don't think i've come across that - - except maybe the http port was changed? perhaps hammett can chime in, i think he's read all 30 pages too lol
----- Original Message ----- From: TJ Trout To: [email protected] Sent: Monday, May 16, 2016 9:13 PM Subject: Re: [AFMUG] ubnt malware Anyone have luck fixing a unit that won't respond to ssh or http? On Mon, May 16, 2016 at 7:11 PM, CBB - Jay Fuller <[email protected]> wrote: Yup. Spent 3 hours reading it all last night.... ----- Original Message ----- From: Josh Reynolds To: [email protected] Sent: Monday, May 16, 2016 8:56 PM Subject: Re: [AFMUG] ubnt malware There's a huge like 27 page forum thread on it. On May 16, 2016 8:38 PM, "That One Guy /sarcasm" <[email protected]> wrote: are we talking can see layer two, can see via device discovery, thats a broad term Is there any direct thread on specific symptoms beyond devices offline and any traces of what takes place post infection, ive seen some comments theyre doing port 53 vpns to send spam, just curios what else. Ive read claims of infections as high as 5.6.4, we are mostly 5.6.2 and 3 We only have a handful of air routers with public IPs on them, everything else is internal space the self replication is what im wondering about, the devices on each network segment are subnet isolated, but still on the same layer2 On Mon, May 16, 2016 at 8:31 PM, Mike Hammett <[email protected]> wrote: Initially... then every other radio (and switch) that radio can see. ----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP ---------------------------------------------------------------------- From: "Josh Reynolds" <[email protected]> To: [email protected] Sent: Monday, May 16, 2016 8:30:12 PM Subject: Re: [AFMUG] ubnt malware It's self replicating. They patched this long ago. It hits people with radios on public IPs. On May 16, 2016 8:19 PM, "That One Guy /sarcasm" <[email protected]> wrote: From what im reading in their forums something set off over the weekend? or is it ubnt douche nozzles? It sounds almost as if this malware is actively being manipulated (changing from key access to foul username/password, wandering control ports, etc, like script kiddies found a new toy? is this thing self propagating from the device? -- If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team. -- If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
