a few points i've seen / made note of:

all it takes is one public facing radio on an old firmware and anything can get hit.  i've heard reports even of 5.6.3 internally - but for most of those reports the thought is the radio had been previously infected.  once a public facing radio is infected it'll talk to other radios near that subnet.  then it'll randomly go trying to infect things for, i believe (and you hafta love this), 66,666 seconds (roughly 18 hours).

after 18 hours, it resets to factory defaults, i believe.

if you can't get into a radio that has been infected during the first 18 hours, try login username mother with password of f*cker...

yah.  that's original.
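
The message above boils down to an inventory question: which radios are public facing on old firmware, and which internal radios share a layer 2 segment with one of those. The script below is an added example written for this page, not code from the thread or from Ubiquiti. The fixed-firmware threshold (PATCHED_FIRMWARE), the "internal" address ranges, and the sample inventory are all assumptions; the thread never names the patched release, so replace the placeholder with the value from the vendor advisory.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical threshold: the firmware version from which the worm no longer
# gets a foothold. The thread does not name the fixed release, so this is a
# placeholder the operator should replace with the vendor's advisory value.
PATCHED_FIRMWARE = (5, 6, 5)

# Address space the thread calls "internal": RFC 1918, CGNAT, loopback,
# link-local. Anything outside these is treated as public-facing, which is
# why the RFC 5737 documentation addresses in the sample count as public.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass
class Radio:
    name: str
    ip: str
    firmware: str
    segment: str  # layer-2 domain the radio sits in (tower, VLAN, bridge)


def parse_version(v: str) -> tuple:
    """Turn '5.6.3', 'v5.6.4' or '5.6.2-rc1' into a comparable int tuple."""
    parts = []
    for piece in v.strip().lstrip("v").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_public(ip: str) -> bool:
    """True when the address is outside every range we consider internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exposure_report(radios, patched=PATCHED_FIRMWARE) -> dict:
    """Map radio name -> 'direct' or 'lateral' for every radio the worm could reach.

    direct:  old firmware on a public address (the initial foothold).
    lateral: old firmware sharing a layer-2 segment with a direct one
             (the thread's "talks to other radios near that subnet").
    Radios on patched firmware, or on segments with no public foothold,
    are left out of the report.
    """
    outdated = {r.name for r in radios if parse_version(r.firmware) < patched}
    direct = {r.name for r in radios if r.name in outdated and is_public(r.ip)}
    hot_segments = {r.segment for r in radios if r.name in direct}
    report = {}
    for r in radios:
        if r.name in direct:
            report[r.name] = "direct"
        elif r.name in outdated and r.segment in hot_segments:
            report[r.name] = "lateral"
    return report


# Constructed inventory, not real hosts.
SAMPLE_RADIOS = [
    Radio("ap1", "203.0.113.10", "5.6.2", "tower-a"),   # public + old
    Radio("ap2", "10.0.0.5", "5.6.3", "tower-a"),       # internal, same L2 as ap1
    Radio("ap3", "10.0.1.7", "5.6.2", "tower-b"),       # internal, no public peer
    Radio("ap4", "203.0.113.20", "v5.6.5", "tower-b"),  # public but patched
    Radio("ap5", "192.168.1.9", "5.6.4", "tower-b"),    # internal, old, no peer
]

if __name__ == "__main__":
    for name, how in sorted(exposure_report(SAMPLE_RADIOS).items()):
        print(f"{name}: {how}")
```

With the sample inventory this reports ap1 as the direct foothold and ap2 as reachable laterally; ap3 and ap5 are old but sit on a segment with no public-facing radio, and ap4 is public but at the assumed patched version. Lowering the threshold (for example to 5.6.3, the version the first message says it has seen reports of internally) shrinks the report accordingly.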


  ----- Original Message ----- 
  From: That One Guy /sarcasm 
  To: [email protected] 
  Sent: Monday, May 16, 2016 8:37 PM
  Subject: Re: [AFMUG] ubnt malware


  are we talking can see layer two, can see via device discovery, that's a broad term


  Is there any direct thread on specific symptoms beyond devices offline and any traces of what takes place post infection? I've seen some comments they're doing port 53 VPNs to send spam, just curious what else.


  I've read claims of infections as high as 5.6.4, we are mostly 5.6.2 and 3


  We only have a handful of air routers with public IPs on them, everything else is internal space


  the self replication is what I'm wondering about, the devices on each network segment are subnet isolated, but still on the same layer 2


  On Mon, May 16, 2016 at 8:31 PM, Mike Hammett <[email protected]> wrote:

    Initially...  then every other radio (and switch) that radio can see.


    -----
    Mike Hammett
    Intelligent Computing Solutions
    Midwest Internet Exchange
    The Brothers WISP

----------------------------------------------------------------------------

    From: "Josh Reynolds" <[email protected]>
    To: [email protected]
    Sent: Monday, May 16, 2016 8:30:12 PM
    Subject: Re: [AFMUG] ubnt malware

    It's self replicating. They patched this long ago. It hits people with radios on public IPs.

    On May 16, 2016 8:19 PM, "That One Guy /sarcasm" <[email protected]> wrote:

      From what I'm reading in their forums something set off over the weekend? or is it ubnt douche nozzles?


      It sounds almost as if this malware is actively being manipulated (changing from key access to foul username/password, wandering control ports, etc.), like script kiddies found a new toy?


      is this thing self propagating from the device?

      -- 
      If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.

  -- 
  If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
