HELP- Netonix Virus?

[sirhc]

Yea if you read thread one infected person had SSH disabled so doubt this came via SSH.

99% SURE ITS A LIGHTTPD VULNERABILITY

We pretty sure it's from a push from a bot net and switch has to be on public ip with no access control list or inside no public IP with an infected machine inside sub net.

It appears to only look for devices in same subnet as infected device that gave it access to subnet via layer 1 or probably layer 2 (sub net).

We did not determine if one switch in a subnet would replicate to another will be testing that when I get to house in Florida tomorrow.

[sirhc]

Well after going into the field all day yesterday and upgrading all our switches to 1.5.16.

If the device has 1.5.12 in it, then you MUST first upgrade to 1.5.14, then to 1.5.16, you can not go directly to 1.5.16, it will fail.

That's not always true depends on how old the switch is. On older units like 8+ years old that may happen.

But if your switch is not super old v1.5.12 to v1.5.16 works fine. You'll know it does not work as it hangs after file upload. If happens refresh page then try v1.5.14 then v1.5.16

Again how this happened is pretty well explained above. Read whole thread.

This hack will effect ANY embedded device using lighttpd older version or maybe all still investigating.

We are sorry but shit happens and this will not be limited to netonix and luckily the person was not an animal he could have been destructive.

[sirhc]

Not sure why you went into field this can be remotely fixed and if you don't want to upgrade can be fixed not patched without service interruption.

[Stephen]

One more note for anyone who is worried about it. This is NOT the FBI. They would have followed proper procedure and you would have been contacted before this occurred or quickly after. Operation PowerOFF has been in effect for several years so images like this are publically available and the attacker is just using it with the intent of causing panic.

Here is some more information about the image as evidence.
The image metadata seems to indicate that the original image was probably stored on facebook. So the attacker likely copied it from a post there and added it into the malicious program.

In case anyone else has some expertise in this area, I used exiftool to extract metadata from the image and it gives back the following information:

ExifTool Version Number : 12.92
File Name : FBI-image.jpg
Directory : .
File Size : 87 kB
File Modification Date/Time : 2024:08:01 22:37:02-04:00
File Access Date/Time : 2024:08:01 22:37:07-04:00
File Inode Change Date/Time : 2024:08:01 22:37:02-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Current IPTC Digest : de721e4e501311c7a62cd0d22c5bf37f
Special Instructions : FBMD0a000a7001000064190000c13e00001f490000bd4f0000d1950000f3d40000dfda000040e700007fef00007b520100
Image Width : 960
Image Height : 500
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 960x500
Megapixels : 0.480

It appears the "Special Instructions" tag is a known mark for images loaded to facebook:
https://stackoverflow.com/questions/311 ... n-facebook

[wtm]

So this is what we have in the log on some of our units this morning:


Aug 2 10:20:47 monitor: restarting lighttpd
Aug 2 10:20:59 monitor: restarting lighttpd
Aug 2 10:21:11 monitor: restarting lighttpd
Aug 2 10:21:23 monitor: restarting vtss_appl
Aug 2 10:21:24 monitor: restarting lighttpd
Aug 2 10:21:36 monitor: restarting vtss_appl
Aug 2 10:21:37 monitor: restarting lighttpd
Aug 2 10:21:50 monitor: restarting lighttpd
Aug 2 10:22:02 monitor: restarting lighttpd
Aug 2 10:22:15 monitor: restarting lighttpd
Aug 2 10:22:27 monitor: restarting lighttpd
Aug 2 10:22:39 monitor: restarting lighttpd
Aug 2 10:22:52 monitor: restarting lighttpd
Aug 2 10:23:05 monitor: restarting lighttpd
Aug 2 10:23:17 monitor: restarting lighttpd
(Times are Not accurate as NTP client does not see the internet to set time and date)


These units have been upgraded to version 1.5.16 firmware. Only some units are having the problem so far, not all. We also do not seem to be getting the FBI image on them, but we do seem to be getting a "Loop" on the incoming network port to them causing the unit to block the port for 180 seconds. Log states "loop back on self" for that port.

More:

Aug 2 10:29:31 monitor: restarting lighttpd
Aug 2 10:29:31 Loop protection: detected loop from port 2 to port 2, disabling port 2 for 180 seconds
Aug 2 10:29:32 monitor: restarting shellinaboxd
Aug 2 10:29:44 monitor: restarting vtss_appl
Aug 2 10:29:44 monitor: restarting lighttpd
Aug 2 10:29:46 monitor: restarting shellinaboxd
Aug 2 10:29:58 Loop protection: detected loop from port 2 to port 2, disabling port 2 for 180 seconds
Aug 2 10:29:58 monitor: restarting lighttpd

[joeyr-stc]

I had this happen to me and my switch is on 1.5.16.

Is the index.html file the only thing that was compromised?
If so, I can console in and delete that file.

Will a factory default restore the www directory back to what it should be (in other words, remove the index.html file and any other files that may have been compromised)?


Also, some insight into why this happened. PHP vulnerability (after all it is version 5)? Maybe a lighttpd vulnerability?

[wtm]

Just checked the version of Lighttpd in my "Upgraded 1.5.16 Netonix switch" it is 1.4.41 Lighttpd is currently using version 1.4.76 of which there has been several patches due to exploits to the program.

I think a new firmware upgrade is due from Netonix (hopefully quickly) with a newer version of Lighttpd in it !

[joeyr-stc]

I had this happen to me and my switch is on 1.5.16.

Is the index.html file the only thing that was compromised?
If so, I can console in and delete that file.

Will a factory default restore the www directory back to what it should be (in other words, remove the index.html file and any other files that may have been compromised)?


Also, some insight into why this happened. PHP vulnerability (after all it is version 5)? Maybe a lighttpd vulnerability?

I didn't realize this post was being updated so quickly and I posted without reading all the previous post.
I think Stephen has pretty much answered most of this.

FYI - We usually have our switches management locked down so only we can access them. However, this particular switch was not, and was therefore open to the Internet. That explains why it is the only one that was compromised (at least as far as I know).

Looking forward to that next firmware update .

[wtm]

Just updating them to the new firmware (1.5.16) is NOT fixing the problem. They still have a problem with Lighttpd, as per our logs the program keeps having to re-start about every minute. So there may still be some lagging exploit in the switch? The current Lighttpd program (1.4.41) in the Netonix is way behind what the Lighttpd developers have on their website (1.4.76). There has been several bugs and hacks that have been patched since then, this may have been one of them?

Just saying !

[sirhc]

Just updating them to the new firmware (1.5.16) is NOT fixing the problem. They still have a problem with Lighttpd, as per our logs the program keeps having to re-start about every minute. So there may still be some lagging exploit in the switch? The current Lighttpd program (1.4.41) in the Netonix is way behind what the Lighttpd developers have on their website (1.4.76). There has been several bugs and hacks that have been patched since then, this may have been one of them?

Just saying !

We never claimed it fixed the hole just cleared the hack. If you do not have the index.html your not hacked and problems can't linger not how it works.

Read whole thread and if the switch is not infected look at other issues.