HELP- Netonix Virus?

[sirhc]

So this 'symptom' appeared in the log on a unit that was cleaned and upgraded to 1.5.16 ...

Yes if you read the thread you would know v1.5.16 does not fix it

There is a v1.5.17rc1 which helps and prevents THIS hack from running. We are working on a complete fix to plug the hole and will be released as soon as possible.

[Stephen]

Quick update. rc2 is coming along, it has several dramatic upgrade's that should greatly improve the security of the switch, we are hoping to have it ready soon, ideally, by the end of this week.

[Stephen]

rc2 is now up. These upgrades should hopefully close this hole.

However, please read the release notes before upgrading:
viewtopic.php?f=17&t=8069

rc2 download - firmware/wispswitch-1.5.17rc2.bin

[sdwisp]

Hacked again this morning right at midnight running 1.5.17rc2. Anyone have have a fix for this? same log
restarting lighttpd
Jan 2 09:31:14 monitor: restarting vtss_appl
Jan 2 09:31:49 monitor: restarting vtss_appl
Jan 2 09:32:13 monitor: restarting vtss_appl
Jan 2 09:32:49 monitor: restarting vtss_appl
Jan 2 09:33:02 monitor: restarting vtss_appl
Jan 2 09:33:38 monitor: restarting vtss_appl
Jan 2 09:33:50 monitor: restarting vtss_appl
Jan 2 09:35:01 monitor: restarting vtss_appl
Jan 2 09:35:01 monitor: restarting shellinaboxd


All time/date and power settings are also now wrong

[sirhc]

You had the FBI page?

[sdwisp]

No, there is no FBI page this time but same virus... high cpu and same log

[allstarcomps]

Same hack different IP: 209.141.51.21 DNS: mails0.lillekarrmaleri.se

Netonix switches with outbound connections to that IP on port 36508.

we changed the firewall to block outbound connections to 36508.

[sirhc]

It's not the same vulnerability, that has been patched.

Are your switches on accessible IPs and if so are you using the access control list? If not someone can be pounding your switch trying to access it which can burry the small embedded cpu and bad things can happen.

Are you polling this switch with SNMP, if so how often. You should not poll the switch more then once every minute as the switches little cpu gets overwhelmed and bad things happen.

[bryant]

We have also had to cases of the FBI warning pop occur and as of today we had the following:

hello netonix staff team, the vulnerability is for sale contact me on session to negotiate: "05362fccbb42e38b5f7ab3568801dc688c41ca97589ec58bead6535823cc8ccc26"


Do we know what the specific root cause is and when a permanent fix is coming?

[sirhc]

We have also had to cases of the FBI warning pop occur and as of today we had the following:

hello netonix staff team, the vulnerability is for sale contact me on session to negotiate: "05362fccbb42e38b5f7ab3568801dc688c41ca97589ec58bead6535823cc8ccc26"


Do we know what the specific root cause is and when a permanent fix is coming?

The vulnerability that caused the fake FBI page HAS BEEN FIXED in v1.5.17rc2

The cause was a vulnerability in the following modules we use: lighttpd and openssl

We upgraded those modules in v1.5.17rc2

If your running v1.5.17rc2 then your good.