Are there any known Exploits on Netonix?
I just logged into one and found these processes running:
2875 admin 196 R ./Demon.mpsl
3294 admin 196 S ./Demon.mpsl
3379 admin 196 S ./badbox
4038 admin 188 S ./loligang.mpsl
4039 admin 188 S ./loligang.mpsl
4041 admin 472 R ./loligang.mpsl
4043 admin 472 R ./loligang.mpsl
Netonix Exploit?
-
mhoppes - Associate
- Posts: 664
- Joined: Thu Apr 10, 2014 9:14 pm
- Location: Pennsylvania
- Has thanked: 10 times
- Been thanked: 125 times
Re: Netonix Exploit?
Do files loaded into the file system through scp survive reboot? Would be nice to get a reply to this considering the security implications. I found these processes sending about 20 megabits of traffic to Russia.
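A triage pass over the process listing quoted in the first post, added here as an example and not part of the original thread or of Netonix firmware. It assumes the columns are PID, USER, VSZ, STAT, COMMAND; the baseline daemon lines and the architecture-suffix list are constructed for illustration.

```python
import re
from collections import defaultdict

# Process lines copied from the post above (assumed columns: PID USER VSZ STAT COMMAND).
PS_OUTPUT = """\
2875 admin 196 R ./Demon.mpsl
3294 admin 196 S ./Demon.mpsl
3379 admin 196 S ./badbox
4038 admin 188 S ./loligang.mpsl
4039 admin 188 S ./loligang.mpsl
4041 admin 472 R ./loligang.mpsl
4043 admin 472 R ./loligang.mpsl
"""
# Constructed lines standing in for normal firmware daemons (hypothetical names).
BASELINE_SAMPLE = """\
1 admin 1480 S init
912 admin 1020 S /usr/sbin/example-daemon -p 22
"""
# Heuristic (assumption): CPU-architecture suffixes on a binary name suggest a
# cross-compiled drop rather than a daemon shipped in the firmware image.
ARCH_SUFFIX = re.compile(r"\.(mpsl|mips|arm\d*|x86|ppc|sh4)$", re.I)

def parse_ps(text):
    """Return one dict per well-formed ps line; skip headers and blank lines."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[0].isdigit():
            pid, user, _vsz, stat, cmd = parts
            procs.append({"pid": int(pid), "user": user, "stat": stat, "cmd": cmd})
    return procs

def triage(text):
    """Group flagged processes by executable, with PIDs and the reasons flagged."""
    findings = defaultdict(lambda: {"pids": [], "reasons": set()})
    for proc in parse_ps(text):
        exe = proc["cmd"].split()[0]
        reasons = set()
        if exe.startswith("./"):  # started from a working directory, not a system path
            reasons.add("relative-path launch")
        if ARCH_SUFFIX.search(exe):
            reasons.add("arch-suffixed name")
        if reasons:
            findings[exe]["pids"].append(proc["pid"])
            findings[exe]["reasons"] |= reasons
    return dict(findings)

if __name__ == "__main__":
    for exe, info in triage(PS_OUTPUT + BASELINE_SAMPLE).items():
        print(exe, info["pids"], sorted(info["reasons"]))
```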
-
sirhc - Employee
- Posts: 7415
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: Netonix Exploit?
Not aware of any current security holes. The last hole was a vulnerability in the web service we use, but it was patched. But:
You're using v1.5.0, which is 15 months old; we are on v1.5.4 or v1.5.5rcX.
Also, I would never have my switches on a public IP, and if I did for some strange reason I would use the access control list; that is what the access control list is for.
https://forum.netonix.com/viewtopic.php?f=17&t=5610&p=30090&hilit=+firmware+security#p30090
No one else has reported a hack as of yet. I can ask Stephen and Eric to check if there is a new hack for any of the services like web or SSH, as they are open source packages; we do not write them.
But as I said, I would never put infrastructure on a routable IP, and if I had to I would use the Access Control List to lock it down, and that was improved in, I think, v1.5.1 - Fixed UI bug in Access Control List
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
sirhc - Employee
Re: Netonix Exploit?
mhoppes wrote: Do files loaded into the file system through scp survive reboot? Would be nice to get a reply to this considering the security implications. I found these processes sending about 20 megabits of traffic to Russia.
To clear uploaded scripts you need to factory default it.
Why is your switch even routable to the world?
-
mhoppes - Associate
Re: Netonix Exploit?
So I take that back. It’s on 1.5.4.
It’s a special case - not my network.
Working slowly on getting things squared away. But yes, it’s on a public IP with a complex password.
-
sirhc - Employee
Re: Netonix Exploit?
mhoppes wrote: So I take that back. It’s on 1.5.4.
It’s a special case - not my network.
Working slowly on getting things squared away. But yes, it’s on a public IP with a complex password.
So if it is behind a NAT with a port mapping, then you need to set up an access list on the router, as the switch Access Control List will always see the NAT router as the source IP.
If it has a valid, directly routable IP address, you can simply use the built-in Access Control List.
The programmers are coming up here for a week soon, so I will have them look for any patches to any open source packages we use, like web and SSH, and have them compiled into the next release.
-
mhoppes - Associate
Re: Netonix Exploit?
I understand about the access list -- but that doesn't change the fact that I found rogue code on this unit.
-
sirhc - Employee
Re: Netonix Exploit?
mhoppes wrote: I understand about the access list -- but that doesn't change the fact that I found rogue code on this unit.
Matt, at this point we have no idea if this is an exploit or not.
I told you how to clear the scripts (factory default unit - may need to do power on factory default) and that you should apply an access control list to prevent future hacks, which is the best I can do for now.
What is known:
- So far you are the first and only one to report this since the last exploit was patched.
- You have the unit accessible from the web without an access control list, which is a big no-no in my opinion for WISPs, but still we should always try to make sure they are as secure as possible.
Possibilities:
- They hacked your password.
- One of your computers that access the switch has malware that gave them the IP and password of your switch.
- There is another exploit to one of the modules we use such as the web service or SSH.
We have said we will look for any known exploits to the services we use in the firmware and if there is and there is a new patch we will release a new code with the new modules compiled in as soon as possible like last time.
So in the past year I have seen security exploits to UBNT gear and Cisco, it happens. The best a manufacturer can do is patch them when they are discovered and reported. UBNT and Cisco are BILLION dollar companies and it happens to them. As well as banks, Amazon, and so on. Are we supposed to be better and never have exploits? Not to mention at this point we are not sure what happened, or if it is an exploit to a package we did not write but simply use in our firmware build.
What would you like us to do that is different than I said we would do?