HELP- Netonix Virus?

[sirhc]

I worded things not exact but close enough but I'm on my phone driving so will put up better more exact post soon.

[sakita]

Could SSH be used to add the firewall settings? Then after that would upgrading either using Netonix Manager or going to https://xxx.xxx.xxx.xxx/main.html (to avoid running the bad html) be advisable / practical?

Getting a game plan together to go with the upcoming firmware updates...

[sirhc]

Yea you can do everything via ssh and do the upgrade via SSH there is a thread on how.

But if you ssh into it and index.html is not there just use a known clean computer to UI in then logout then SSH back in or still connected and if index.html is not there just use log back in with UI and do what you want contantly checking via SSH for index.html???

[ted.walsh]

I’m sorry, I just don’t buy the whole ‘you must have an infected pc’ thing. there are just too many of us with the problem. I also dont buy the public access to the switch UI. I’ve been through my public gateways and none of them have anything relating to port forwarded etc configured to our management network.
I became concerned that the switch OS was in some way ‘phoning home’ for what ever reason as this fit the likelihood so as part of trying to stop whatever it is I configured a black hole ip as the switch gateway, after all why should it need a gateway?. all of a sudden the switch stated to perform as expected i.e the previously reported ping drops and constant pauses/restarts etc went away and things got ‘back to normal’ the only problem was it trashed some other element of the stack or hung an internal process and now I cannot ping or log into the switch but it continues to function as you would expect. In the one proven case I have the switch is 700 miles away so not one to ‘pop round’ for a quick factory reset….

[sirhc]

With AVAST antivirus blocking our switch UI its not because it is infected it blocks it because of the lighttpd version, this was a very recent upgrade from Avast.

So instead of disabling Avast or disabling Avast Core/Web Shield you can simply add an exception in Avast for your switch addresses.

To add exceptions click MENU then select Settings then Exceptions and add your switch IPs

[sirhc]

I’m sorry, I just don’t buy the whole ‘you must have an infected pc’ thing. there are just too many of us with the problem. I also dont buy the public access to the switch UI. I’ve been through my public gateways and none of them have anything relating to port forwarded etc configured to our management network.
I became concerned that the switch OS was in some way ‘phoning home’ for what ever reason as this fit the likelihood so as part of trying to stop whatever it is I configured a black hole ip as the switch gateway, after all why should it need a gateway?. all of a sudden the switch stated to perform as expected i.e the previously reported ping drops and constant pauses/restarts etc went away and things got ‘back to normal’ the only problem was it trashed some other element of the stack or hung an internal process and now I cannot ping or log into the switch but it continues to function as you would expect. In the one proven case I have the switch is 700 miles away so not one to ‘pop round’ for a quick factory reset….

Ok then, simple Example:
Say you have a switch inside your network on an INVALID IP address, 10.0.0.1

How could the hacker get to the switch from outside your network.

If your switch is at an INVLID NON ROUTABLE IP please tell me how it could get infected from outside your network UNLESS you have a computer that has internet access plus access to your private network?

If your switch is located on a PUBLIC routed network and you enabled our Access Control list and it can only be accessed by your IP address(es) then how did the hacker get to it?

Explain any situation that would permit that?

In my case I had 2 switches at my WISP office inside a NAT but I had an OLD linux server there that runs the OLD AirControl and a couple little things. It can be reached from the web from a valid IP and can reach inside my NAT so that is how I had those 2 switches compromised. I think that is my hole / springboard inside my network.

But please feel free to give me your hypothesis on another scenario that would allow a hacker access to a switch inside a NAT or on a non routed IP or even a routed IP but with an Access Control List restricting access to limited IPs?

Our switches DO NOT PHONE home.

You can verify this by simply putting up a spare switch and monitoring it with wire shark.

WE DO NOT HAVE THE SWITCHES PHONE HOME, PERIOD!

If we did and claim not to we would be liable, and we have and still do 100% state we do not have the switch try to communicate with us or anyone.

Now you did read about AVAST latest update blocks our UI even if not infected, if not read above in thread.

But clear your mind of our switches phoning home or initiating communications out, your not helping, and your wasting your time and getting us off point.

[Stephen]

We have new firmware out, wispswitch-1.5.17rc1
viewtopic.php?f=17&t=240 - firmware download
viewtopic.php?f=17&t=8069 - firmware thread

This one might prevent the malicious code from reaching the switch as we have fixed a few CVE's. But we think it's more likely it may help reduce the impact of the malicious code while we work on a more permanent solution. Stay tuned, rc2 is coming. But this version does not prevent the index.html file from being placed there it just will not execute it so should have no adverse effects on the switch.

If using AVAST you still need an exception for the switch IP in their exception list until we get lightttpd upgraded a few more versions as it will refuse to talk to this version of lighttpd.

[Dawizman]

Without going through all the back and forth in this thread, is it safe to assume that this is akin to the MFer worm for ubiquiti, and requires at least one Netonix device with management access exposed to the internet?

[rockhead]

Walking way out on a limb here ...
This is not like the mf worm in that it had no notable L2 propagation on my network. I will bet $1 (my maximum bet on tech issues) that the attack vector was based on studious webcrawling / IP /port scans and then from that compiled list the attack was performed.
I had a long forgotten port forward setup where I got bit ie time to polish up my security audit.

[rockhead]

So this 'symptom' appeared in the log on a unit that was cleaned and upgraded to 1.5.16 ...


Aug 6 06:23:35 monitor: restarting shellinaboxd
Aug 6 06:23:48 monitor: restarting shellinaboxd
Aug 6 06:24:01 monitor: restarting shellinaboxd
Aug 6 06:24:15 monitor: restarting shellinaboxd
Aug 6 06:24:28 monitor: restarting shellinaboxd
Aug 6 06:24:41 monitor: restarting shellinaboxd
Aug 6 06:24:55 monitor: restarting shellinaboxd
Aug 6 06:25:08 monitor: restarting shellinaboxd
Aug 6 06:25:22 monitor: restarting shellinaboxd
Aug 6 06:25:36 monitor: restarting shellinaboxd
Aug 6 06:25:49 monitor: restarting shellinaboxd
Aug 6 06:26:02 monitor: restarting shellinaboxd
Aug 6 06:26:16 monitor: restarting shellinaboxd
Aug 6 06:26:29 monitor: restarting shellinaboxd
Aug 6 06:26:42 monitor: restarting shellinaboxd