Lots of weird traffic from CCR1009 to UBNT Nanostation

Hi guys

I first posted over on the UBNT forums: https://community.ubnt.com/t5/airOS-Software-Configuration/Tonnes-of-Dropbear-log-entries-from-my-default-gateway/m-p/2148484#M48642

I noticed this when setting up my new UNMS server for AirMax monitoring. After some Torch analysis I saw that a lot of the random ports listed in the other post were to do with DNS, but there were also a couple of SSH entries.

All the traffic is coming from the management subnet's default gateway, namely the CCR1009. There are no port forwarding rules going to any nanostations, and there is a block rule for inter-VLAN chatter as well as a rule to block VLAN traffic from the management subnet.

Can anyone identify what is going on here? Happy to post extra info at your request.

Cheers

Hi,

Can you maybe post a screenshot of that strange traffic you see when running torch?

Sure, here you go:
unms dropbear.PNG

Although that image seems to think the nanostation is trying to establish SSH with the router :neutral_face:

Your Ubiquiti has been hacked? There are worms for those devices that spread through your network.

Thanks

The firmware is already up to date, I changed the password but the logs persisted, then I changed the default SSH port and the logs stopped.

Does that tell me that it was something externally trying to get in or is it still likely an infected radio?

Just to test the router I disabled all but my admin account and reset the password, then set SSH on the nanostation back to 22. Logs started again.

Here’s torch running on management subnet looking for SSH connections

mikrotik ssh.PNG

I think it is an infected radio attempting to spread the worm to others.
I don’t know how you can repair that, info should be on the UBNT forums.
(I only read about this problem and the many attempts UBNT have made to secure their radios, every time still not fixing it completely)

Thanks, I’ve asked on the other UBNT thread what they think.

The latest news I can see of a UBNT worm was early last year, and these points were installed well after that so hopefully it’s not a worm. I’m not ruling anything out though.

UPDATE

It was The Dude Server! I’m an idiot.
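For anyone landing here with the same symptom: the thread's two hypotheses (a worm spreading between radios versus a monitoring server polling them) leave different fingerprints in the radio's Dropbear log, and that is quicker to check than changing ports. The script below is an added example, not code from the thread or from Ubiquiti/MikroTik. It parses constructed log lines modelled on Dropbear's syslog messages (`Child connection from`, `Exit before auth`, `Bad password attempt for`, `Password auth succeeded for`; verify the wording against your own airOS logs), groups them by source address, and gives a verdict per source: many connections at a steady interval with no failed logins looks like a poller such as The Dude or UNMS, while bursts of bad password attempts for default usernames look like credential guessing. The addresses 10.10.0.1 and 10.10.0.55 and the 60-second interval are assumptions made up for the sample.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample (not the poster's logs), formatted like Dropbear on airOS.
# 10.10.0.1 is a hypothetical gateway that opens port 22 every 60 s and disconnects
# before authenticating; 10.10.0.55 is a hypothetical host trying default passwords.
SAMPLE_LOG = """\
Jan 10 10:00:00 NanoStation dropbear[1201]: Child connection from 10.10.0.1:41022
Jan 10 10:00:00 NanoStation dropbear[1201]: Exit before auth: Disconnect received
Jan 10 10:01:00 NanoStation dropbear[1210]: Child connection from 10.10.0.1:41034
Jan 10 10:01:00 NanoStation dropbear[1210]: Exit before auth: Disconnect received
Jan 10 10:02:00 NanoStation dropbear[1222]: Child connection from 10.10.0.1:41051
Jan 10 10:02:00 NanoStation dropbear[1222]: Exit before auth: Disconnect received
Jan 10 10:03:00 NanoStation dropbear[1237]: Child connection from 10.10.0.1:41060
Jan 10 10:03:00 NanoStation dropbear[1237]: Exit before auth: Disconnect received
Jan 10 10:00:03 NanoStation dropbear[1300]: Child connection from 10.10.0.55:50001
Jan 10 10:00:03 NanoStation dropbear[1300]: Bad password attempt for 'ubnt' from 10.10.0.55:50001
Jan 10 10:00:04 NanoStation dropbear[1301]: Child connection from 10.10.0.55:50002
Jan 10 10:00:04 NanoStation dropbear[1301]: Bad password attempt for 'admin' from 10.10.0.55:50002
Jan 10 10:00:09 NanoStation dropbear[1302]: Child connection from 10.10.0.55:50003
Jan 10 10:00:09 NanoStation dropbear[1302]: Bad password attempt for 'ubnt' from 10.10.0.55:50003
"""

IP = r"\d+(?:\.\d+){3}"
# Patterns modelled on Dropbear's messages; assumed format, check against your own logs.
CONN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dropbear\[\d+\]: "
    rf"Child connection from (?P<ip>{IP}):\d+"
)
BAD_PW_RE = re.compile(rf"Bad password attempt for '(?P<user>[^']*)' from (?P<ip>{IP}):\d+")
AUTH_OK_RE = re.compile(rf"Password auth succeeded for '(?P<user>[^']*)' from (?P<ip>{IP}):\d+")


def summarize(log_text):
    """Per source IP: sorted connection timestamps, failed/successful logins, usernames seen."""
    stats = defaultdict(lambda: {"timestamps": [], "bad_passwords": 0, "auth_ok": 0, "users": set()})
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, fine for differences
            stats[m["ip"]]["timestamps"].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
            continue
        m = BAD_PW_RE.search(line)
        if m:
            stats[m["ip"]]["bad_passwords"] += 1
            stats[m["ip"]]["users"].add(m["user"])
            continue
        m = AUTH_OK_RE.search(line)
        if m:
            stats[m["ip"]]["auth_ok"] += 1
            stats[m["ip"]]["users"].add(m["user"])
    for s in stats.values():
        s["timestamps"].sort()
        s["connections"] = len(s["timestamps"])
    return dict(stats)


def classify(s, min_polls=3, max_jitter=0.2):
    """Heuristic verdict for one source: failed logins win over everything else;
    otherwise a steady inter-connection interval (low relative jitter) means a poller."""
    if s["bad_passwords"] > 0:
        return "credential guessing"
    if s["connections"] >= min_polls:
        ts = s["timestamps"]
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            return "periodic polling"
    return "unclassified"


def classify_sources(log_text):
    return {ip: classify(s) for ip, s in summarize(log_text).items()}


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['connections']} connections, {s['bad_passwords']} bad passwords, "
              f"{s['auth_ok']} logins, users={sorted(s['users'])} -> {classify(s)}")
```

Feed it the output of the radio's syslog (or a capture of the lines UNMS showed you). A source that is your gateway, connects at the exact interval of your monitoring poll and never fails a login is what the Dude case in this thread looks like; a peer radio hammering default usernames is what the worm theory would have looked like. Note that moving SSH off port 22 silences both kinds of source, so it is not a useful discriminator on its own.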