HELP- Netonix Virus?
-
wtm - Experienced Member
- Posts: 262
- Joined: Sun Jan 11, 2015 12:17 am
- Location: Arizona
- Has thanked: 41 times
- Been thanked: 36 times
HELP- Netonix Virus?
Getting a FBI seizure notice on EVERY Netonix switch we have in our network. Says that they have been used as DDOS attack platforms. I am now seeing that other ISP's across the USA are also getting this. Firmware is 1.5.14 on most units. Units are a mixture of various Netonix models.
-
wtm - Experienced Member
- Posts: 262
- Joined: Sun Jan 11, 2015 12:17 am
- Location: Arizona
- Has thanked: 41 times
- Been thanked: 36 times
Re: HELP- Netonix Virus?
Do all Netonix units have some sort of programming that tells them to go to a certain IP to leave stats, or check on new firmware or something link that ? (Call Home?)
THat's the only thing that I can see that would allow ALL Netonix devices to get this bug !
THat's the only thing that I can see that would allow ALL Netonix devices to get this bug !
- Digitexwireless
- Member
- Posts: 24
- Joined: Mon Aug 22, 2016 11:20 pm
- Location: Cleburne, TX
- Has thanked: 0 time
- Been thanked: 2 times
Re: HELP- Netonix Virus?
I have one displaying this same crap. I am reluctant to reboot it until i know what i am dealing with. I am guessing the WISP switch is running 1.5.11 as i last updated for the HTTPS update.
---------------------------------------------------------------------------
Tommy A.
Network Administrator
Digitex.com
Tommy A.
Network Administrator
Digitex.com
Re: HELP- Netonix Virus?
Anyone got any more scope on this? Like how it has happened for starters and possibly how to recover via CLI etc?
Re: HELP- Netonix Virus?
wtm wrote:Getting a FBI seizure notice on EVERY Netonix switch we have in our network. Says that they have been used as DDOS attack platforms. I am now seeing that other ISP's across the USA are also getting this. Firmware is 1.5.14 on most units. Units are a mixture of various Netonix models.
and not only that, 'it' send the switch into freefall where Im guessing its overloaded with other tasks that have been added...
- Digitexwireless
- Member
- Posts: 24
- Joined: Mon Aug 22, 2016 11:20 pm
- Location: Cleburne, TX
- Has thanked: 0 time
- Been thanked: 2 times
Re: HELP- Netonix Virus?
We only have this on one with a public IP address. It is not accessible on SSH any longer either. I figure a simple reset to default and pop the backup on will fix, but as we all need to know, how did it happen. All my switches on private IP's across the network for now are fine.
---------------------------------------------------------------------------
Tommy A.
Network Administrator
Digitex.com
Tommy A.
Network Administrator
Digitex.com
Re: HELP- Netonix Virus?
If you construct a specific URL of https://xxx.xxx.xxx.xxx/main.html it bypasses the default page and gives you the login page. Anyone know how far down the manipulation goes? should you login via html or is that just gunna cause other issues?
-
sirhc - Employee
- Posts: 7414
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: HELP- Netonix Virus?
Well you should be on v1.5.16
But to recover you go to switch console into it backup config
Factory default
Import config
Upgrade to latest firmware.
There is a firewall / Access Control section under Device Tab to restrict UI and SSH access.
So far all reports are version 1.5.14, anyone on v1.5.16
Also more details on how you set this up.
We have management non routable IPs obviously routable within our network but not with customer IPs or blocked in Access Control.
But to recover you go to switch console into it backup config
Factory default
Import config
Upgrade to latest firmware.
There is a firewall / Access Control section under Device Tab to restrict UI and SSH access.
So far all reports are version 1.5.14, anyone on v1.5.16
Also more details on how you set this up.
We have management non routable IPs obviously routable within our network but not with customer IPs or blocked in Access Control.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
sirhc - Employee
- Posts: 7414
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: HELP- Netonix Virus?
ted.walsh wrote:If you construct a specific URL of https://xxx.xxx.xxx.xxx/main.html it bypasses the default page and gives you the login page. Anyone know how far down the manipulation goes? should you login via html or is that just gunna cause other issues?
If you can use this to login and do an upgrade of firmware it will clear any hacks on switch.
EVEN IF UPGRADING TO SAME VERSION
PLEASE REPORT IF YOU HAVE THIS ISSUE WITH v1.5.16 or just OLDER firmware
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
sdwisp - Member
- Posts: 20
- Joined: Tue May 19, 2015 11:21 am
- Location: San Diego Ca
- Has thanked: 4 times
- Been thanked: 3 times
Re: HELP- Netonix Virus?
We got hit last night and I'm asking the same questions ..How did this happen ? we have over 10 switches on 3 deferent network all running 1.5.14. My IT guy found and back door SSL was in to remove what was downloaded. Lest me see if he can get me the details to share.
From IT... Dot ask me I'm only the messenger!
Fix via SSH
prereqs
SSH needs to be enabled before hand the hack
Need to install WinSCP -> https://winscp.net/eng/index.php
Need to set the SCP/Shell to /bin/ash -> https://forum.netonix.com/viewtopic.php?f=6&t=7409
Need to set Environment - Directories -> Remote directory: to /www
Connect to your netonix and look for an index.html(not index.php) that was recently added to the list.
Select the file and click delete.
Refresh the login page and it should come backup.
There maybe other files that have been modified/added to the netonix, I have not found any yet.
From IT... Dot ask me I'm only the messenger!
Fix via SSH
prereqs
SSH needs to be enabled before hand the hack
Need to install WinSCP -> https://winscp.net/eng/index.php
Need to set the SCP/Shell to /bin/ash -> https://forum.netonix.com/viewtopic.php?f=6&t=7409
Need to set Environment - Directories -> Remote directory: to /www
Connect to your netonix and look for an index.html(not index.php) that was recently added to the list.
Select the file and click delete.
Refresh the login page and it should come backup.
There maybe other files that have been modified/added to the netonix, I have not found any yet.
Last edited by sdwisp on Thu Aug 01, 2024 6:53 pm, edited 1 time in total.
Eric Williams
619-468-9600
SDWISP
619-468-9600
SDWISP
Who is online
Users browsing this forum: Bing [Bot] and 6 guests