Don't think I've come across that -- except maybe the http port was changed?
Perhaps Hammett can chime in, I think he's read all 30 pages too lol

  ----- Original Message ----- 
  From: TJ Trout 
  To: af@afmug.com 
  Sent: Monday, May 16, 2016 9:13 PM
  Subject: Re: [AFMUG] ubnt malware


  Anyone have luck fixing a unit that won't respond to ssh or http?


  On Mon, May 16, 2016 at 7:11 PM, CBB - Jay Fuller <par...@cyberbroadband.net> wrote:


    Yup. Spent 3 hours reading it all last night....

      ----- Original Message ----- 
      From: Josh Reynolds 
      To: af@afmug.com 
      Sent: Monday, May 16, 2016 8:56 PM
      Subject: Re: [AFMUG] ubnt malware


      There's a huge like 27 page forum thread on it.

      On May 16, 2016 8:38 PM, "That One Guy /sarcasm" <thatoneguyst...@gmail.com> wrote:

        are we talking can see layer two, can see via device discovery, that's a broad term


        Is there any direct thread on specific symptoms beyond devices offline and any traces of what takes place post infection, I've seen some comments they're doing port 53 VPNs to send spam, just curious what else.


        I've read claims of infections as high as 5.6.4, we are mostly 5.6.2 and 3


        We only have a handful of air routers with public IPs on them, everything else is internal space


        the self replication is what I'm wondering about, the devices on each network segment are subnet isolated, but still on the same layer2


        On Mon, May 16, 2016 at 8:31 PM, Mike Hammett <af...@ics-il.net> wrote:

          Initially...  then every other radio (and switch) that radio can see.




          -----
          Mike Hammett
          Intelligent Computing Solutions

          Midwest Internet Exchange

          The Brothers WISP






----------------------------------------------------------------------

          From: "Josh Reynolds" <j...@kyneticwifi.com>
          To: af@afmug.com
          Sent: Monday, May 16, 2016 8:30:12 PM
          Subject: Re: [AFMUG] ubnt malware 



          It's self replicating. They patched this long ago. It hits people with radios on public IPs.

          On May 16, 2016 8:19 PM, "That One Guy /sarcasm" <thatoneguyst...@gmail.com> wrote:

            From what I'm reading in their forums something set off over the weekend? or is it ubnt douche nozzles?


            It sounds almost as if this malware is actively being manipulated (changing from key access to foul username/password, wandering control ports, etc.), like script kiddies found a new toy?


            is this thing self propagating from the device?



            -- 

            If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.







        -- 

        If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
