Compromised UniFi Controller

General pointers on where to look for configuration files and/or logs when investigating a compromised UniFi controller.

For tips on acquiring a full disk image via SSH, please see Acquiring Linux VPS via SSH

This page only provides a summary of files of interest, and where you may look for specific information. It doesn't include any information on how to investigate the initial compromise itself (ie username/password bruteforcing over SS

Files of interest

➡️ UniFi controller log /var/log/unifi/server.log (and server.log.* for archived/pruned logs)

This contains the following;

  1. Failed and successful authentication attempts (with reason, for example 'Invalid Credential', 'Invalid Username'

  2. Username associated with those attempts

  3. IP address of remote host attempting to authenticate

  4. MAC address of device syncing with controller

  5. WAN & local IP address of devices synced with controller

  6. Logs for system upgrades

  7. INFO/WARN level for API and DEV (device) associations

  8. Controller site identifier (appears to be 8 alpha-numeric character string)

➡️ /var/lib/unifi/db/collection-*-*.wt

Appears to be WiredTiger log files before they're committed to the core server logs

(.wt is the file extension associated with the files, WiredTiger appears to be the engine contained within mongoDB)

➡️ /var/lib/unifi/

  1. /backup; meta.json file for time/date when backup was created, 5.x.x.unf for backup itself

  2. /backup/autobackup; autobackup_meta.json for time/date when autobackup was created, and a series of .unf auto backups.

  3. /db; series of WiredTiger collection logs, index logs, version control logs, etc.

  4. /db/diagnostic.data & /db/journal; self-explanatory - journal and diagnostic information.

  5. /sites/*; folder for each site configured on the controller (8 alpha-numeric character identifer, plus a folder for the default site)

  6. /sites/abcd1234/maps; map photograph/layout associated with the site ID

➡️ /tmp/hsperfdata_root/control/0

Not strictly a UniFi controller related file as such, but it's part of the Java performance counter which still includes sensitive information (usernames, email addresses, password hash, local performance statistics)

➡️ /tmp/.unifi-********/db.gz/db

I'm not too sure why this file & hidden directory (.unifi-***) is generated, but nevertheless it still contains sensitive information & database contents relative to an investigation (usernames, emails, IP addresses, etc). It's the contents of the mongoDB (ace) associated with the UniFi controller.

➡️ /usr/lib/unifi

  1. /usr/lib/unifi/logs (symlink to /var/log/unifi)

  2. /usr/lib/unifi/run (symlink to /var/run/unifi)

  3. /usr/lib/unifi/data (symlink to /var/lib/unifi)

  4. /usr/lib/unifi/bin (binaries for ubnt-apttool and unifi.init, including a symlink to /usr/bin/mongod)

  5. /usr/lib/unifi/dl/firmware (bundles.json for different firmware revisions for specific models)

  6. /usr/lib/unifi/lib/* - jar files for specific java archives)

  7. /usr/lib/unifi/webapps/ROOT (root for web interface, including angular & react files)

To list accounts associated with the UniFi controller database (if you suspect a backdoor administrator account has been added), either check through the controller interface itself, or SSH into the host and execute the following command. This will list each account, password hash, epoch time created, email address, name, etc)

mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

mongoDB only listens on the localhost for connections (which is great, it's not exposed to the greater internet like most other mongoDB instances), so if you want to acquire a copy of the database and interrogate it locally, you'll need to export/dump the database first.

PreviousLogging Powershell activitiesNextAnyDesk Remote Access

Last updated