06-01-2016 07:36 PM - edited 06-01-2016 07:53 PM
I got an email from ubiquiti about the virus but did not bother about one AirRouter that faces the internet. Was thinking it did not count, but yes it does.
1) The symptom we got was that the SSID got changed to mo*therfu*cker. Only without the asterisks. The unit was NOT reset and traffic was passing. Has anyone seen that sort of behavior from the virus?
2) Secondly, on the original I changed the wireless password. Afterwards I could not login to the airrouter with the admin password. I'm talking about logging in to the airrouter hardwired. Weird.
Put a second airrouter online, updated the FW to current, all went fine. Changed the wireless password again. Same thing happened. Passing traffic, can connect wirelessly, but can't login.
3) I did not update FW on other AirOS devices yet because they do not face the internet. If above symptoms are from the virus then everybody's likely infected. QUESTION: does upgrading the FW in and of itself eradicate the virus? Or must you run the separate tool anyway?
06-02-2016 09:28 AM - edited 06-02-2016 09:29 AM
I suspect there is the known virus that is propagating itself by installing code, and then there are just other folks getting their jollies finding Ubiquiti routers and messing with them. I suspect you got the latter for sure, and the other virus is almost a certainty as well.
For your second issue, not sure. I turned off SSH and CDP on one of my routers, and then the Web interface would never show up again. I had to reset the thing. Did the same to another one and it still worked fine. Flaky firmware I suppose.
The new firmware load is supposed to clean up the mess made by the known viruses.
06-02-2016 11:11 AM
I did find the radio infected when I ran the cleanup tool. There was a script. Thankfully it did not propagate to the other dozen or so AirOS devices on the backbone. That may be because the virus we got is a version that does not propagate (as you suggested), or the virus propagates at layer 3 only (which I doubt), as the infected radio was on an isolated IP network.
It's gone now, and I can login to the router even with the new password set.
06-03-2016 03:31 PM
I just updated some on our network today that had 5.5.10. The malware removal and firmware update went well. The password was reset to default, so I tried changing it, but can't. It tells me that the current password is wrong. I just logged into the router, so I know the current password is correct. Now I have patched routers, but can't secure them with a non-factory password.
06-05-2016 08:44 AM
We have the same problem with SSID being changed as well. We have cleaned up 95% of our network remotely. If the SSID has changed on a station, it also changes it to an access point. We have found about 10 radios like this over the past couple of days. However, if WPA2-AES is on when this happens we cannot access the device remotely. We have suspicions that the WPA2-AES key is changed as well. We will be doing truck rolls now to find out why. Anyone else have the same issue?