Malware on WUG PCs

I’ve become aware of some malware on various CTWUG PCs.

A symptom that you are affected is that your PC is attempting to crack passwords on your Mikrotik router (but via FTP). If you have lots of this in your router logs (but from your own PC) then you probably have an issue:

It’s unclear but I don’t wish to speculate here. I will leave speculation to this thread. Do not speculate here.

I will post below on possibly affected PCs. Please have a look and scan your PCs. Also be careful what you open on these PCs. E.g. avoid banking and sensitive applications.

Potential Source

Can those people below confirm whether they run Avast? Apparently this does some brute-forcing on your own routers? Bit dodgy if you ask me (thanks @angryplum).

4 Likes
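One way to check an exported router log for the symptom described in the post above, as an added example that is not part of the original thread. It assumes the RouterOS failure wording "login failure for user ... from ... via ..."; the sample lines, LAN range and threshold are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed RouterOS wording: "login failure for user <name> from <ip> via <service>"
FAILURE_RE = re.compile(
    r"login failure for user (?P<user>\S+) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>\S+)"
)

# Constructed sample lines (not taken from any CTWUG router)
SAMPLE_LOG = """\
jan/02 10:15:01 system,error,critical login failure for user admin from 10.0.0.50 via ftp
jan/02 10:15:01 system,error,critical login failure for user root from 10.0.0.50 via ftp
jan/02 10:15:02 system,error,critical login failure for user user from 10.0.0.50 via ftp
jan/02 10:15:02 system,error,critical login failure for user admin from 10.0.0.50 via ftp
jan/02 10:15:03 system,error,critical login failure for user support from 10.0.0.50 via ftp
jan/02 11:40:10 system,error,critical login failure for user admin from 10.0.0.7 via winbox
jan/02 11:42:00 system,info,account user admin logged in from 10.0.0.7 via winbox
jan/02 12:05:44 system,error,critical login failure for user admin from 10.0.0.9 via ftp
"""

def ftp_guessing_sources(log_text, lan="10.0.0.0/24", min_failures=5):
    """Return {ip: {"failures": n, "users": [...]}} for hosts inside `lan`
    that produced at least `min_failures` failed FTP logins."""
    network = ipaddress.ip_network(lan)
    failures = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m or m["svc"] != "ftp":
            continue  # not a failed login, or a different service
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address in the log line
        if src not in network:
            continue  # only interested in our own PCs
        failures[str(src)] += 1
        users[str(src)].add(m["user"])
    return {ip: {"failures": n, "users": sorted(users[ip])}
            for ip, n in failures.items() if n >= min_failures}

if __name__ == "__main__":
    for ip, info in ftp_guessing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed FTP logins, "
              f"users tried: {', '.join(info['users'])}")
```

A single failed FTP login (such as the constructed 10.0.0.9 line) stays below the threshold, so only a host cycling through several usernames is reported.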

@Camelrock

172.26.46.252 a.k.a. reserved.camelrock.ctwug.za.net logging into rb1.camelrock.camelrock.ctwug.za.net

Router logs on NMS. (ctwug/ctwug login).

Can anyone who knows him make sure he fixes this.

@hunter

pc1.hunter.ctwug.za.net. logging into rb2-sxt-spitfire187.hunter.ctwug.za.net

Router logs on NMS. (ctwug/ctwug login).

Can anyone who knows him make sure he fixes this.

1 Like

Nick here??

172.18.177.114 a.k.a. dhcp2.whisperer.ctwug.za.net logging into rb1.whisperer.ctwug.za.net

Router logs on NMS.

@Deathgod

172.18.177.241 a.k.a. pc1.deathgod.ctwug.za.net logging into rb1.deathgod.ctwug.za.net

Router logs.

@Zoska

172.18.153.124 / pc.zoska.ctwug.za.net logging into pc.zoska.ctwug.za.net.

I was running Avast… uninstalled

1 Like

I am using Avast as well, do I need a different antivirus?

I will uninstall it to be safe, thanks for the heads up @spin

I can confirm Hunter is using Avast as well. I have informed him to remove it as well.

1 Like

You can still use it, just do a custom install and untick the stuff you do not need, or disable it in the settings.

Yeah, it’s a weird feature, checking if your home routers have default passwords set. I’d be happy if anyone wants to continue using Avast as long as you disable the Wi-Fi Inspector feature. At least on routers running WMS.

It scans with common logins, and when it scans your network and it can log in with any of the details then it should warn you so you can change it, to avoid anyone logging in with weak/default usernames and passwords. This is from the Avast site:

Wi-Fi Inspector scans your network for vulnerabilities and identifies potential security issues that open the door to threats. This feature checks the status of your network, devices connected to the network, and router settings. Wi-Fi Inspector helps you secure your network to prevent attackers from accessing it and misusing your personal data.

1 Like

Which feature should guys disable to stop the login attempts? I thought it was WiFi Inspector? Can one disable it?

Here you go:

You can disable Wi-Fi Inspector from Settings ▸ Components. Next to Wi-Fi Inspector, click the ON slider so that it changes to OFF.

From:
https://help.avast.com/en/av_free/17/securitynetwork.html

1 Like