[caiu] RES: Virus UBNT

Alexandre J. Correa (Onda) alexandre at onda.net.br
Wed May 18 12:04:20 BRT 2016


Did you use a script to try to remove the 'virus'?

Since some of them use ECHO instead of SED, they can duplicate the data...


On 18/05/2016 11:51, Otávio Costa wrote:
> Jonas, I noticed this on some radios.
> I just reset the device and the duplicated lines disappeared.
>
>
>
> *--*
>
> On 18 May 2016 11:19, Jonas Sampaio <jonas.informatica at domalberto.edu.br> wrote:
>
>> Good morning,
>>
>>
>> Is anyone noticing that the parameters in the /tmp/system.cfg file are
>> duplicated on infected radios, and even after upgrading to
>> v5.6.5, in some cases we had to access devices over SSH and delete
>> duplicated lines to get Web access back.
>>
>> ebtables.sys.vlan.status=disabled
>> ebtables.sys.vlan.status=disabled
>> ebtables.sys.vlan.status=disabled
>> gui.language=pt_PT
>> gui.language=pt_PT
>> gui.language=pt_PT
>> gui.language=pt_PT
>> httpd.port=80
>> httpd.port=80
>> httpd.session.timeout=900
>> httpd.session.timeout=900
>> httpd.status=enabled
>> httpd.status=enabled
>>
>> If anyone can help, we would appreciate it.
>>
>>
>> On 18 May 2016 07:55, Werneck Costa <werneck.costa at gmail.com> wrote:
>>
>>> I received, in a notice from a company that sells Ubnt, this link with the
>>> specific information:
>>>
>>> http://tecwi.envemkt.com.br/ver_mensagem.php?id=H|2015|200059783|143023926142581300
>>>
>>> - - -
>>> *Werneck Costa*
>>> Support Analyst
>>> e-mail/Skype/GTalk: werneck.costa at gmail.com
>>>
>>> On 17 May 2016 10:27, Edinilson - ATINET <edinilson at atinet.com.br> wrote:
>>>
>>>> I don't know whether it would serve the current purpose, but in the past
>>>> I needed to do a mass upgrade and used this script:
>>>> https://github.com/sudomesh/ubi-flasher
>>>>
>>>> It is easy to customize.
>>>>
>>>>
>>>> Edinilson
>>>>
>>>> ------------------------------------------
>>>> ATINET
>>>> Tel (voice): (0xx11) 4412-0876
>>>> http://www.atinet.com.br
>>>>
>>>>
>>>> ----- Original Message ----- From: "Alexandre J. Correa (Onda)" <
>>>> alexandre at onda.net.br>
>>>> To: "Lista das indisponibilidades da Internet brasileira" <
>>>> caiu at eng.registro.br>
>>>> Sent: Tuesday, May 17, 2016 10:20 AM
>>>> Subject: Re: [caiu] RES: Virus UBNT
>>>>
>>>>
>>>>
>>>> At the rate this is going, I think it will be better to merge the 2
>>>> projects ..
>>>>
>>>>
>>>> On 17/05/2016 04:49, Diego Canton de Brito wrote:
>>>>
>>>>> So using trigger_url (from airos) worked :D
>>>>>
>>>>> Alexandre, I made a change in my Git copy of your update code so that
>>>>> people can switch between firmware URLs; it would be nice to do that on
>>>>> your side too.
>>>>>
>>>>> # Firmware image to install; swap the commented line to pick the other version
>>>>> URL='http://dl.ubnt.com/firmwares/XN-fw/v5.6.5/XM.v5.6.5.29033.160515.2119.bin'
>>>>> #URL='http://dl.ubnt.com/firmwares/XN-fw/v5.6.4/XM.v5.6.4.28924.160331.1253.bin'
>>>>> wget "$URL" -O /tmp/firmware.bin
>>>>> ubntbox fwupdate.real -m /tmp/firmware.bin
>>>>>
>>>>> For more examples: https://github.com/diegocanton/remove_ubnt_mf/
>>>>>
>>>>> On 2016-05-17 01:48, Alexandre J. Correa (Onda) wrote:
>>>>>
>>>>>> https://github.com/ajcorrea/cleanmf
>>>>>> I migrated to GitHub, and also included Compliance Test and changing of
>>>>>> the default ports (Diego Canton)
>>>>>>
>>>>>> The script now uses GitHub as the base for downloads, using the
>>>>>> trigger_url function !!!
>>>>>>
>>>>>> On 16/05/2016 22:09, marcio petarnella wrote:
>>>>>> I have already lost my patience with this aircontrol. I installed the
>>>>>> server, and now the client only gives login and password errors; it
>>>>>> does not work no matter what. I changed Java, I tried everything, I am
>>>>>> not going to waste any more time on this. As if it were not enough that
>>>>>> this Ubiquiti tool does not work either.
>>>>>>
>>>>>> On 16/05/2016 9:51 PM, "Geeek Masters" <rgeeek at gmail.com> wrote:
>>>>>>
>>>>>> If you do it through AirControl, yes.
>>>>>>
>>>>>> 2016-05-16 21:43 GMT-03:00 marcio petarnella <marcio at mgptelecom.com.br>:
>>>>>> Is there a script that checks whether the version is xm or xw and does
>>>>>> the upgrade automatically?
>>>>>>
>>>>>> On 16/05/2016 9:08 PM, "Geeek Masters" <rgeeek at gmail.com> wrote:
>>>>>>
>>>>>>> IMPORTANT
>>>>>>>
>>>>>>> What We Know
>>>>>>>
>>>>>>> In recent days, we've seen virus activity taking network devices offline.
>>>>>>> In most cases, devices are reset to factory defaults. In other cases,
>>>>>>> devices are still operational, but inaccessible. The virus is using an
>>>>>>> HTTP/HTTPS exploit that doesn't require authentication. Simply having a
>>>>>>> radio with out-of-date firmware and having its HTTP (port 80)/HTTPS
>>>>>>> (port 443) interface exposed to the Internet is enough to get infected.
>>>>>>>
>>>>>>> Checking Your Devices
>>>>>>>
>>>>>>> Devices running the following firmware are *NOT* affected:
>>>>>>>
>>>>>>> Ensure the Safety of Your Devices
>>>>>>>
>>>>>>> Ubiquiti takes these threats seriously and has created a patch and an
>>>>>>> Android app to diagnose and fix the problem. To check your devices and
>>>>>>> remove the virus, please use *the removal tool*.
>>>>>>>
>>>>>>> Note: The tool has the ability to upgrade airMAX M series devices to
>>>>>>> airOS(R) v5.6.5, which completely disables custom script usage.
>>>>>>> If a device is inaccessible, TFTP recovery will be required to reset it
>>>>>>> to factory defaults.
>>>>>>>
>>>>>>> For further discussions, check our *community page* or contact our
>>>>>>> *support team*.
>>>>>>>
>>>>>>> Copyright (c) 2016, Ubiquiti Networks, Inc. All Rights Reserved.
>>>>>>> Ubiquiti Networks 2580 Orchard Parkway San Jose, CA 95131 USA
>>>>>>
>>>>> On 16 May 2016 15:56, Lucas Fernandes <lucas at jotaftelecom.com.br> wrote:
>>>>>> SSH
>>>>>>
>>>>>> touch /etc/persistent/ct
>>>>>>
>>>>>> That alone brings the compliance test back
>>>>>>
>>>>>> Thanks
>>>>>> Regards,
>>>>>>
>>>>>> JotaF.Telecom
>>>>>>
>>>>>> *Lucas Fernandes*
>>>>>> Network Manager
>>>>>>
>>>>>> *T: *19 3913-9797 *C: *19 9 7163-3676
>>>>>> www.jotaftelecom.com.br
>>>>>>
>>>>>> On 16/05/2016 15:52, Alexandre Silva Nano wrote:
>>>>>>
>>>>>> On 16 May 2016 15:37, Rogerio Alves <rogerioapedroso at gmail.com> wrote:
>>>>>> I am here to thank Alexandre J. Correa, because thanks to his effort
>>>>>> and intelligence I am managing to tidy up the mess that UBNT made and
>>>>>> could not even make a decent tool for!
>>>>>>
>>>>>> Great stuff! I liked the script too! Now, Alexandre: those who use
>>>>>> Compliance Test, how do they keep using it? If you upgrade to the
>>>>>> version you put in the script, CT will be disabled.
>>>>>> _______________________________________________
>>>>>> caiu mailing list
>>>>>> caiu at eng.registro.br
>>>>>> https://eng.registro.br/mailman/listinfo/caiu
>>>>>>
>>>>>> --> TO LEAVE THE LIST, FOLLOW THE INSTRUCTIONS at:
>>>>>>
>>>>>> https://eng.registro.br/mailman/options/caiu
>>>>>>
>>>> --
>>>> Regards.
>>>>
>>>> Alexandre Jeronimo Correa
>>>> Onda Internet
>>>> Office: +55 34 3351 3077
>>>> www.onda.net.br
>>>>
>>
>>
>> --
>>
>>
>> *Regards, Jonas Sampaio* Software Coordination.
>> Faculdade Dom Alberto (51) 21066362.


-- 
Regards.

Alexandre Jeronimo Correa
Onda Internet
Office: +55 34 3351 3077
www.onda.net.br
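
The duplication discussed in this thread (clean-up scripts that append settings with echo instead of editing them in place) can be detected and avoided as sketched below. This is an added example, not code from the thread or from the linked projects; the function names are hypothetical, the sample file is constructed from the lines quoted above, and it assumes that the last value of a duplicated key is the one to keep. It works on a copy of the file.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# dup_keys FILE: print every key that appears on more than one line.
dup_keys() {
    awk -F= 'index($0, "=") && seen[$1]++ == 1 { print $1 }' "$1"
}

# dedupe_cfg FILE: keep only the last line of each key (assumption: last value
# wins); lines without "=" pass through unchanged.
dedupe_cfg() {
    awk -F= '
        NR == FNR { if (index($0, "=")) last[$1] = FNR; next }
        !index($0, "=") || last[$1] == FNR
    ' "$1" "$1" > "$1.new" && mv "$1.new" "$1"
}

# set_cfg FILE KEY VALUE: idempotent replacement for `echo KEY=VALUE >> FILE`.
# Rewrites the key where it already stands, drops extra copies, and appends
# only when the key is absent. The key is compared as a literal string, so the
# dots in names such as httpd.port are not treated as regex wildcards.
set_cfg() {
    K="$2" V="$3" awk '
        BEGIN { k = ENVIRON["K"] "="; v = ENVIRON["V"] }
        substr($0, 1, length(k)) == k { if (!done++) print k v; next }
        { print }
        END { if (!done) print k v }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Constructed sample: a working copy with duplicated lines like those quoted above.
make_sample() {
    cat > "$1" <<'EOF'
ebtables.sys.vlan.status=disabled
ebtables.sys.vlan.status=disabled
gui.language=pt_PT
gui.language=pt_PT
httpd.port=80
httpd.port=80
httpd.status=enabled
EOF
}

cfg=$(mktemp) && make_sample "$cfg"
dup_keys "$cfg"                 # lists the three duplicated keys
dedupe_cfg "$cfg"
set_cfg "$cfg" httpd.port 80    # safe to repeat: never adds a second line
set_cfg "$cfg" httpd.port 80
cat "$cfg"; rm -f "$cfg"
```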


