Are there any known Exploits on Netonix?
I just logged into one and found these processes running:
2875 admin 196 R ./Demon.mpsl
3294 admin 196 S ./Demon.mpsl
3379 admin 196 S ./badbox
4038 admin 188 S ./loligang.mpsl
4039 admin 188 S ./loligang.mpsl
4041 admin 472 R ./loligang.mpsl
4043 admin 472 R ./loligang.mpsl
Netonix Exploit?
-
mhoppes - Associate
- Posts: 664
- Joined: Thu Apr 10, 2014 9:14 pm
- Location: Pennsylvania
- Has thanked: 10 times
- Been thanked: 125 times
Re: Netonix Exploit?
Do files loaded into the file system through scp survive reboot? Would be nice to get a reply to this considering the security implications. I found these processes sending about 20 megabits of traffic to Russia.
-
sirhc - Employee
- Posts: 7416
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: Netonix Exploit?
Not aware of any current security holes, last hole was a vulnerability in the web service we use but was patched, but:
Your using v1.5.0 which is 15 months old, we are on v1.5.4 or v1.5.5rcX
Also I would never have my switches on a public IP and if I did for some strange reason I would use the access control list, that is what the access control list is for.
https://forum.netonix.com/viewtopic.php?f=17&t=5610&p=30090&hilit=+firmware+security#p30090
No one else has reported a hack as of yet, I can ask Stephen and Eric to check if there is new hack for any of the services like web or SSH as they are open source packages we do not write them.
But as I said I would never put infrastructure on a routable IP and if I had to I would use the Access Control list to lock it down and that was improved in I think v1.5.1 - Fixed UI bug in Access Control List
Your using v1.5.0 which is 15 months old, we are on v1.5.4 or v1.5.5rcX
Also I would never have my switches on a public IP and if I did for some strange reason I would use the access control list, that is what the access control list is for.
https://forum.netonix.com/viewtopic.php?f=17&t=5610&p=30090&hilit=+firmware+security#p30090
No one else has reported a hack as of yet, I can ask Stephen and Eric to check if there is new hack for any of the services like web or SSH as they are open source packages we do not write them.
But as I said I would never put infrastructure on a routable IP and if I had to I would use the Access Control list to lock it down and that was improved in I think v1.5.1 - Fixed UI bug in Access Control List
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
sirhc - Employee
- Posts: 7416
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: Netonix Exploit?
mhoppes wrote:Do files loaded into the file system through scp survive reboot? Would be nice to get a reply to this considering the security implications. I found these processes sending about 20 megabits of traffic to Russia.
To clear uploaded scripts you need to factory default it.
Why is your switch even routable to the world?
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
mhoppes - Associate
- Posts: 664
- Joined: Thu Apr 10, 2014 9:14 pm
- Location: Pennsylvania
- Has thanked: 10 times
- Been thanked: 125 times
Re: Netonix Exploit?
So I take that back. It’s on 1.5.4.
It’s a special case - not my network.
Working slowly on getting things squared away. But yes, it’s on a public IP with a complex password.
It’s a special case - not my network.
Working slowly on getting things squared away. But yes, it’s on a public IP with a complex password.
-
sirhc - Employee
- Posts: 7416
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: Netonix Exploit?
mhoppes wrote:So I take that back. It’s on 1.5.4.
It’s a special case - not my network.
Working slowly on getting things squared away. But yes, it’s on a public IP with a complex password.
So if it is behind a NAT with a port mapping then you need to setup an access list on the router as the switch Access Control list will always see the NAT router as the source IP.
If it has a valid direct rout-able IP address you can simply use the built in Access Control List.
The programmers are coming up here for a week soon so I will have them look for any patches to any open source packages we uses like web and SSH and have them compiled in the next release.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
mhoppes - Associate
- Posts: 664
- Joined: Thu Apr 10, 2014 9:14 pm
- Location: Pennsylvania
- Has thanked: 10 times
- Been thanked: 125 times
Re: Netonix Exploit?
I understand about the access list -- but that doesn't change the fact that I found rouge code on this unit.
-
sirhc - Employee
- Posts: 7416
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: Netonix Exploit?
mhoppes wrote:I understand about the access list -- but that doesn't change the fact that I found rouge code on this unit.
Matt at this point we have no idea if this is an exploit or not.
I told you how to clear the scripts (factory default unit - may need to do power on factory default) and that you should apply an access control list to prevent future hacks, which is the best I can do for now.
What is known:
- So far you are the first and only one to report this since the last exploit was patched.
- You have the unit accessible from the web without an access control list which is a big no no in my opinion for WISP's but still we should always try to make sure they are as secure as possible.
Possibilities:
- They hacked your password.
- One of your computers that access the switch has malware that gave them the IP and password of your switch.
- Their is another exploit to one of the modules we use such as the web service or SSH.
We have said we will look for any known exploits to the services we use in the firmware and if there is and there is a new patch we will release a new code with the new modules compiled in as soon as possible like last time.
So in the past year I have seen security exploits to UBNT gear and Cisco, it happens. The best a manufacturer can do is patch them when they are discovered and reported. UBNT and Cisco are BILLION dollar companies and it happens to them. As well as banks, Amazon, and so on. Are we supposed to be better and never have exploits? Not to mention at this point we are not sure what happened, or if it is an exploit to a package we did not write but simply use in our firmware build.
What would you like us to do that is differnt than I said we would do?
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
Who is online
Users browsing this forum: No registered users and 44 guests