I don't believe there's any time that SSH stops working until it erases the 
config. 

I didn't try the jar tool. I cobbled together my own method more quickly and my 
own method is more useful in that I can have it do anything. I got tied up with 
other work today, but I'm working on a script to add firewall entries across all 
devices on the network. 

http://community.ubnt.com/t5/airMAX-General-Discussion/Infection-fix-via-ansible-Sticky-this-thread/m-p/1564746#U1564746
 


I had five devices that weren't patched, one on a Mikrotik AP and four that 
U-CRM somehow missed (continually) when scanning a subnet. Caught them all 
yesterday morning only a couple hours after being infected. 




----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 
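
Added example, not part of the original message or the script mentioned in it: a Python triage of a device inventory against the firmware releases named further down this thread as not infectable into an active state (5.6.2+, 5.5.10u2, 5.5.11). The inventory, its addresses, the version-string format and the function names are constructed for illustration, and treating every unlisted release as unpatched is an assumption.

```python
import re

# Fixed releases as stated in the thread: 5.6.2 and later, plus 5.5.10u2 and 5.5.11.
# Assumption of this sketch: any other release is flagged as unpatched (conservative).
PATCHED_EXACT = {(5, 5, 10, 2), (5, 5, 11, 0)}
PATCHED_FLOOR = (5, 6, 2)

# Accepts "5.6.3", "v5.5.11", "5.5.10u2" or "5.5.10-u2" (assumed string formats).
_VERSION = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-?u(\d+))?", re.IGNORECASE)

def parse_version(text):
    """Return (major, minor, patch, update) or None if no version is found."""
    m = _VERSION.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, int(m.group(4) or 0))

def is_patched(text):
    """True/False for a parsed version, None when the string cannot be parsed."""
    v = parse_version(text)
    if v is None:
        return None  # unknown: needs a manual look
    return v[:3] >= PATCHED_FLOOR or v in PATCHED_EXACT

def triage(inventory):
    """Split {address: version string} into patched / unpatched / unknown lists."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for addr, ver in sorted(inventory.items()):
        state = is_patched(ver)
        key = "unknown" if state is None else ("patched" if state else "unpatched")
        result[key].append(addr)
    return result

# Constructed sample inventory (addresses from a documentation range).
SAMPLE = {
    "192.0.2.10": "5.6.3",
    "192.0.2.11": "5.5.10",
    "192.0.2.12": "5.5.10u2",
    "192.0.2.13": "v5.5.11",
    "192.0.2.14": "5.6.1",
    "192.0.2.15": "",
}

if __name__ == "__main__":
    for state, addrs in triage(SAMPLE).items():
        print(state, addrs)
```

Devices that land in the unknown bucket did not report a parsable version and need to be checked by hand rather than assumed safe.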




----- Original Message -----

From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com> 
To: af@afmug.com 
Sent: Monday, May 16, 2016 9:50:22 PM 
Subject: Re: [AFMUG] ubnt malware 


As I understand it, if the jar tool works, the device had not been fully 
compromised yet? Or it was scanning the rest of the network during the 
timeframe mentioned? 
I've found two, cleaned them with the tool, but if the malware is fully active, 
SSH won't be accessible anyway 


On Mon, May 16, 2016 at 9:35 PM, That One Guy /sarcasm < 
thatoneguyst...@gmail.com > wrote: 



> From what I've read so far, the majority of them make me look like a network 
> rockstar. I'm telling the boss to give me a raise or I'll send them a job app 
> for my job 




On Mon, May 16, 2016 at 9:33 PM, Mike Hammett < af...@ics-il.net > wrote: 

<blockquote>


You've been reading comments from people that don't know what they're talking 
about. 

5.6.2+, 5.5.10u2 and 5.5.11 can't be infected into an active state. If they 
have the files on them, they either weren't properly cleaned or the files were 
uploading into an inert portion of the system that is wiped on reboot. 










From: "That One Guy /sarcasm" < thatoneguyst...@gmail.com > 
To: af@afmug.com 
Sent: Monday, May 16, 2016 8:37:59 PM 
Subject: Re: [AFMUG] ubnt malware 


Are we talking can see layer two, can see via device discovery? That's a broad 
term. 


Is there any direct thread on specific symptoms beyond devices offline and any 
traces of what takes place post infection? I've seen some comments they're doing 
port 53 VPNs to send spam, just curious what else. 


I've read claims of infections as high as 5.6.4, we are mostly 5.6.2 and 3 


We only have a handful of air routers with public IPs on them, everything else 
is internal space 


The self replication is what I'm wondering about, the devices on each network 
segment are subnet isolated, but still on the same layer2 




On Mon, May 16, 2016 at 8:31 PM, Mike Hammett < af...@ics-il.net > wrote: 

<blockquote>


Initially... then every other radio (and switch) that radio can see. 










From: "Josh Reynolds" < j...@kyneticwifi.com > 
To: af@afmug.com 
Sent: Monday, May 16, 2016 8:30:12 PM 
Subject: Re: [AFMUG] ubnt malware 




It's self replicating. They patched this long ago. It hits people with radios 
on public IPs. 
On May 16, 2016 8:19 PM, "That One Guy /sarcasm" < thatoneguyst...@gmail.com > 
wrote: 

<blockquote>

From what I'm reading in their forums something set off over the weekend? Or is 
it ubnt douche nozzles? 


It sounds almost as if this malware is actively being manipulated (changing 
from key access to foul username/password, wandering control ports, etc.), like 
script kiddies found a new toy? 


Is this thing self propagating from the device? 


-- 




If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team. 



</blockquote>





</blockquote>




</blockquote>



