Nanostation 5 Malware?


  • D
    Beta Testers

    It looks like two of my nanostations may well have fallen for some kind of malware (both in the same subnet, connected to each other).

    I can ping them, I can query them with SNMP, and they pass traffic, but I can't log into them on normal ports for http/https/ssh. Unfortunately, I don't recall what software version they were on last time I could access them.

    I eventually resorted to running some port scans of one of them; this looks a little odd (see attached NMAP xml saves).

    In particular, it seems to be running SSH on a non-standard port (9132), and there seem to be services running on UDP that I wouldn't necessarily expect:

    443/udp open|filtered https
    684/udp open|filtered corba-iiop-ssl
    776/udp open|filtered wpages
    1030/udp open|filtered iad1
    1050/udp open|filtered cma
    9000/udp open|filtered cslistener
    18821/udp open|filtered unknown
    20518/udp open|filtered unknown
    49170/udp open|filtered unknown
    49176/udp open|filtered unknown
    49184/udp open|filtered unknown
    50099/udp open|filtered unknown

    Irritatingly, they're in very inaccessible locations.


  • Super Users

    Nanostation 5, or M5? If it's 5, you need to be on firmware 4.0.4.

    If it's M5, you need firmware 5.6.2 or later. See here:

    http://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949


  • D
    Beta Testers

    Thanks, flipper - I strongly suspect I'm going to be climbing on some roofs soon for some factory reset action…!

    It's a shame the malware script doesn't offer to "brute force" through known malware login credential variants. Helpfully, none of the ones I'm aware of worked, nor did our original logins. :/
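
A triage sketch for the kind of nmap XML save mentioned in the first post, added here as an example and not code from the thread or from Ubiquiti. It separates confirmed-open ports from `open|filtered` ones (nmap reports that state for UDP when a probe gets no reply, so it does not confirm a listening service), flags a known service answering on a non-baseline port, and lists expected management ports that no longer answer. The sample XML, the address 192.0.2.10 and the `EXPECTED` baseline are constructed assumptions, and one host per scan file is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX layout (not the poster's attached scan).
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="9132"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="22"><state state="closed" reason="reset"/><service name="ssh"/></port>
<port protocol="udp" portid="161"><state state="open" reason="udp-response"/><service name="snmp"/></port>
<port protocol="udp" portid="443"><state state="open|filtered" reason="no-response"/><service name="https"/></port>
<port protocol="udp" portid="18821"><state state="open|filtered" reason="no-response"/></port>
</ports></host></nmaprun>"""

# Assumed baseline: the "normal" management ports from the thread, plus SNMP.
EXPECTED = {("tcp", 22): "ssh", ("tcp", 80): "http",
            ("tcp", 443): "https", ("udp", 161): "snmp"}


def triage(xml_text, expected=EXPECTED):
    """Sort scan results into findings that need follow-up and ones that do not."""
    report = {"unexpected_open": [], "moved_service": [],
              "unconfirmed": [], "missing": []}
    seen_open = set()
    for port in ET.fromstring(xml_text).iter("port"):
        key = (port.get("protocol"), int(port.get("portid")))
        state = port.find("state").get("state")
        svc = port.find("service")
        name = svc.get("name") if svc is not None else "unknown"
        if state == "open|filtered":
            # No reply to the probe: nmap cannot tell open from firewalled.
            report["unconfirmed"].append(key)
        elif state == "open":
            seen_open.add(key)
            if key not in expected:
                # A baseline service name on a non-baseline port is the
                # stronger signal (for example SSH relocated off 22).
                moved = name in expected.values()
                bucket = "moved_service" if moved else "unexpected_open"
                report[bucket].append((key, name))
    # Baseline ports that did not come back as confirmed open.
    report["missing"] = sorted(k for k in expected if k not in seen_open)
    return report


if __name__ == "__main__":
    for category, items in triage(SAMPLE_XML).items():
        print(category, items)
```
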

