Removing exploits from Ubiquiti devices

Once I noticed the spread of the virus/exploit on the network with Ubiquiti devices. Exploit using a vulnerability in older versions of firmware copied itself to other devices and from them attacked the following.

Under the attack in my case, the airMAX M devices with firmware below 5.6.2 XM/XW and http/https turned on look were caught.

The exploit is stored in /etc/persistant, creates a .mf subdirectory and the mf.tar file, and uses rc.poststart
The user’s password was changed to randomly generated, but could also be logged in using the moth3r exploit’s username and the password fuck.3r or fucker.

To see the generated password you can use the command below, but later it changed anyway:

grep -E "users|sshd.auth.key" /tmp/system.cfg

To uninstall, you need to connect to the device via SSH and run the following commands:

rm -fr /etc/persistent/rc.* /etc/persistent/profile
cfgmtd -w; reboot -f

After these commands, the login and password will return to the previous one, and you will also need to immediately update the firmware of the device, otherwise it may be re-infected.

Also there is an official healing utility written in JAVA, you can download it here:
It can scan the specified subnet, remove the exploit and update the firmware.

See also my article:
Restricting access to Ubiquiti by IP using Firewall

Leave a comment

Leave a Reply