Re: Virus attack - URGENT @UBNT

Right, I understand how to SSH into the CPE; it was just the user and pass that I had not gleaned from your earlier posts.

SuperUser
Posts: 21,696
Registered: ‎11-20-2011
Kudos: 7787
Solutions: 233

Re: Virus attack - URGENT @UBNT

amx wrote:

Hi James.

Thanks for the information.

Ahm...just for my info: we're one of the largest WISPs in Spain and we didn't receive any Vulnerability Warning?

Neither in a direct way nor via our Wholesale Partner Landatel!?

You will pay the costs for cleaning up all customers' CPEs affected by this and other issues provoked by UBNT-Software failure?

Thanks in advance for your feedback!


Actually there ARE notices about fixing security vulnerabilities in the release notes for firmware. You should pay more attention to those @amx

You also should NOT be exposing direct access to the CPE from the WAN. That access should be on a VLAN using RFC1918 space with ACLs to prevent internet access to/from there.



isp builder | linux sorcerer | datacenter automation conjurer | blog: blog.engineered.online
link to our slack channel on the blog

Ancient Member
Posts: 28,776
Registered: ‎05-05-2012
Kudos: 9077
Solutions: 1389

Re: Virus attack - URGENT @UBNT


esseph wrote:

amx wrote:

Ahm...just for my info: we're one of the largest WISPs in Spain and we didn't receive any Vulnerability Warning?


Actually there ARE notices about fixing security vulnerabilities in the release notes for firmware.


You should also subscribe to the updates blog.

http://community.ubnt.com/t5/airMAX-Updates-Blog/bg-p/Blog_airMAX

Emerging Member
Posts: 49
Registered: ‎10-07-2013
Kudos: 33

Re: Virus attack - URGENT @UBNT

thanks, but there are no vulnerability notifications on this updates blog

SuperUser
Posts: 16,264
Registered: ‎06-23-2010
Kudos: 5134
Solutions: 76

Re: Virus attack - URGENT @UBNT

What are the symptoms of this virus?

New Member
Posts: 21
Registered: ‎04-17-2012
Kudos: 6

Re: Virus attack - URGENT @UBNT

you will no longer have access to the CPE for starters.
