[caiu] RES: Virus UBNT

Diego Canton de Brito diegocanton at ensite.com.br
Wed May 18 12:01:26 BRT 2016


Hi, if you used my script in its early versions, you may have run into this; unfortunately I wrote a >> on one line, which caused the duplication.
As soon as I'm back at a computer I'll send a command to fix it, and if need be I'll add it to that Git repo ;)
But basically you have to read the file and pass it through uniq.
Other devices that have DMZ will need the DMZ line in the file changed; I didn't find a safe way to do that :/
--
Sent from the myMail app for Android, Wednesday, 18 May 2016, 11:51AM -03:00, from Otávio Costa <otavioacosta at gmail.com>:

>Jonas, I noticed this on some radios.
>I just reset the device and the duplicated lines went away.
>
>On 18 May 2016 at 11:19, Jonas Sampaio <jonas.informatica at domalberto.edu.br> wrote:
>
>> Good morning,
>>
>> Is anyone noticing that the parameters in the /tmp/system.cfg file are
>> duplicated on infected radios? Even after upgrading to v5.6.5, in some
>> cases we had to access the devices over SSH and delete duplicated lines
>> to get Web access back.
>>
>> ebtables.sys.vlan.status=disabled
>> ebtables.sys.vlan.status=disabled
>> ebtables.sys.vlan.status=disabled
>> gui.language=pt_PT
>> gui.language=pt_PT
>> gui.language=pt_PT
>> gui.language=pt_PT
>> httpd.port=80
>> httpd.port=80
>> httpd.session.timeout=900
>> httpd.session.timeout=900
>> httpd.status=enabled
>> httpd.status=enabled
>>
>> If anyone can help, we would appreciate it.
>>
>> On 18 May 2016 at 07:55, Werneck Costa <werneck.costa at gmail.com> wrote:
>>
>> > I received, in a notice from a company that sells Ubnt, this link with
>> > the specific information:
>> >
>> > http://tecwi.envemkt.com.br/ver_mensagem.php?id=H |2015|200059783|143023926142581300
>> >
>> > - - -
>> > *Werneck Costa*
>> > Support Analyst
>> > e-mail/Skype/GTalk: werneck.costa at gmail.com
>> >
>> > On 17 May 2016 at 10:27, Edinilson - ATINET <edinilson at atinet.com.br> wrote:
>> >
>> > > I don't know whether it would serve the current purpose, but in the past
>> > > I needed to do a mass update and used this script:
>> > > https://github.com/sudomesh/ubi-flasher
>> > >
>> > > It's easy to customize.
>> > >
>> > > Edinilson
>> > >
>> > > ------------------------------------------
>> > > ATINET
>> > > Voice tel.: (0xx11) 4412-0876
>> > > http://www.atinet.com.br
>> > >
>> > > ----- Original Message -----
>> > > From: "Alexandre J. Correa (Onda)" <alexandre at onda.net.br>
>> > > To: "Lista das indisponibilidades da Internet brasileira" <caiu at eng.registro.br>
>> > > Sent: Tuesday, May 17, 2016 10:20 AM
>> > > Subject: Re: [caiu] RES: Virus UBNT
>> > >
>> > > At the rate this thing is going, I think it will be better to merge the 2
>> > > projects ..
>> > >
>> > > On 17/05/2016 04:49, Diego Canton de Brito wrote:
>> > >
>> > >> So using trigger_url (from airos) worked :D
>> > >>
>> > >> Alexandre, I made a change in my Git repo to your update code so that
>> > >> people can switch between firmware URLs; it would be nice to do that
>> > >> there too.
>> > >>
>> > >> URL='http://dl.ubnt.com/firmwares/XN-fw/v5.6.5/XM.v5.6.5.29033.160515.2119.bin'
>> > >> #
>> > >> URL='http://dl.ubnt.com/firmwares/XN-fw/v5.6.4/XM.v5.6.4.28924.160331.1253.bin'
>> > >> wget $URL -O /tmp/firmware.bin
>> > >> ubntbox fwupdate.real -m /tmp/firmware.bin
>> > >>
>> > >> For more examples https://github.com/diegocanton/remove_ubnt_mf/
>> > >>
>> > >>> On 2016-05-17 01:48, Alexandre J. Correa (Onda) wrote:
>> > >>>
>> > >>> https://github.com/ajcorrea/cleanmf
>> > >>>
>> > >>> I migrated to GITHUB, and also included Compliance test and changing of
>> > >>> the default ports (Diego Canton)
>> > >>>
>> > >>> The script now uses github as the base for downloads, using the
>> > >>> trigger_url function !!!
>> > >>>
>> > >>> On 16/05/2016 22:09, marcio petarnella wrote:
>> > >>>
>> > >>> I've already lost patience with this aircontrol. I installed the server
>> > >>> and now the client only gives a login and password error; it doesn't work
>> > >>> no matter what. I've already changed java, I've tried everything, and I
>> > >>> won't waste any more time on this. As if it weren't enough that this
>> > >>> ubiquiti tool doesn't work either.
>> > >>>
>> > >>> On 16/05/2016 9:51 PM, "Geeek Masters" <rgeeek at gmail.com> wrote:
>> > >>>
>> > >>> If you do it through AirControl, yes.
>> > >>>
>> > >>> 2016-05-16 21:43 GMT-03:00 marcio petarnella <marcio at mgptelecom.com.br>:
>> > >>>
>> > >>> Is there any script that checks whether the version is xm or xw and does
>> > >>> the update automatically?
>> > >>>
>> > >>> On 16/05/2016 9:08 PM, "Geeek Masters" <rgeeek at gmail.com> wrote:
>> > >>>
>> > >>>> IMPORTANT
>> > >>>>
>> > >>>> What We Know
>> > >>>>
>> > >>>> In recent days, we've seen virus activity taking network devices
>> > >>>> offline. In most cases, devices are reset to factory defaults. In other
>> > >>>> cases, devices are still operational, but inaccessible. The virus is
>> > >>>> using an HTTP/HTTPS exploit that doesn't require authentication. Simply
>> > >>>> having a radio with out-of-date firmware and having its HTTP (port
>> > >>>> 80)/HTTPS (port 443) interface exposed to the Internet is enough to get
>> > >>>> infected.
>> > >>>>
>> > >>>> Checking Your Devices
>> > >>>>
>> > >>>> Devices running the following firmware are *NOT* affected:
>> > >>>>
>> > >>>> Ensure the Safety of Your Devices
>> > >>>>
>> > >>>> Ubiquiti takes these threats seriously and has created a patch and an
>> > >>>> Android app to diagnose and fix the problem. To check your devices and
>> > >>>> remove the virus, please use *the removal tool*
>> > >>>> <http://ubnt.us8.list-manage.com/track/click?u=bc856e62a9254399365d0277b&id=4444e56b2c&e=fca1226044>.
>> > >>>>
>> > >>>> Note: The tool has the ability to upgrade airMAX M series devices to
>> > >>>> airOS(R) v5.6.5, which completely disables custom script usage.
>> > >>>> If a device is inaccessible, TFTP recovery will be required to reset it
>> > >>>> to factory defaults.
>> > >>>>
>> > >>>> For further discussions, check our *community page*
>> > >>>> <http://ubnt.us8.list-manage.com/track/click?u=bc856e62a9254399365d0277b&id=da02fcd1ca&e=fca1226044>
>> > >>>> or contact our *support team*
>> > >>>> <http://ubnt.us8.list-manage.com/track/click?u=bc856e62a9254399365d0277b&id=8a12f2fc13&e=fca1226044>.
>> > >>>>
>> > >>>> Copyright (c) 2016, Ubiquiti Networks, Inc. All Rights Reserved.
>> > >>>> Ubiquiti Networks 2580 Orchard Parkway San Jose, CA 95131 USA
>> > >>>>
>> > >>> On 16 May 2016 at 15:56, Lucas Fernandes <lucas at jotaftelecom.com.br> wrote:
>> > >>>
>> > >>> SSH
>> > >>>
>> > >>> touch /etc/persistent/ct
>> > >>>
>> > >>> That alone brings the compliance test back
>> > >>>
>> > >>> Thank you
>> > >>> Regards,
>> > >>>
>> > >>> JotaF.Telecom
>> > >>>
>> > >>> *Lucas Fernandes*
>> > >>> Network Manager
>> > >>>
>> > >>> *T: *19 3913-9797 *C: *19 9 7163-3676
>> > >>> www.jotaftelecom.com.br
>> > >>>
>> > >>> JotaF.Telecom
>> > >>>
>> > >>> On 16/05/2016 15:52, Alexandre Silva Nano wrote:
>> > >>>
>> > >>> On 16 May 2016 at 15:37, Rogerio Alves <rogerioapedroso at gmail.com> wrote:
>> > >>>
>> > >>> I come here to thank Alexandre J. Correa, because thanks to his effort
>> > >>> and intelligence I am managing to bring some order to the mess that UBNT
>> > >>> made and couldn't even make a tool that works!
>> > >>>
>> > >>> Great stuff! I liked the script too! Now, Alexandre: those who use
>> > >>> Compliance Test, how do they keep using it? If you update to the version
>> > >>> you put in the script, CT will be disabled.
>> > >>>
>> > >>>
>> > >>> _______________________________________________
>> > >>> caiu mailing list
>> > >>> caiu at eng.registro.br
>> > >>> https://eng.registro.br/mailman/listinfo/caiu
>> > >>>
>> > >>> --> TO LEAVE THE LIST FOLLOW THE INSTRUCTIONS at:
>> > >>>
>> > >>> https://eng.registro.br/mailman/options/caiu
>> > >>>
>> > > --
>> > > Regards,
>> > >
>> > > Alexandre Jeronimo Correa
>> > > Onda Internet
>> > > Office: +55 34 3351 3077
>> > > www.onda.net.br
>> > >
>> --
>> *Regards, Jonas Sampaio*
>> Software Coordination.
>> Faculdade Dom Alberto (51) 21066362.


More information about the caiu mailing list
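
The cleanup described at the top of this message (read `/tmp/system.cfg` and pass it through `uniq`), as an added shell example that is not part of the thread or of either cleanup script. It goes slightly beyond plain `uniq`, which only collapses adjacent repeats: repeated lines are removed wherever they sit, and nothing is written when a key appears with two different values. The function names and the sample file are constructed here; it assumes a POSIX `awk` and is meant to run on a copy of the file.

```shell
#!/bin/sh
# Added example, not from the thread. Operates on a copy of an airOS-style
# key=value file such as /tmp/system.cfg; all function names are made up here.

# Exact duplicate lines removed, first occurrence kept, original order preserved.
# Plain `uniq` only collapses adjacent repeats, so it misses interleaved ones.
dedupe_cfg() {
    awk '!seen[$0]++' "$1"
}

# Keys that occur with more than one distinct value: de-duplication cannot
# pick a winner for these, so list them for manual review.
conflicting_keys() {
    awk -F= '
        /^[ \t]*$/ { next }
        {
            key = $1
            val = substr($0, length(key) + 2)
            if (!(key in first)) { first[key] = val; order[++n] = key }
            else if (first[key] != val) conflict[key] = 1
        }
        END { for (i = 1; i <= n; i++) if (order[i] in conflict) print order[i] }
    ' "$1"
}

# Write a cleaned copy to $2; refuse (exit status 1) if any key conflicts.
clean_cfg() {
    bad=$(conflicting_keys "$1")
    if [ -n "$bad" ]; then
        echo "conflicting values, fix by hand: $bad" >&2
        return 1
    fi
    dedupe_cfg "$1" > "$2"
}

# Constructed sample, built from the duplicated lines quoted in the thread
# but interleaved so that some repeats are not adjacent.
make_sample() {
    cat > "$1" <<'EOF'
ebtables.sys.vlan.status=disabled
ebtables.sys.vlan.status=disabled
gui.language=pt_PT
httpd.port=80
gui.language=pt_PT
httpd.port=80
httpd.session.timeout=900
httpd.status=enabled
httpd.status=enabled
EOF
}
```

Comparing the cleaned copy against the original with `diff` before replacing anything shows exactly which lines were dropped.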