<div dir="ltr"><div><div>There's people on that forum running these radios with public addressing - I'm assuming with poor firewalling also (considering the fact that they got infected). The affected firmware is 12-18 months old.<br></div>I reckon if you're running radios accessible from the internet, with old software, you're asking to get compromised.<br><br></div>Ben<br><div><br><div class="gmail_quote"><div dir="ltr">On Sun, May 15, 2016 at 5:08 PM Skeeve Stevens <<a href="mailto:skeeve%2Bausnog@eintellegonetworks.com" target="_blank">skeeve+ausnog@eintellegonetworks.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Oh oh,<br clear="all"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:12.8000001907349px"><div style="font-size:12.8000001907349px"><br>...Skeeve</div><div style="font-size:12.8000001907349px"><br></div><div style="font-size:12.8000001907349px"><div><b style="font-size:13px;font-family:Calibri">Skeeve Stevens - Founder & The Architect</b><span style="font-family:Calibri;font-size:13px"> - eintellego Networks Pty Ltd</span></div><div><span style="font-size:13px;font-family:Calibri">Email: </span><a href="mailto:skeeve@eintellegonetworks.com" style="font-family:Calibri;font-size:13px" target="_blank">skeeve@eintellegonetworks.com</a><span style="font-family:Calibri;font-size:13px"> ; Web: </span><a href="http://eintellegonetworks.com/" style="font-family:Calibri;font-size:13px" target="_blank">eintellegonetworks.com</a></div><div><p style="color:rgb(0,0,0);font-family:Calibri;font-size:13px;margin:0px">Cell +61 (0)414 753 383 ; S<a>kype: skeeve ; </a>LinkedIn: <a href="http://linkedin.com/in/skeeve" target="_blank">/in/skeeve</a> ; Expert360: <a href="https://expert360.com/profile/d54a9" target="_blank">Profile</a> ; Keybase: <a href="https://keybase.io/skeeve" 
target="_blank">https://keybase.io/skeeve</a></p></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Phil Regnauld</b> <span dir="ltr"><<a href="mailto:regnauld@nsrc.org" target="_blank">regnauld@nsrc.org</a>></span><br>Date: Sun, May 15, 2016 at 4:59 PM<br>Subject: [SANOG] Ubiquiti AirOS/AirMax worm in the wild<br>To: <a href="mailto:sanog@sanog.org" target="_blank">sanog@sanog.org</a><br><br><br>Forwarding this from a colleague. The reference to the PHP exploit could<br>
be related, but either way, it's happening now.<br>
<br>
- - - -<br>
<br>
I'm told that the local WISP operator community is dealing with a new<br>
worm[1] that exploits Ubiquiti AirOS devices running older firmwares.<br>
This could potentially be a lot of devices.<br>
<br>
<a href="http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940" rel="noreferrer" target="_blank">http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940</a><br>
has ISPs from Spain, Brazil, and the US reporting infections in the<br>
last 24 hours.<br>
<br>
Versions prior to these are vulnerable:<br>
<br>
5.5.11 XM/TI<br>
5.5.10u2 XW<br>
5.6.2 XW/XM/TI<br>
<br>
There looks to be some more information here:<br>
<a href="https://hackerone.com/reports/73491" rel="noreferrer" target="_blank">https://hackerone.com/reports/73491</a><br>
<br>
If you know anyone who makes use of UBNT AirOS products, now might be<br>
a time to give them a nudge.<br>
<br>
<br>
[1] quote from the forums "It's a self-distributing virus, so, once it<br>
can "see" neighbour antennas within the same subnet, it attacks the<br>
others."<br>
<br>
- - - -<br>
</div><br></div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div></div></div>
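<p>Added example, not part of the original thread and not Ubiquiti tooling: a fleet audit that flags radios running firmware prior to the fixed releases listed in the forwarded message. It assumes each listed release is the first fixed build of its own 5.5 or 5.6 branch for that platform; the function names and the inventory rows are constructed for illustration.</p>

```python
import re

# Fixed releases named in the forwarded advisory, per platform and branch.
# Assumption: each one is the first fixed build of its own 5.5 / 5.6 branch.
FIXED = {
    "XM": {(5, 5): "5.5.11", (5, 6): "5.6.2"},
    "TI": {(5, 5): "5.5.11", (5, 6): "5.6.2"},
    "XW": {(5, 5): "5.5.10u2", (5, 6): "5.6.2"},
}
_VERSION = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:u(\d+))?")

def parse_version(text):
    """'5.5.10u2' -> (5, 5, 10, 2); a missing 'uN' suffix counts as update 0."""
    m = _VERSION.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def classify(platform, version):
    """Return 'vulnerable', 'fixed' or 'unknown' for one device."""
    branches = FIXED.get(platform.upper())
    if branches is None:
        return "unknown"            # platform not covered by the advisory
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"            # unparseable: needs a manual look
    fixed = branches.get(v[:2])
    if fixed is None:
        # Unlisted branch: older than all listed is prior; newer is assumed fixed.
        return "vulnerable" if v[:2] < min(branches) else "fixed"
    return "vulnerable" if v < parse_version(fixed) else "fixed"

def audit(inventory):
    """Group hosts by status; inventory rows are (host, platform, version)."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, platform, version in inventory:
        report[classify(platform, version)].append(host)
    return report

# Constructed inventory (documentation addresses), not data from the thread.
SAMPLE = [
    ("192.0.2.10", "XM", "5.5.10"),
    ("192.0.2.11", "XW", "5.5.10u2"),
    ("192.0.2.12", "XW", "5.5.10"),
    ("192.0.2.13", "TI", "5.6.2"),
    ("192.0.2.14", "AC", "7.1"),
]
```

<p>Hosts reported as unknown are not cleared; they are devices the listed versions do not let the script decide on.</p>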