HELP- Netonix Virus?

[ted.walsh]

Doing as suggested by initiating the connection with the constructed URL (https://xxx.xxx.xxx.xxx/main.html) allowed me to login as normal. I took the usual upgrade path and it completed as expected. Once the switch restarted everything came back online as normal and the client complaints went away. FYI this switch was on 1.5.11

All of our other Netonix switches didn't seem to be affected, they were on 1.5.14 - I upgraded all of them first including the DC ones and changed the passwords for good measure.

all in all another 12 years removed from my projected lifespan but it would be really useful to understand the attack vector on this. the switch didnt have any incoming public access so how was the hack made possible?

[sirhc]

Doing as suggested by initiating the connection with the constructed URL (https://xxx.xxx.xxx.xxx/main.html) allowed me to login as normal. I took the usual upgrade path and it completed as expected. Once the switch restarted everything came back online as normal and the client complaints went away. FYI this switch was on 1.5.11

All of our other Netonix switches didn't seem to be affected, they were on 1.5.14 - I upgraded all of them first including the DC ones and changed the passwords for good measure.

all in all another 12 years removed from my projected lifespan but it would be really useful to understand the attack vector on this. the switch didnt have any incoming public access so how was the hack made possible?

Thanks for the update
I am looking st it now and contacted Stephen is out of position but will be back in an hour or so.

So it has been reported up to v1.5.14 ???
I saw it on v1.5.12 in my net did what you did to 1 of 2 switches leaving the other for Stephen to look deeper at it.

I assume one could do an SSH upgrade as well.

Question is did v1.5.16 patch it or will we have to release a patch????

Will keep you all posted.

But more feed back from users on versions infected I assume v1.5.14 and older, did upgrade recover things.

If v1.5.16 is not vulnerable it will come back.

[Digitexwireless]

My only infected unit is on .14. The /main.html works and will upgrade tonight when the customer usage is lower. CPU is running close to 100%. SSH on this unit was disabled already.

[sirhc]

My only infected unit is on .14. The /main.html works and will upgrade tonight when the customer usage is lower. CPU is running close to 100%. SSH on this unit was disabled already.

Well the CPU does spike to 100% when you first login (small cpu) then calms down in 10-20 seconds.

So we have found that the switch is infected with a file that does not belong there which is "index.html"

If you SSH into the switch and drop to shell with the "cmd" or via the browser console and drop to to shell with the same command. Then delete index.html with "rm index.html"

Then issue this command to restart lighttpd "/etc/init.d/lighttpd restart"

It will clear this file from the system. You should be able to then login to the website like normal and the excess usage blocking other service's will stop.

You can check that this worked as well by running:
ps aux | grep lighttpd

If virtual memory usage is greater than 10K, then it is still infected, when it's gone it will be at around 7K per process (usually 3 or more).

At this point we are not sure how they are getting access to write the file.

But there is a vulnerability in the switch that allows this we are not sure but think it has to do with the web server version. Potentially openssl as well, but based on our analysis so far it appears to be the server.

We will continue to research this and hopefully figure it out and post more info here and then a patch after we figure it out.

Anyone want to copy that file off their switch "/www/index.html" and analyze it feel free.

Look at the time stamp on your index.html (IF INFECTED) it should say Aug 1 2024 5AM+/- EST. If you notice a vastly different time please let us know. This indicates a PUSH. If your switch is inside a NAT or on a non routed IP this means you have a hole, an infected machine with a malware or such that allows them inside.

As stated we will be looking into this to find the hole in our firmware and fix but you now know you can easily fix a switch as instructed above and do not need to upgrade (but should be up to date) or even reboot your switch, so your net does not need to go down.

[sirhc]

Also another note:

Some anti-virus software such as Avast "MAY" prevent you from connecting to the switch UI. We think this is from them trying to detect sites with vulnerability or once it sees an infected switch may create a quasi list of sites that look like this.

So if you can not connect to the switch site {UI} at all in the case of Avast you have do disable it or disable "Web Shield" under "Core Shields" under "Protection" in the Avast Control Center.

All my computers at my PA house have AVAST and 1 had to disable Web Shield the others NOT???

Im headed down to my Florida house today to get my son ready to enroll in college but Stephen will be working on this today.

We are pretty sure this is a vulnerability in our switch web server lighttpd and this infection is generic in nature and would infect any embedded device using it that did not change the default config on first files to run so had we changed the default "main.html" would not have been in the list of pages to run first as we do not use it.

UPDATE - IF AVAST IS FULLY UPGRADED AND YOU REBOOT IT AS REQUESTED IT PREVENTS SWITCH WEB UI ACCESS SEE POST BELOW

[mhoppes]

We are pretty sure this is a vulnerability in our switch web server lighttpd and this infection is generic in nature and would infect any embedded device using it that did not change the default config on first files to run so had we changed the default "main.html" would not have been in the list of pages to run first as we do not use it.

But how was a new file uploaded?

I will say I've noticed something odd in the way the Netonix switches handle session authentication in that I can get information to/from the switch with an invalid session (At least for a brief period of time) before it kicks me back to the login page.

So -- if I HAD a session established with the switch, say close my browser and go back a few days later and open it up, I will start to see data from the switch ports and can briefly interact with the switch before being dumped out to the login page with a session timeout telling me I have to log back in. Not sure if that might be related.

REGARDLESS -- Vulnerability or otherwise.... this still says that the individual did not properly isolate their management network and has other infected machines on the network that infected the switch I would think.

[mhoppes]

So... I am NOT a programmer... but from a very quick look at main.html it *seems* to me like security is being handled by a Javascript entry???? Why is it not being handled by PHP sessions on the webserver side. Rather, it *seems* to be handled by the browser on the local side.

This would explain why I can see switch information on an invalid session, until the local script realizes I should have to login again.

This seems like a serious security issue if it's the case.

[mhoppes]

One more quick note... even things like the tarpitting seem to be handled on the browser side of things, rather than the webserver side of things. Never gave any of this a second thought, because management isolation... but just my thoughts and comments this morning.

[mhoppes]

I just verified... I can log into a switch, destroy the session on the local browser side.... and still interact with the web interface and see real-time information updating (this shouldn't be able to happen if the session is destroyed and appears to be an attack vector).

[sirhc]

So... I am NOT a programmer... but from a very quick look at main.html it *seems* to me like security is being handled by a Javascript entry???? Why is it not being handled by PHP sessions on the webserver side. Rather, it *seems* to be handled by the browser on the local side.

This would explain why I can see switch information on an invalid session, until the local script realizes I should have to login again.

This seems like a serious security issue if it's the case.

Yea, no, security is NEVER handled on client side. I could go into long discussion why you get stats after session but not now, getting ready for flight but that is not the issue.

If you want to learn more about lighttpd vulnerability. It effects millions upon millions of devices and was recently discovered. You will more then likely hear about this on the news soon and not focused on tiny little netonix. Its simply a hack into a VERY popular web server used on embed devices.

Similar to the porn hack many years ago on UBNT devices that directed WISP customers to a porn picture no matter what site destination his customer went to. Luckily this can be fixed remotely he had to visit each device and flash the radio.