Hi Tushar

We run all radios in NAT mode.

Adam

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar Patel
Sent: Wednesday, May 04, 2016 3:34 PM
To: af@afmug.com
Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?

Radios could be put on private IP so nobody from the outside world can access them. That is what we do.

Tushar

On May 4, 2016, at 5:22 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:

I have received a number of emails for ab...@light-gap.net saying certain of our IP addresses are being used for attacks (see email text below).

All IP addresses are in UBNT radios. We are unable to remote access any of these radios now. We see that the radio we are unable to access rebooted a couple of days ago. A number of other radios show they rebooted around the same time (in sequence) on the AP. We are unable to remote access any of those either. Other radios with longer uptime on the APs are fine.

We have a tech en route to one of the customer sites.

We think the radios are being made into bots.

Anyone seen this or anything like this? Do the hackers need a username and password to hack a radio? I.e., would a change of the password stop the changes being made to the radios?

Any other thoughts, suggestions or ideas?

Thanks

Adam

Email Text below:

“This is a semi-automated e-mail from the LG-Mailproxy authentication system, all requests have been approved manually by the system-administrators or are obviously unwanted (eg. requests to our spamtraps). For further questions or if additional information is needed please reply to this email.

The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious behaviour on our system. This happened already 1 times. It might be part of a botnet, infected by a trojan/virus or running brute-force attacks.

Our affected destination servers: smtp.light-gap.net, imap.light-gap.net

Currently 7 failed/unauthorized logins attempts via SMTP/IMAP with 6 different usernames and wrong password:

2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)

Ongoing failed/unauthorized logins attempts will be logged and sent to you every 24h until the IP will be permanently banned from our systems after 72 hours.

The Light-Gap.net Abuse Team.”