HELP- Netonix Virus?

DOWNLOAD THE LATEST FIRMWARE HERE
User avatar
wtm
Experienced Member
 
Posts: 262
Joined: Sun Jan 11, 2015 12:17 am
Location: Arizona
Has thanked: 41 times
Been thanked: 36 times

HELP- Netonix Virus?

Thu Aug 01, 2024 11:07 am

Getting a FBI seizure notice on EVERY Netonix switch we have in our network. Says that they have been used as DDOS attack platforms. I am now seeing that other ISP's across the USA are also getting this. Firmware is 1.5.14 on most units. Units are a mixture of various Netonix models.
Attachments
FBI-image.jpg

User avatar
wtm
Experienced Member
 
Posts: 262
Joined: Sun Jan 11, 2015 12:17 am
Location: Arizona
Has thanked: 41 times
Been thanked: 36 times

Re: HELP- Netonix Virus?

Thu Aug 01, 2024 11:20 am

Do all Netonix units have some sort of programming that tells them to go to a certain IP to leave stats, or check on new firmware or something link that ? (Call Home?)
THat's the only thing that I can see that would allow ALL Netonix devices to get this bug !

Digitexwireless
Member
 
Posts: 24
Joined: Mon Aug 22, 2016 11:20 pm
Location: Cleburne, TX
Has thanked: 0 time
Been thanked: 2 times

Re: HELP- Netonix Virus?

Thu Aug 01, 2024 12:46 pm

I have one displaying this same crap. I am reluctant to reboot it until i know what i am dealing with. I am guessing the WISP switch is running 1.5.11 as i last updated for the HTTPS update.
---------------------------------------------------------------------------
Tommy A.
Network Administrator
Digitex.com

ted.walsh
Member
 
Posts: 7
Joined: Mon Feb 08, 2016 2:29 pm
Has thanked: 1 time
Been thanked: 2 times

Re: HELP- Netonix Virus?

Thu Aug 01, 2024 1:50 pm

Anyone got any more scope on this? Like how it has happened for starters and possibly how to recover via CLI etc?

ted.walsh
Member
 
Posts: 7
Joined: Mon Feb 08, 2016 2:29 pm
Has thanked: 1 time
Been thanked: 2 times

Re: HELP- Netonix Virus?

Thu Aug 01, 2024 1:54 pm

wtm wrote:Getting a FBI seizure notice on EVERY Netonix switch we have in our network. Says that they have been used as DDOS attack platforms. I am now seeing that other ISP's across the USA are also getting this. Firmware is 1.5.14 on most units. Units are a mixture of various Netonix models.


and not only that, 'it' send the switch into freefall where Im guessing its overloaded with other tasks that have been added...

Digitexwireless
Member
 
Posts: 24
Joined: Mon Aug 22, 2016 11:20 pm
Location: Cleburne, TX
Has thanked: 0 time
Been thanked: 2 times

Re: HELP- Netonix Virus?

Thu Aug 01, 2024 2:12 pm

We only have this on one with a public IP address. It is not accessible on SSH any longer either. I figure a simple reset to default and pop the backup on will fix, but as we all need to know, how did it happen. All my switches on private IP's across the network for now are fine.
---------------------------------------------------------------------------
Tommy A.
Network Administrator
Digitex.com

ted.walsh
Member
 
Posts: 7
Joined: Mon Feb 08, 2016 2:29 pm
Has thanked: 1 time
Been thanked: 2 times

Re: HELP- Netonix Virus?

Thu Aug 01, 2024 2:13 pm

If you construct a specific URL of https://xxx.xxx.xxx.xxx/main.html it bypasses the default page and gives you the login page. Anyone know how far down the manipulation goes? should you login via html or is that just gunna cause other issues?

User avatar
sirhc
Employee
Employee
 
Posts: 7437
Joined: Tue Apr 08, 2014 3:48 pm
Location: Lancaster, PA
Has thanked: 1613 times
Been thanked: 1328 times

Re: HELP- Netonix Virus?

Thu Aug 01, 2024 3:29 pm

Well you should be on v1.5.16

But to recover you go to switch console into it backup config

Factory default

Import config

Upgrade to latest firmware.

There is a firewall / Access Control section under Device Tab to restrict UI and SSH access.

So far all reports are version 1.5.14, anyone on v1.5.16

Also more details on how you set this up.

We have management non routable IPs obviously routable within our network but not with customer IPs or blocked in Access Control.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.

User avatar
sirhc
Employee
Employee
 
Posts: 7437
Joined: Tue Apr 08, 2014 3:48 pm
Location: Lancaster, PA
Has thanked: 1613 times
Been thanked: 1328 times

Re: HELP- Netonix Virus?

Thu Aug 01, 2024 3:31 pm

ted.walsh wrote:If you construct a specific URL of https://xxx.xxx.xxx.xxx/main.html it bypasses the default page and gives you the login page. Anyone know how far down the manipulation goes? should you login via html or is that just gunna cause other issues?


If you can use this to login and do an upgrade of firmware it will clear any hacks on switch.

EVEN IF UPGRADING TO SAME VERSION

PLEASE REPORT IF YOU HAVE THIS ISSUE WITH v1.5.16 or just OLDER firmware
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.

User avatar
sdwisp
Member
 
Posts: 20
Joined: Tue May 19, 2015 11:21 am
Location: San Diego Ca
Has thanked: 4 times
Been thanked: 3 times

Re: HELP- Netonix Virus?

Thu Aug 01, 2024 5:15 pm

We got hit last night and I'm asking the same questions ..How did this happen ? we have over 10 switches on 3 deferent network all running 1.5.14. My IT guy found and back door SSL was in to remove what was downloaded. Lest me see if he can get me the details to share.

From IT... Dot ask me I'm only the messenger!


Fix via SSH
prereqs
SSH needs to be enabled before hand the hack
Need to install WinSCP -> https://winscp.net/eng/index.php
Need to set the SCP/Shell to /bin/ash -> https://forum.netonix.com/viewtopic.php?f=6&t=7409
Need to set Environment - Directories -> Remote directory: to /www

Connect to your netonix and look for an index.html(not index.php) that was recently added to the list.
Select the file and click delete.
Refresh the login page and it should come backup.

There maybe other files that have been modified/added to the netonix, I have not found any yet.
Last edited by sdwisp on Thu Aug 01, 2024 6:53 pm, edited 1 time in total.
Eric Williams
619-468-9600

SDWISP

Next
Return to Hardware and software issues

Who is online

Users browsing this forum: Google [Bot] and 15 guests