Blog Informático


Virus in Ubiquiti devices

Since last Friday, May 13, Ubiquiti Networks devices (very widely deployed in Spain) have been hit by waves of attacks that have affected many Spanish customers and international operators.

Everything points to a globally spread virus that exploits a vulnerability which was identified and fixed last year, including in the company's legacy products, and which particularly affects Ubiquiti airMAX and airFiber devices running firmware older than:

airMAX 5.6.4 (XM/XW), 4.0.4 (XS)

airFiber AF24/AF24HD 2.2.1 or 3.2

airFiber AF5X 3.0.2.1

How to clean Ubiquiti devices

As preventive measures, update each model to the latest published firmware as soon as possible, block HTTP(S) and SSH access to the devices from the Internet (management should be reachable only from a trusted network), and follow the official Ubiquiti forum thread closely for the virus "cleanup":

https://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940

 

Cleanup procedure

What follows is the text of the official Ubiquiti forum post linked above (original source cited at the end of this page):

There have been several reports of infected airOS M devices over the last week.  From the samples we have seen, there are 2-3 different variations.  We have confirmed at least two of these variations are using a known exploit that was reported and fixed last year.

This is an HTTP/HTTPS exploit that doesn't require authentication.  Simply having a radio on out-of-date firmware with its HTTP/HTTPS interface exposed to the Internet is enough to get infected.

We will be posting this in the airMAX Blog as well, but wanted to get out ASAP.

Devices running the following firmware are OK, but we recommend updating to 5.6.5 unless using legitimate rc. scripts.

airMAX M
  5.5.11 XM/TI
  5.5.10u2 XM
  5.6.2+ XM/XW/TI

airMAX AC
  7.1.3+

ToughSwitch
  1.3.2

airGateway
  1.1.5+

airFiber
  2.2.1+ AF24/AF24HD
  3.0.2.1+ AF5x

Removal tool.

CureMalware-0.7.jar

This tool requires Java.  It will search for both variants we have seen and remove them (and their baggage).  It has the option to upgrade firmware to 5.6.5.  Beware that 5.6.5 removes _all_ rc.scripts and the ability to use them.

Usage:

java -jar CureMalware-0.7.jar

Example:

C:\Users\ubnt\Downloads>java -jar CureMalware-0.7.jar
Skynet/PimPamPum/ExploitIM malware removal tool v0.7 for Ubiquiti devices

Copyright 2006-2016, Ubiquiti Networks, Inc. <e-mail address omitted>

This program is proprietary software; you can not redistribute it and/or modify
it without signed agreement with Ubiquiti Networks, Inc.


Possible formats for IP(s):
IP <192.168.1.1>
IP list <192.168.1.1, 192.168.1.2>
IP range <192.168.1.1-192.168.1.254>
Enter IP(s): 192.168.1.31
Possible actions:
Check [1]
Check and Cure [2]
Check, Cure and Update [3]
Enter action <1|2|3>: 3
Enter ssh port [22]:
Enter user name [ubnt]: ubnt
Reuse password <y|n>[y]: y
Processing ubnt@192.168.1.31:22 ...
Password for ubnt@192.168.1.31:
Checking...
CRITICAL: Infected by exploitim
WARNING: User Script(s) is(are) installed:
/etc/persistent/rc.poststart
Review/remove manually!
Done.
Cleaning...
Done.
IT IS STRONGLY RECOMMENDED TO CHANGE PASSWORD ON CURED DEVICE!
IT IS STRONGLY RECOMMENDED TO RUN CURED+UPDATE PROCEDURE!
Preparing Upgrade...
Done.
Uploading firmware: /firmwares/XM.bin ...
Sending... [%100]
Done.
Upgrading...
Current ver: 329220
New version: 329221
No need to fix.
Writing 'u-boot         ' to /dev/mtd0(u-boot         ) ...  [%100]
Writing 'kernel         ' to /dev/mtd2(kernel         ) ...  [%100]
Writing 'rootfs         ' to /dev/mtd3(rootfs         ) ...  [%100]
Done.

Firmware:


We are releasing 5.6.5 with the following changes.

- New: Disable custom scripts usage
- New: Enable syslog by default
- Fix: Security updates (malware scripts check and removal)

http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XW.v5.6.5.29033.160515.2108.bin
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XM.v5.6.5.29033.160515.2119.bin
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/TI.v5.6.5.29033.160515.2058.bin

For users running Verizon fix firmware on XM based devices.

http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XM.v5.6.5-cpu400.29033.160515.2119.bin

We are working on a few different solutions for all three variations, but users with the mf variant (/etc/persistent/.mf + mf.tar) can use THIS manual script posted by @rocket_man.  @sabueso has also posted an automated option that uses Ansible HERE.  You'll need to first install Ansible on Linux. @mhammett  Has put together a removal guide using @sabueso's solution HERE.

EDIT: Another removal method using sshpass posted by @diegocanton

EDIT2: @UBNT-Vlad  Has created an unofficial Android app to help with removal HERE.  Direct link to download via Google Play store HERE.

EDIT3:


UBNT-James wrote:

Just a quick update.

We are testing a utility to cure both payloads.

In addition, we will be removing support for persistent rc.scripts. All rc. scripts will be removed in a future firmware version.  We know there are many users out there that have legitimate uses for these, so we will have a firmware that supports rc.scripts upon user request.
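The forum post above describes the tool's three target formats (single IP, comma-separated list, range), the airMAX M firmware versions it considers safe, and the on-disk markers of the mf variant (/etc/persistent/.mf and mf.tar) plus the rc. user scripts it flags for manual review. The following Python script is an added example written for this page, not Ubiquiti's code and not part of CureMalware: it expands a target spec the same way the tool's prompt accepts it, classifies a firmware version string against the airMAX M list, and triages an `ls -a /etc/persistent` listing for those markers. It assumes you collect the version string and the listing yourself (for example over SSH, as the sshpass and Ansible methods in the thread do), that the version string follows the firmware file-name format shown above (XM.v5.6.5.29033.160515.2119.bin, optionally with an extra SoC token such as ar7240 before the version), that 5.5.10u2 appears as "5.5.10u2", and the sample inputs at the bottom are constructed. Platforms outside the airMAX M list (XS, AC, airFiber) deliberately return "unknown" rather than "ok", so a radio is never marked safe by a table that does not cover it.

```python
import ipaddress
import re

# airMAX M firmware the forum post lists as OK: exact versions, plus a
# minimum for the "5.6.2+" entry. Versions are (major, minor, patch, u-suffix).
SAFE_EXACT = {
    "XM": {(5, 5, 11, 0), (5, 5, 10, 2)},   # 5.5.11 XM/TI, 5.5.10u2 XM
    "TI": {(5, 5, 11, 0)},
    "XW": set(),
}
SAFE_MIN = {"XM": (5, 6, 2, 0), "XW": (5, 6, 2, 0), "TI": (5, 6, 2, 0)}

# Markers of the "mf" variant named in the thread (/etc/persistent/.mf + mf.tar).
MF_MARKERS = {".mf", "mf.tar"}

# Assumed layout: <platform>.[<soc>.]v<major>.<minor>.<patch>[u<n>].<build>...
FW_RE = re.compile(
    r"^(?P<plat>[A-Z0-9]+)\.(?:[a-z][a-z0-9]*\.)?"
    r"v(?P<ver>\d+\.\d+\.\d+(?:u\d+)?)(?:\.|$)"
)


def expand_targets(spec):
    """Expand the tool's IP formats: '1.2.3.4', '1.2.3.4, 1.2.3.5', '1.2.3.1-1.2.3.254'."""
    targets = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in part.split("-", 1))
            if hi < lo:
                raise ValueError(f"descending range: {part}")
            targets.extend(str(ipaddress.IPv4Address(i)) for i in range(int(lo), int(hi) + 1))
        else:
            targets.append(str(ipaddress.IPv4Address(part)))
    return targets


def _version_tuple(ver):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:u(\d+))?", ver)
    return tuple(int(x or 0) for x in m.groups())


def firmware_verdict(version_string):
    """'ok', 'vulnerable', or 'unknown' (platform not in the airMAX M list, or unparsable)."""
    m = FW_RE.match(version_string.strip())
    if not m:
        return "unknown"
    plat, ver = m.group("plat"), _version_tuple(m.group("ver"))
    if plat not in SAFE_MIN:
        return "unknown"
    if ver in SAFE_EXACT[plat] or ver >= SAFE_MIN[plat]:
        return "ok"
    return "vulnerable"


def persistent_verdict(listing):
    """Triage an `ls -a` (or `ls -la`) listing of /etc/persistent."""
    names = set()
    for line in listing.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[-1])  # last field works for both ls -a and ls -la
    names -= {".", ".."}
    return {
        "mf_variant": bool(names & MF_MARKERS),
        # rc.* scripts are legitimate hooks but also where the malware persists;
        # the tool only warns about them, so they need a manual look.
        "user_scripts": sorted(n for n in names if n.startswith("rc.")),
    }


def recommend(version_string, listing):
    """Map the two verdicts onto the tool's actions (cure / update) plus a manual review."""
    fw = firmware_verdict(version_string)
    p = persistent_verdict(listing)
    actions = []
    if p["mf_variant"]:
        actions.append("cure")
    if fw == "vulnerable":
        actions.append("update")
    elif fw == "unknown":
        actions.append("verify-firmware")
    if p["user_scripts"]:
        actions.append("review-scripts")
    return actions or ["none"]


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real device.
    sample_version = "XM.ar7240.v5.6.1.27929.150716.1203"
    sample_listing = ".\n..\n.mf\nmf.tar\nrc.poststart\ncfg\n"
    for ip in expand_targets("192.168.1.30-192.168.1.31"):
        print(ip, firmware_verdict(sample_version), recommend(sample_version, sample_listing))
```

Feed each radio's `/etc/version` string and `ls -a /etc/persistent` output into `recommend()`; a result containing "cure" means the mf markers are present, "update" means the firmware is below the forum's OK list, and "review-scripts" means an rc. hook exists that only a human can judge, exactly the WARNING the tool prints in the transcript above.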

More information and the original authors of the solution applied here: original source

If you have been infected and need IT support, do not hesitate to contact us... we can help.
