05-24-2021 02:55 AM
I use Ruskuc R510, it works well until yesterday. Yesterday the wifi name not show as usual, it show "hacked by evil - config reset".
I reset and config with the different wifi name and long password but when i put it on ...it work just 5 minutes ---after that the wifi disappear it show "hacked by evil - config reset" again.
How could I do to solve this problem?
Please help me.
Thank you very much
05-24-2021 06:09 AM
Never seen such thing, but I also never allow access to AP management interface from Internet, APs are always on internal network, separated even from user traffic. If management interface is exposed on Internet, it will eventually happen. But anyway it sounds bad -- I suggest you contact Ruckus right away, I am quit sure they will be interested to investigate.
For starters, try to reset and configure AP, but not connect it to network -- check if SSID name will change again. If yes, it means that malware is on AP itself. If not, hacking happens remotely (may be script). If hacking is remote, need to exclude internal network (it may be exploit on infected client PC inside network, including your own PC, which probably has management password saved).
When you know where is the source, you can try to catch it (using some bridge or tap device and wireshark).
Anyway, Ruckus support will be give more specific instructions how to deal with this.
Hope it helps...
Try to re-image it (by different version or even by standalone image), reset again and
05-24-2021 05:54 PM
Thank you. It's not happens when I do not connect to the network.
05-24-2021 11:49 PM
So it's some vulnerability.
1. Make it unavailable from Internet. NAT router as a minimum. AP has no need to access Internet actually, so don't put Default Gateway in the configuration or input incorrect one, and access it for management directly from the same subnet.
2. Contact Ruckus anyway -- they should know about this threat.
3. Update to latest firmware available (manually, from file). May not be efficient to fix exact problem, but you should do it anyway.
What is current firmware version on R510 AP?
Anyway, you never want any your devices to be directly reachable from Internet - it is guarantee you will be hacked at some moment. Only device which must be exposed to Internet is your router / firewall external interface, and it must be secured and hardened as much as possible. There are bots, routinely scanning internet to find vulnerable devices , and when found, automated scripts are applied to hack this devices. In your case it was not that bad - it as visible, and seems to have no consequences. It seems to be a hactivist activity -- they make you aware that your network is insecure (and this is obviously true) so you can fix your security. Much worse would be if hacker would not show that he is in your network, but used it for some bad goals -- for example, forwarding spam form your address, hack your network devices or use your network for DDOS attacks, or even to hack into other networks. Than you could have real problems. It seems that you have no such issues yet, but as your network is obviously not secured, you can get them anytime. So fix your setup to be secure.
As an absolute minimum, you need to have some up-to-date NAT router facing Internet, and all other devices must be NATed, with no access from outside to them (I mean AP, switches, printers, etc). If you have any stupid appliances, which want to be connected to Internet - don't connect them, except you really need this. For example, there are no any benefits connecting printers so they can access Internet, but it is a known vector of hacking, and this is valid for any appliances and toys. If you really want to connect them, than you need modern UTM and managed switch (to separate them from other devices and block unwanted traffic). Appliances and toys (especially from small or China vendors) are rarely updated and usually not tested for security, and there are well-known example using them in botnets.
Of cause, users don't changing default passwords may make really any device insecure.
So -- if any device is available from internet and it is not a firewall, you can't reasonably expect that it will be not hacked at some moment. It most probably will, and most probably -- sooner than later...
05-25-2021 02:13 AM
Thank you very much sir. I will do as your advice.