HELP- Netonix Virus?

[wtm]

Getting a FBI seizure notice on EVERY Netonix switch we have in our network. Says that they have been used as DDOS attack platforms. I am now seeing that other ISP's across the USA are also getting this. Firmware is 1.5.14 on most units. Units are a mixture of various Netonix models.

[wtm]

Do all Netonix units have some sort of programming that tells them to go to a certain IP to leave stats, or check on new firmware or something link that ? (Call Home?)
THat's the only thing that I can see that would allow ALL Netonix devices to get this bug !

[Digitexwireless]

I have one displaying this same crap. I am reluctant to reboot it until i know what i am dealing with. I am guessing the WISP switch is running 1.5.11 as i last updated for the HTTPS update.

[ted.walsh]

Anyone got any more scope on this? Like how it has happened for starters and possibly how to recover via CLI etc?

[ted.walsh]

Getting a FBI seizure notice on EVERY Netonix switch we have in our network. Says that they have been used as DDOS attack platforms. I am now seeing that other ISP's across the USA are also getting this. Firmware is 1.5.14 on most units. Units are a mixture of various Netonix models.

and not only that, 'it' send the switch into freefall where Im guessing its overloaded with other tasks that have been added...

[Digitexwireless]

We only have this on one with a public IP address. It is not accessible on SSH any longer either. I figure a simple reset to default and pop the backup on will fix, but as we all need to know, how did it happen. All my switches on private IP's across the network for now are fine.

[ted.walsh]

If you construct a specific URL of https://xxx.xxx.xxx.xxx/main.html it bypasses the default page and gives you the login page. Anyone know how far down the manipulation goes? should you login via html or is that just gunna cause other issues?

[sirhc]

Well you should be on v1.5.16

But to recover you go to switch console into it backup config

Factory default

Import config

Upgrade to latest firmware.

There is a firewall / Access Control section under Device Tab to restrict UI and SSH access.

So far all reports are version 1.5.14, anyone on v1.5.16

Also more details on how you set this up.

We have management non routable IPs obviously routable within our network but not with customer IPs or blocked in Access Control.

[sirhc]

If you construct a specific URL of https://xxx.xxx.xxx.xxx/main.html it bypasses the default page and gives you the login page. Anyone know how far down the manipulation goes? should you login via html or is that just gunna cause other issues?

If you can use this to login and do an upgrade of firmware it will clear any hacks on switch.

EVEN IF UPGRADING TO SAME VERSION

PLEASE REPORT IF YOU HAVE THIS ISSUE WITH v1.5.16 or just OLDER firmware

[sdwisp]

We got hit last night and I'm asking the same questions ..How did this happen ? we have over 10 switches on 3 deferent network all running 1.5.14. My IT guy found and back door SSL was in to remove what was downloaded. Lest me see if he can get me the details to share.

From IT... Dot ask me I'm only the messenger!


Fix via SSH
prereqs
SSH needs to be enabled before hand the hack
Need to install WinSCP -> https://winscp.net/eng/index.php
Need to set the SCP/Shell to /bin/ash -> https://forum.netonix.com/viewtopic.php?f=6&t=7409
Need to set Environment - Directories -> Remote directory: to /www

Connect to your netonix and look for an index.html(not index.php) that was recently added to the list.
Select the file and click delete.
Refresh the login page and it should come backup.

There maybe other files that have been modified/added to the netonix, I have not found any yet.