08-17-2016 07:37 AM
It looks like two of my nanostations may well have fallen for some kind of malware (both in the same subnet, connected to each other).
I can ping them, I can query them with SNMP, and they pass traffic, but I can't log into them on normal ports for http/https/ssh. Unfortunately, I don't recall what software version they were on last time I could access them.
I eventually resorted to running some port scans of one of them; this looks a little odd (see attached NMAP xml saves).
In particular, it seems to be running SSH on a non-standard port (9132), and there seem to be services running on UDP that I wouldn't necessarily expect:
443/udp open|filtered https
684/udp open|filtered corba-iiop-ssl
776/udp open|filtered wpages
1030/udp open|filtered iad1
1050/udp open|filtered cma
9000/udp open|filtered cslistener
18821/udp open|filtered unknown
20518/udp open|filtered unknown
49170/udp open|filtered unknown
49176/udp open|filtered unknown
49184/udp open|filtered unknown
50099/udp open|filtered unknown
Irritatingly, they're in very inaccessible locations.
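A small triage script for the kind of `-oX` save mentioned above, added here as an example; it is not code from the thread or from Ubiquiti. The XML is a constructed sample shaped like an nmap save and modelled on the post (host address, port mix and the tcp/9132 SSH listener are assumptions). It separates what nmap actually confirmed from what it only guessed: `open|filtered` on UDP means nmap got no reply at all (a silent listener or a firewall drop), and a service name with `method="table"` is just the nmap-services name for that port number, so "443/udp https" is not evidence of an HTTPS listener.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an `nmap -oX` save. Not the poster's
# attachment; address and ports are assumptions modelled on the post.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/><service name="ssh" method="table"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http" method="table"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https" method="table"/></port>
      <port protocol="tcp" portid="9132"><state state="open" reason="syn-ack"/><service name="ssh" method="probed"/></port>
      <port protocol="udp" portid="161"><state state="open" reason="udp-response"/><service name="snmp" method="probed"/></port>
      <port protocol="udp" portid="443"><state state="open|filtered" reason="no-response"/><service name="https" method="table"/></port>
      <port protocol="udp" portid="9000"><state state="open|filtered" reason="no-response"/><service name="cslistener" method="table"/></port>
      <port protocol="udp" portid="18821"><state state="open|filtered" reason="no-response"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Where these services normally live; a confirmed listener elsewhere is worth a look.
EXPECTED_TCP_PORT = {"ssh": 22, "http": 80, "https": 443}


def parse_nmap_xml(xml_text):
    """Flatten an nmap XML save into one dict per (host, protocol, port)."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            rows.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else "unknown",
                # "probed": nmap actually talked to the service (-sV).
                # "table": only the nmap-services name for that port number.
                "probed": svc is not None and svc.get("method") == "probed",
            })
    return rows


def triage(rows):
    """Split rows into confirmed findings and unconfirmed notes (two lists of strings)."""
    confirmed, unconfirmed = [], []
    for r in rows:
        tag = f"{r['host']} {r['proto']}/{r['port']}"
        if r["proto"] == "tcp":
            expected = EXPECTED_TCP_PORT.get(r["service"])
            if r["state"] == "open" and r["probed"] and expected and expected != r["port"]:
                confirmed.append(f"{tag}: {r['service']} confirmed on a non-standard port (expected {expected})")
            elif r["state"] == "closed" and r["port"] in EXPECTED_TCP_PORT.values():
                # A RST back means the box is reachable but nothing listens there.
                confirmed.append(f"{tag}: management port {r['service']} is closed (reason: {r['reason']})")
        elif r["proto"] == "udp":
            if r["state"] == "open|filtered":
                # No reply at all: could be a silent listener or a dropped probe.
                unconfirmed.append(f"{tag}: no response ({r['service']} is only a table name), not proof of a listener")
            elif r["state"] == "open" and r["probed"]:
                confirmed.append(f"{tag}: {r['service']} answered a probe")
    return confirmed, unconfirmed


if __name__ == "__main__":
    confirmed, unconfirmed = triage(parse_nmap_xml(SAMPLE_NMAP_XML))
    print("Confirmed:")
    for line in confirmed:
        print("  " + line)
    print("Unconfirmed (no response):")
    for line in unconfirmed:
        print("  " + line)
```

To run it against a real save, replace `SAMPLE_NMAP_XML` with the contents of the `-oX` file. For the UDP ports, a follow-up `nmap -sU -sV -p <ports>` with version probes (or a targeted probe from `netcat`) is what turns `open|filtered` into a confirmed answer or a confirmed silence.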
08-17-2016 08:33 AM
If it's M5, you need firmware 5.6.2 or later. See here:
08-17-2016 08:59 AM - edited 08-17-2016 09:01 AM
Thanks, flipper - I strongly suspect I'm going to be climbing on some roofs soon for some factory reset action...!
It's a shame the malware script doesn't offer to "brute force" through known malware login credential variants. Helpfully, none of the ones I'm aware of worked, nor did our original logins. :/