The odd thing is, he says port 80 and 22 are blocked at his routers. The only time I've seen UBNT radios get infected was when I accidentally left port 80 open on an IP block.
On Wed, May 4, 2016 at 9:00 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
> Public IP on Ubnt. What else do you need to know?
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On May 4, 2016 9:59 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote:
>
>> The thread got this far and no one has wondered how the CPE was pwned in
>> the first place?
>>
>> On Wed, May 4, 2016 at 6:55 PM, Mathew Howard <mhoward...@gmail.com> wrote:
>>
>>> Yeah, I looked at setting it up that way at one point, but something
>>> didn't look like it was going to work quite the way I wanted it to... but I
>>> probably spent all of five minutes on it, so it may very well be possible.
>>> The way ePMP does it is really nice though... and simple.
>>>
>>> On Wed, May 4, 2016 at 8:38 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>>>
>>>> People do it for sure. I want to say there was an example on the
>>>> forums or somewhere...
>>>>
>>>> On May 4, 2016 9:35 PM, "Mathew Howard" <mhoward...@gmail.com> wrote:
>>>>
>>>>> I have our ePMPs set up to get their public IP via PPPoE, and the
>>>>> radio also gets a completely separate private management IP via DHCP, which
>>>>> is the only way you can remotely access the radio, and it doesn't even have
>>>>> to be in a separate VLAN unless you want it to be... and it's one checkbox
>>>>> to configure it.
>>>>>
>>>>> I'm not sure if that can be duplicated on UBNT or not, since I haven't
>>>>> really tried yet, but at the very least it's a lot more complicated to
>>>>> configure.
>>>>>
>>>>> On Wed, May 4, 2016 at 7:04 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>>>>>
>>>>>> It does... you just need to set it up that way.
>>>>>>
>>>>>> On Wed, May 4, 2016 at 7:54 PM, Mathew Howard <mhoward...@gmail.com> wrote:
>>>>>>
>>>>>>> I really wish Ubiquiti radios had a separate management VLAN option
>>>>>>> (in router mode), like ePMP does...
>>>>>>>
>>>>>>> On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
>>>>>>>
>>>>>>>> I would encourage you to put your CPEs on a management VLAN, in
>>>>>>>> RFC1918 space.
>>>>>>>>
>>>>>>>> On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:
>>>>>>>> > Hi Tushar
>>>>>>>> >
>>>>>>>> > We run all radios in NAT mode.
>>>>>>>> >
>>>>>>>> > Adam
>>>>>>>> >
>>>>>>>> > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar Patel
>>>>>>>> > Sent: Wednesday, May 04, 2016 3:34 PM
>>>>>>>> > To: af@afmug.com
>>>>>>>> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>>>>>>>> >
>>>>>>>> > Radios could be put on private IP so nobody from the outside world can access
>>>>>>>> > it. That is what we do.
>>>>>>>> >
>>>>>>>> > Tushar
>>>>>>>> >
>>>>>>>> > On May 4, 2016, at 5:22 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:
>>>>>>>> >
>>>>>>>> > I have received a number of emails from ab...@light-gap.net saying certain of
>>>>>>>> > our IP addresses are being used for attacks (see email text below).
>>>>>>>> >
>>>>>>>> > All IP addresses are in UBNT radios. We are unable to remote access any of
>>>>>>>> > these radios now. We see that the radio we are unable to access
>>>>>>>> > rebooted a couple of days ago. A number of other radios show they rebooted
>>>>>>>> > around the same time (in sequence) on the AP. We are unable to remote
>>>>>>>> > access any of those either. Other radios with longer uptime on the APs are
>>>>>>>> > fine.
>>>>>>>> >
>>>>>>>> > We have a tech en route to one of the customer sites.
>>>>>>>> >
>>>>>>>> > We think the radios are being made into bots. Anyone seen this or anything
>>>>>>>> > like this? Do the hackers need a username and password to hack a radio?
>>>>>>>> > I.e., would a change of the password stop the changes being made to the
>>>>>>>> > radios? Any other thoughts, suggestions or ideas?
>>>>>>>> >
>>>>>>>> > Thanks
>>>>>>>> >
>>>>>>>> > Adam
>>>>>>>> >
>>>>>>>> > Email text below:
>>>>>>>> >
>>>>>>>> > “This is a semi-automated e-mail from the LG-Mailproxy authentication
>>>>>>>> > system, all requests have been approved manually by the
>>>>>>>> > system-administrators or are obviously unwanted (eg. requests to our
>>>>>>>> > spamtraps).
>>>>>>>> >
>>>>>>>> > For further questions or if additional information is needed please reply to
>>>>>>>> > this email.
>>>>>>>> >
>>>>>>>> > The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious
>>>>>>>> > behaviour on our system.
>>>>>>>> >
>>>>>>>> > This happened already 1 times.
>>>>>>>> >
>>>>>>>> > It might be part of a botnet, infected by a trojan/virus or running
>>>>>>>> > brute-force attacks.
>>>>>>>> >
>>>>>>>> > Our affected destination servers: smtp.light-gap.net, imap.light-gap.net
>>>>>>>> >
>>>>>>>> > Currently 7 failed/unauthorized login attempts via SMTP/IMAP with 6
>>>>>>>> > different usernames and wrong password:
>>>>>>>> >
>>>>>>>> > 2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
>>>>>>>> >
>>>>>>>> > 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
>>>>>>>> >
>>>>>>>> > 2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
>>>>>>>> >
>>>>>>>> > 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
>>>>>>>> >
>>>>>>>> > 2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
>>>>>>>> >
>>>>>>>> > 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
>>>>>>>> >
>>>>>>>> > 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
>>>>>>>> >
>>>>>>>> > Ongoing failed/unauthorized login attempts will be logged and sent to you
>>>>>>>> > every 24h until the IP is permanently banned from our systems after 72
>>>>>>>> > hours.
>>>>>>>> >
>>>>>>>> > The Light-Gap.net Abuse Team.”
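An added example, not part of the thread: a parser for the evidence lines in the quoted LG-Mailproxy notice, normalising the +02:00 timestamps to UTC so they can be lined up against the reboot times Adam saw on the AP. The sample text is the notice's own lines with quoting prefixes stripped and mail-client wrapping undone; the reboot timestamp used in the check is constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Evidence lines as they appear in the abuse notice quoted in the thread
# (quote markers removed, wrapped lines re-joined).
ABUSE_NOTICE = """\
2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
"""

# One attempt per line: ISO-8601 timestamp with offset, quoted username, optional note.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})'
    r'\s+with username\s+"(?P<user>[^"]*)"'
    r'(?:\s+\((?P<note>[^)]*)\))?\s*$'
)

def parse_attempts(text):
    """Return (utc_datetime, username, note) tuples, oldest first; prose lines are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts")).astimezone(timezone.utc)
        attempts.append((ts, m.group("user"), m.group("note") or ""))
    attempts.sort()
    return attempts

def summarize(attempts):
    """Totals the notice itself states, plus first/last attempt in UTC for correlation."""
    users = Counter(u for _, u, _ in attempts)
    return {
        "attempts": len(attempts),
        "distinct_users": len(users),
        "first_utc": attempts[0][0].isoformat() if attempts else None,
        "last_utc": attempts[-1][0].isoformat() if attempts else None,
        "all_spamtrap": all(n == "spamtrap account" for _, _, n in attempts),
    }

def reboot_precedes_abuse(reboot_iso, attempts):
    """True when the CPE's last reboot (ISO-8601 with offset, e.g. from the AP's station
    list) falls before the first logged attempt, matching the pattern seen in the thread."""
    reboot_utc = datetime.fromisoformat(reboot_iso).astimezone(timezone.utc)
    return bool(attempts) and reboot_utc <= attempts[0][0]
```

Radios whose reboot time lands before `first_utc` are the ones to pull for inspection first; those with uptime older than the whole window match the "longer uptime, still fine" group Adam describes.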