Virus attack - URGENT @UBNT

Hi there,

Since this afternoon (MET) we have had virus attacks on all AirMAX antennas with access to/from the Internet.

It's a self-distributing virus, so once it can "see" neighbouring antennas within the same subnet, it attacks the others.

Like all other viruses, it's within the /etc/persistent path, creates a subpath ./.mf and a tarball mf.tar, and of course uses rc.poststart.

Here is the path structure:

XM.v5.5.2# cd /etc/persistent/

XM.v5.5.2# ls
cardlist.txt dropbear_rsa_host_key rc.poststart
dropbear_dss_host_key mf.tar

XM.v5.5.2# cat rc.poststart
cd /etc/persistent ; tar -xf mf.tar ; /etc/persistent/.mf/mother

XM.v5.5.2# ls -al
drwxr-xr-x 3 root admin 160 Aug 16 2012 .
drwxr-xr-x 10 root admin 820 Aug 16 2012 ..
drwxrwxr-x 2 1001 1001 320 May 13 11:23 .mf
lrwxrwxrwx 1 root admin 21 Jan 1 1970 cardlist.txt -> /usr/etc/cardlist.txt
-rw------- 1 root admin 457 Aug 16 2012 dropbear_dss_host_key
-rw------- 1 root admin 427 Aug 16 2012 dropbear_rsa_host_key
-rw------- 1 root admin 20480 May 13 11:21 mf.tar
-rwxr-xr-x 1 root admin 65 May 13 11:21 rc.poststart

XM.v5.5.2# cd .mf

XM.v5.5.2# ls -al
drwxrwxr-x 2 1001 1001 320 May 13 11:23 .
drwxr-xr-x 3 root admin 160 Aug 16 2012 ..
-rwxr-xr-x 1 root admin 64372 May 19 2009 curl
-rwxrwxr-x 1 1001 1001 670 May 12 20:39 download
-rwxrw-r-- 1 1001 1001 747 May 12 20:44 f u c k
-rwxrw-r-- 1 1001 1001 199 May 12 20:44 f u c k e r
-rwxrw-r-- 1 1001 1001 480 May 12 23:30 i
-rwxrwxr-x 1 1001 1001 944 May 12 22:28 infect
-rw-r--r-- 1 root admin 1062608 May 19 2009 libcrypto.so.0.9.8
-rwxr-xr-x 1 root admin 207852 May 19 2009 libcurl.so.4
-rw-r--r-- 1 root admin 223552 May 19 2009 libssl.so.0.9.8
-rw------- 1 root admin 20480 Aug 16 2012 mf.tar
-rw-r--r-- 1 1001 1001 427 May 12 19:38 mfid
-rw-rw-r-- 1 1001 1001 232 May 12 19:39 mfid.pub
-rwxrw-r-- 1 1001 1001 952 May 13 06:39 mother
-rwxrwxr-x 1 1001 1001 1434 May 13 06:36 search
We're just cleaning thousands of CPEs ...

Hope it's helpful...

@ubnt

It's attacking any FW version. I think it's using SSH port 22... Please investigate!!!

Greez

AMX
