
Possible IoT device infection


5 replies to this topic

#1 ind3siszive

ind3siszive

  • Members
  • 6 posts

Posted 16 May 2017 - 08:12 PM

I thought I was infected by a friend I talk about here

However I have been getting emails from my ISP that is saying there is suspicious activity originating from my account.  I think my computer is relatively clean but I think there is an infection on my router or perhaps my security camera.  

I am gonna go ahead and factory reset my modem, I also have arlo security cameras.  I just wanted to make sure that my computer is clean and that IoT devices aren't infected.


Dear Cox Subscriber,

Cox has identified that one or more Internet-connected devices (DVRs, security cameras, refrigerators, etc.) using your Cox High Speed Internet service is likely infected with the Mirai malware.  Cox security cameras installed as part of Cox HomeLife service are not affected.  

This malware spreads by scanning the web for vulnerable devices that have either a default or hard-coded username or password.  The vulnerable device can be accessed through publicly-available credentials.  Once under Mirai's control, it can be used to launch Distributed Denial of Service attacks on other devices on the Internet and cause significant disruption.  

Please take the following action as soon as possible:  

1.  Where possible, please change the default administrator password on ALL Internet-connected devices to a strong, unique password.  Consult the device manual, or contact the device vendor or the manufacturer, who can assist you.  
2.  Please change or remove any non-administrator logins on these devices.  Contact the device vendor or the manufacturer if you need assistance.
3.  Please do not connect any "Smart" devices directly to the modem with an Ethernet cable without using a router.  
    a.  For Advanced Users: Please do not use port forwarding on your router to forward telnet traffic to these devices (typically port 23 or 2323).  

If you need additional support to change passwords, Cox offers technical support services for an additional charge.  
Visit Cox Tech Solutions at http://www.coxtechsolutions.com/ or call 877.TEC.SOLV (832.7658) to get started.  

If you would like additional information on the Mirai malware:  
http://malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html

If you have any questions regarding this matter, you may call Cox Communications at 800-753-6085.  

Regards, 

Cox Customer Safety

Dear Subscriber,

We have received data or complaints showing a possible attack, probe or trojan-generated spam activity originating from your Cox.net IP address. Details of this activity are included below.

If you are unaware of how this occurred, we suggest that you speak with any other persons whom you may share your Cox Internet Service with. If you are operating a wireless network, we recommend enabling encryption to prevent unauthorized parties from using your service. You should also update your anti-virus software and run a full scan on your systems.

You might also try scanning your systems with these free trojan removal tools:

Malware Bytes
http://www.malwarebytes.org/

Microsoft Malicious Software Removal Tool
http://www.microsoft.com/security/pc-security/malware-removal.aspx

Thank you for your prompt attention to this matter.

- Cox Customer Safety



--- The following material was provided to us as evidence ---

To whom it may concern,

Pursuant to Sony Interactive Entertainment LLC ("SIE") corporate policy, the below IP addresses were blacklisted from using our services because SIE detected activity that is abusive to our network services. In our determination, the abusive activity was not related to velocity or volume (many users behind the same IP address, i.e. NAT), but matched the specific patterns of known abuse of our publicly available services. This abuse may be the result of a computer on your network that has been compromised and is participating in a botnet abuse of our services.

The following table of IP addresses, dates and times should help you correlate the origin of the abusive activity. The time stamps are approximate from our logs. The actual timing of the events depends on the signature matched. It is very likely to have occurred both before, during and following the times listed.



Approximate Time Range (UTC), IP Address, Reason

It is most likely the attack traffic is directed at one of the following endpoints:

account.sonyentertainmentnetwork.com
auth.np.ac.playstation.net
auth.api.sonyentertainmentnetwork.com
auth.api.np.ac.playstation.net

These endpoints on our network are resolved by Geo DNS, so the IP addresses they resolve to will depend on the originating IP address.

The destination port will be TCP 443.

Please take the necessary measures to correct the malicious activity from the above-listed IP addresses as soon as possible to avoid any further disruptions. If we were to remove any of these IP addresses from the blacklist and subsequent abusive activity is detected, the IP address will be promptly blacklisted again.

We thank you for your prompt attention to this matter. If you require assistance or additional information please contact X@X.X and include the IP address in question.

Thank you

P.S. If you would prefer an individual email for each IP address on this list, please let us know.

Edited by ind3siszive, 16 May 2017 - 08:23 PM.
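The abuse report quoted in the post above lists its evidence as 30-minute windows in a fixed "start ~ end (UTC), IP address, reason" layout, with the reason sometimes hard-wrapped onto the next line. As an added example (not code from the post, from Cox or from Sony), this small Python parser turns those rows into records and answers which windows cover a given UTC timestamp, so a subscriber can line the report up against a router log; the sample rows are constructed in that format, and `X.X.X.X` is the report's own placeholder.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
# Constructed sample in the report's format; X.X.X.X is the report's own placeholder.
SAMPLE_REPORT = """Approximate Time Range (UTC), IP Address, Reason

2017-04-16 23:26 ~ 2017-04-16 23:56 (UTC), X.X.X.X, Account Takeover
Attempts
2017-04-17 00:05 ~ 2017-04-17 00:35 (UTC), X.X.X.X, Account Takeover Attempts
2017-04-17 00:12 ~ 2017-04-17 00:42 (UTC), X.X.X.X, Account Takeover Attempts
"""
# One evidence row: "<start> ~ <end> (UTC), <ip>, <reason>"
ROW = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) ~ (\d{4}-\d\d-\d\d \d\d:\d\d) \(UTC\), *([^,]+), *(.+)$")
@dataclass
class AbuseWindow:
    start: datetime
    end: datetime
    ip: str
    reason: str

def _utc(stamp):
    """Parse the report's 'YYYY-MM-DD HH:MM' stamp as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

def _unwrap(text):
    """Re-join a row whose reason was hard-wrapped: a short letters-only line right after a row is its tail."""
    lines = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if lines and ROW.match(lines[-1]) and re.fullmatch(r"[A-Za-z]+( [A-Za-z]+)?", line):
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines

def parse_report(text):
    """Return the evidence rows as AbuseWindow records; header and prose lines are skipped."""
    windows = []
    for line in _unwrap(text):
        m = ROW.match(line)
        if m:
            windows.append(AbuseWindow(_utc(m.group(1)), _utc(m.group(2)),
                                       m.group(3).strip(), m.group(4).strip()))
    return windows

def active_at(windows, stamp):
    """Windows covering a UTC 'YYYY-MM-DD HH:MM' stamp, e.g. one taken from the router's own log."""
    ts = _utc(stamp)
    return [w for w in windows if w.start <= ts <= w.end]
```

Because the report says the activity likely ran before and after the listed windows, treat a miss from `active_at` as "not in the evidence", not as "nothing happened".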


#2 buddy215

buddy215

  • Moderator
  • 13,133 posts
  • Gender:Male
  • Location:West Tennessee

Posted 17 May 2017 - 09:42 AM

Just about every device that connects to the internet is being infected. According to this, however, Arlo cameras are not subject to attack: Solved: Miria Maleware vulnerable? - NETGEAR Communities

I don't know if you can change passwords in the cams...do you know? Can the firmware be updated?


Once you have reset the router, be sure to re-secure it...new password....block remote control....enable firewall, etc.


What security programs have you scanned the computer with...if any?


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 ind3siszive

ind3siszive
  • Topic Starter

  • Members
  • 6 posts

Posted 21 May 2017 - 05:00 PM

I have Kaspersky and Malwarebytes; I scanned with them and recently came here and did everything described in this thread: https://www.bleepingcomputer.com/forums/t/646038/virus/#entry4235104. I also have a Synology NAS 1515+, and I had DD-WRT running on my router. The DD-WRT was set up by my friend and he used the simple root/toor login info, so I think that was the problem. If the router was infected, is it likely that it spread to some of my other equipment? The router has been set to factory defaults; I restored it to the newest available Asus firmware. I was getting quite a few of those suspicious activity emails, and haven't gotten one since I restored and recovered the firmware.



#4 buddy215

buddy215

  • Moderator
  • 13,133 posts
  • Gender:Male
  • Location:West Tennessee

Posted 22 May 2017 - 04:45 AM

You didn't finish up there. Suggest you respond to nasdaq's last post.



#5 ind3siszive

ind3siszive
  • Topic Starter

  • Members
  • 6 posts

Posted 24 May 2017 - 10:56 AM

The topic was closed and I'm not sure if I should start a new one.



#6 buddy215

buddy215

  • Moderator
  • 13,133 posts
  • Gender:Male
  • Location:West Tennessee

Posted 24 May 2017 - 11:28 AM

Send a Private Message/ PM to nasdaq asking nasdaq to reopen.


Edited by buddy215, 24 May 2017 - 11:30 AM.


