There is also a Linux worm going around that exploits devices with default usernames and passwords; the latest firmware for ubnt will force you to change the password.
On Wed, May 4, 2016, 10:12 PM Eric Kuhnke <eric.kuh...@gmail.com> wrote:

> I know about the very old firmware version for M series stuff that is vulnerable to a known worm.
>
> But let's assume you do have ubnt devices with public IPs (which is a bad idea). What's the attack surface? http, https, ssh, snmp
>
> Provided you have chosen a reasonably complex admin login and password, there are no *current, known* remote root exploits for current (or within the past 2 years) ubnt firmware on M or AC devices, right?
>
> On Wed, May 4, 2016 at 7:00 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>
>> Public IP on Ubnt. What else do you need to know?
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>> On May 4, 2016 9:59 PM, "Eric Kuhnke" <eric.kuh...@gmail.com> wrote:
>>
>>> The thread got this far and no one has wondered how the CPE was pwned in the first place?
>>>
>>> On Wed, May 4, 2016 at 6:55 PM, Mathew Howard <mhoward...@gmail.com> wrote:
>>>
>>>> Yeah, I looked at setting it up that way at one point, but something didn't look like it was going to work quite the way I wanted it to... but I probably spent all of five minutes on it, so it may very well be possible. The way ePMP does it is really nice though... and simple.
>>>>
>>>> On Wed, May 4, 2016 at 8:38 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>>>>
>>>>> People do it for sure. I want to say there was an example on the forums or somewhere...
>>>>>
>>>>> Josh Luthman
>>>>> Office: 937-552-2340
>>>>> Direct: 937-552-2343
>>>>> 1100 Wayne St
>>>>> Suite 1337
>>>>> Troy, OH 45373
>>>>>
>>>>> On May 4, 2016 9:35 PM, "Mathew Howard" <mhoward...@gmail.com> wrote:
>>>>>
>>>>>> I have our ePMPs set up to get their public IP via PPPoE, and the radio also gets a completely separate private management IP via DHCP, which is the only way you can remotely access the radio, and it doesn't even have to be in a separate vlan unless you want it to be... and it's one checkbox to configure it.
>>>>>>
>>>>>> I'm not sure if that can be duplicated on UBNT or not, since I haven't really tried yet, but at the very least it's a lot more complicated to configure.
>>>>>>
>>>>>> On Wed, May 4, 2016 at 7:04 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>>>>>>
>>>>>>> It does... you just need to set it up that way.
>>>>>>>
>>>>>>> Josh Luthman
>>>>>>> Office: 937-552-2340
>>>>>>> Direct: 937-552-2343
>>>>>>> 1100 Wayne St
>>>>>>> Suite 1337
>>>>>>> Troy, OH 45373
>>>>>>>
>>>>>>> On Wed, May 4, 2016 at 7:54 PM, Mathew Howard <mhoward...@gmail.com> wrote:
>>>>>>>
>>>>>>>> I really wish Ubiquiti radios had a separate management vlan option (in router mode), like ePMP does...
>>>>>>>>
>>>>>>>> On Wed, May 4, 2016 at 6:10 PM, Josh Reynolds <j...@kyneticwifi.com> wrote:
>>>>>>>>
>>>>>>>>> I would encourage you to put your CPEs on a management vlan, in RFC1918 space.
>>>>>>>>>
>>>>>>>>> On Wed, May 4, 2016 at 6:00 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:
>>>>>>>>> > Hi Tushar
>>>>>>>>> >
>>>>>>>>> > We run all radios in NAT mode.
>>>>>>>>> >
>>>>>>>>> > Adam
>>>>>>>>> >
>>>>>>>>> > From: Af [mailto:af-boun...@afmug.com] On Behalf Of Tushar Patel
>>>>>>>>> > Sent: Wednesday, May 04, 2016 3:34 PM
>>>>>>>>> > To: af@afmug.com
>>>>>>>>> > Subject: Re: [AFMUG] UBNT CPE being used for Abusive actions?
>>>>>>>>> >
>>>>>>>>> > Radios could be put on private IP so nobody from the outside world can access it. That is what we do.
>>>>>>>>> >
>>>>>>>>> > Tushar
>>>>>>>>> >
>>>>>>>>> > On May 4, 2016, at 5:22 PM, SmarterBroadband <li...@smarterbroadband.com> wrote:
>>>>>>>>> >
>>>>>>>>> > I have received a number of emails from ab...@light-gap.net saying certain of our IP addresses are being used for attacks (see email text below).
>>>>>>>>> >
>>>>>>>>> > All IP addresses are in UBNT radios. We are unable to remote access any of these radios now. We see that the radio we are unable to access rebooted a couple of days ago. A number of other radios show they rebooted around the same time (in sequence) on the AP. We are unable to remote access any of those either. Other radios with longer uptime on the APs are fine.
>>>>>>>>> >
>>>>>>>>> > We have a tech en route to one of the customer sites.
>>>>>>>>> >
>>>>>>>>> > We think the radios are being made into bots. Anyone seen this or anything like this? Do the hackers need a username and password to hack a radio? I.e. would a change of the password stop the changes being made to the radios? Any other thoughts, suggestions or ideas?
>>>>>>>>> >
>>>>>>>>> > Thanks
>>>>>>>>> >
>>>>>>>>> > Adam
>>>>>>>>> >
>>>>>>>>> > Email text below:
>>>>>>>>> >
>>>>>>>>> > "This is a semi-automated e-mail from the LG-Mailproxy authentication system; all requests have been approved manually by the system administrators or are obviously unwanted (e.g. requests to our spamtraps).
>>>>>>>>> >
>>>>>>>>> > For further questions or if additional information is needed, please reply to this email.
>>>>>>>>> >
>>>>>>>>> > The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious behaviour on our system.
>>>>>>>>> >
>>>>>>>>> > This happened already 1 times.
>>>>>>>>> >
>>>>>>>>> > It might be part of a botnet, infected by a trojan/virus or running brute-force attacks.
>>>>>>>>> >
>>>>>>>>> > Our affected destination servers: smtp.light-gap.net, imap.light-gap.net
>>>>>>>>> >
>>>>>>>>> > Currently 7 failed/unauthorized login attempts via SMTP/IMAP with 6 different usernames and wrong password:
>>>>>>>>> >
>>>>>>>>> > 2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
>>>>>>>>> > 2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
>>>>>>>>> > 2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
>>>>>>>>> > 2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
>>>>>>>>> > 2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
>>>>>>>>> > 2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
>>>>>>>>> > 2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
>>>>>>>>> >
>>>>>>>>> > Ongoing failed/unauthorized login attempts will be logged and sent to you every 24h until the IP will be permanently banned from our systems after 72 hours.
>>>>>>>>> >
>>>>>>>>> > The Light-Gap.net Abuse Team."
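The abuse notice quoted in the thread has a regular enough shape to be parsed for triage when several of them arrive at once. The following is an added example, not code from the thread or from Light-Gap.net: it extracts the timestamped failed-login entries from a constructed copy of the notice (entry values taken from the quoted text, IP masked as the notice masks it), counts attempts and distinct usernames, checks that the notice's own "N attempts with M usernames" summary agrees with its entries, and lists the usernames the notice marks as spamtrap accounts, which is the signature of a credential-spraying bot rather than a customer's mistyped password. The line format is assumed from the single notice quoted above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the LG-Mailproxy notice quoted in the thread.
SAMPLE_NOTICE = """\
The IP xxx.xxx.xxx.xxx has been banned for 48 hours due to suspicious behaviour on our system.
Currently 7 failed/unauthorized logins attempts via SMTP/IMAP with 6 different usernames and wrong password:
2016-05-04T23:48:40+02:00 with username "downloads.openscience.or.at" (spamtrap account)
2016-05-04T22:47:19+02:00 with username "sp_woq" (spamtrap account)
2016-05-04T14:55:11+02:00 with username "info" (spamtrap account)
2016-05-03T21:24:22+02:00 with username "fips" (spamtrap account)
2016-05-03T20:57:19+02:00 with username "downloads.openscience.or.at" (spamtrap account)
2016-05-03T10:13:59+02:00 with username "d10hw49WpH" (spamtrap account)
2016-05-03T05:34:43+02:00 with username "12345678" (spamtrap account)
"""

# One entry per line: ISO timestamp with offset, quoted username, optional parenthesised note.
ENTRY_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})'
    r'\s+with username "(?P<user>[^"]*)"'
    r'(?:\s+\((?P<note>[^)]*)\))?\s*$'
)
# The notice's own summary line; "logins?" tolerates the wording as sent.
SUMMARY_RE = re.compile(r'Currently (\d+) failed/unauthorized logins? attempts .*? with (\d+) different usernames')

def parse_entries(text):
    """Return a list of (timestamp, username, note) for each failed-login line in the notice."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("note") or ""))
    return entries

def triage(text):
    """Summarise a notice: attempt count, distinct users, spamtrap users, time span and summary consistency."""
    entries = parse_entries(text)
    users = Counter(u for _, u, _ in entries)
    spamtrap = sorted({u for _, u, n in entries if "spamtrap" in n})
    times = [t for t, _, _ in entries]
    span_h = (max(times) - min(times)).total_seconds() / 3600 if times else 0.0
    m = SUMMARY_RE.search(text)
    summary_ok = bool(m) and int(m.group(1)) == len(entries) and int(m.group(2)) == len(users)
    return {"attempts": len(entries), "distinct_users": len(users), "spamtrap_users": spamtrap,
            "span_hours": round(span_h, 2), "summary_matches": summary_ok}
```

A mismatch between the summary line and the parsed entries usually means the notice was truncated or line-wrapped in transit, so the entry regex should be re-checked before the numbers are trusted.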