cancel
Showing results for 
Search instead for 
Did you mean: 

Internet suspension warning, but unable to find malware

TK2000
I've been here awhile

I've been contacted a few times in the last month by Rogers (after cutting off my internet, so I guess it's legit) that I have Malware on my network.  We took all of our computers to the shop and the technician said he found a thing and removed it, and so we though it was fixed.

 

It's not.  And I'm suppose to find this thing within 48 hours or my internet is suspended for a week.  I start teaching next week, and I do not think my students will be pleased if that happens... Heck, if they are just going to disconnect with no warning, I may have to just switch providers.

 

I ran Malwarebytes with Rootkit Scan on both my 2 Windows devices with no hits. I've also run full antivirus scans,  and the only hit I've found is on my university's emergency notification software that came preinstalled (guess I don't need that this semester).  I've run Malwarebytes (Full Scan) and Avast Mobile Security on my Android phone with no hits either.  I don't know what else I can do to find whatever it is they want me to look for. What else can I do to try to find this thing?  The Rogers person on the phone has been frustratingly vague about... any information.  She was only able to say that two dates (no times) and that it was labelled "Malware Virus", and pointed me to download Rogers Online Protection (which fails with "We were unable to complete your transaction at this time. Please call 1-888-ROGERS1 to order the service.", and I'm not sure it'll be better than an antivirus).

 

Is there someway for me to get more information on what device might be infected?  Or install something to monitor network traffic?  Or configure my modem to do something?  My modem is a CODA-4582U.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Internet suspension warning, but unable to find malware

-G-
Resident Expert
Resident Expert

@TK2000  What specific malware did Rogers detect?  Was the source IP address, listed on the Rogers malware report, actually the WAN IP address of your modem?  If it is different, that would support the theory that this traffic might have originated from a cloned modem.

 

Did the report indicate that you have an infected device that was actually sending malicious traffic or that you have devices on your network that were responding to network scans which could be used by botnets to launch an attack?

 

How many devices do you have connected to your home network?  Can you trace each MAC address that is connected to your network to a specific device?  (You may find the MACVendors Lookup Tool or the Wireshark OUI Lookup Tool helpful to identify the manufacturer of the device.)

 

For malware the malware case, if you have ruled out your computers and smartphones, other likely culprits are smart TVs, media players or other devices where you can install (potentially infected) apps.  Also IoT devices can become infected from the apps that interact with them.

 

Hopefully, you are not dealing with an actual infection but a network configuration issue, or something that can be fixed through a firmware update.

View solution in original post

19 REPLIES 19

Re: Internet suspension warning, but unable to find malware

Gdkitty
Resident Expert
Resident Expert

I have seen quite a few people with this lately on here... 

I am wondering if there is one of two things going on here..

A ) That its triggering from another device, not a PC or phone.   That there can be a compromised device of another form on the network?  Do you have anything else internet connected on the network?  Wireless lights, cameras, etc?  Many of them have firmware updates (usually available to update through the app for it).

B)  That these are triggered from cloned modems.
Now that most people are on unlimited plans.. people are not necessarily watching their usage anymore.
That if someone out there is using a cloned modem, cloning your MAC address, it would look like any usage, etc is all coming from your account.   People using these illegal cloned modems, are usually using them for bad purposes.   Such as illegal downloading, as well as could be running MAILING, SPAM, VIRUS bots, which would trigger these warnings, on YOUR account.
In these cases.. your best bet would be to swap the modem. 
(though not as sure how easy that is right now with covid stuff, etc)

Re: Internet suspension warning, but unable to find malware

TK2000
I've been here awhile

Those are interesting hypotheses.  I have a VoIP phone that I've unplugged already (though not before the flagged dates).

 

How would I go about initiating a modem swap?  Do I just show up at a store?  Do I have to go through phone support?

Re: Internet suspension warning, but unable to find malware

-G-
Resident Expert
Resident Expert

@TK2000  What specific malware did Rogers detect?  Was the source IP address, listed on the Rogers malware report, actually the WAN IP address of your modem?  If it is different, that would support the theory that this traffic might have originated from a cloned modem.

 

Did the report indicate that you have an infected device that was actually sending malicious traffic or that you have devices on your network that were responding to network scans which could be used by botnets to launch an attack?

 

How many devices do you have connected to your home network?  Can you trace each MAC address that is connected to your network to a specific device?  (You may find the MACVendors Lookup Tool or the Wireshark OUI Lookup Tool helpful to identify the manufacturer of the device.)

 

For malware the malware case, if you have ruled out your computers and smartphones, other likely culprits are smart TVs, media players or other devices where you can install (potentially infected) apps.  Also IoT devices can become infected from the apps that interact with them.

 

Hopefully, you are not dealing with an actual infection but a network configuration issue, or something that can be fixed through a firmware update.

Re: Internet suspension warning, but unable to find malware

-G-
Resident Expert
Resident Expert

@TK2000 wrote:

How would I go about initiating a modem swap?  Do I just show up at a store?  Do I have to go through phone support?


I think that you can swap the CODA modem at your local Rogers store.  However, you will first need to call Rogers tech support.  They need to generate an order in the system for the swap; the store would then process the swap.  (Make sure that you get a receipt for any hardware that you return.)  Tech support can probably also arrange for a replacement to get shipped to you.

 

You should also ask the support tech if they have any way to investigate whether your modem could have been cloned, or if they check to see whether your modem's MAC address is currently active on multiple CMTSs.

Re: Internet suspension warning, but unable to find malware

TK2000
I've been here awhile

Thanks everyone.  I called tech support back again, and this time reached someone who was more helpful.   I'll post information here in case it is helpful for others.  They sent me a timestamped log entry that included the following fragment:

 

                MALWARE FAMILY: minerpanel

                TYPE: botnet drone

                DESCRIPTION: This host is most likely infected with malware.

                DESTINATION IP: 195.22.26.248

                DESTINATION PORT: 80

 

I did some digging and the IP address seems to be a sinkhole operated by Anubis.  Traffic to this IP may or may not be malicious.  More links from these links:

 

https://www.reddit.com/r/techsupport/comments/ifetyd/isp_stating_that_i_have_a_malware_infection_on/

https://www.reddit.com/r/antivirus/comments/hhwich/warning_from_isp_malware_on_my_infrastructure/

 

The timestamp seems to exclude my main devices.  The tech said there were open port configurations, and I don't think me or my family put those in, so we've reset the modem.  He think it should resolve the issue, and left a note on my account to that effect, and to ask them to warn me if they see suspicious before disconnecting from the network, so I'm not dropped mid-lecture.

 

Hopefully this will no longer be an issue.  Fingers crossed!

Re: Internet suspension warning, but unable to find malware

-G-
Resident Expert
Resident Expert

@TK2000 wrote:

The timestamp seems to exclude my main devices.


If I remember correctly, the timestamp in the Rogers malware alert is shown for the "Zulu" time zone, which is equivalent to GMT.  You will need to subtract 4 hours to convert this to EDT or 5 hours to convert to EST.

Re: Internet suspension warning, but unable to find malware

TK2000
I've been here awhile

That's what I thought too.  The tech sent me one of the logs, which has the following timestamp.

 

> data: SOURCE TIME: 2020-08-26 01:02:57Z

 

But when I asked him for the time in EST of the latest event, he said 8-28 7AM.  Which, incidentally, was what the first tech also said.  So I'm guessing this timestamp is either something else, or there is another log entry they are referring to.

 

Regardless, the only actionable difference would be whether I will get my parents to scan their phones as well, and I'll have them do that just to be safe.

Re: Internet suspension warning, but unable to find malware

-G-
Resident Expert
Resident Expert

@TK2000 wrote:

> data: SOURCE TIME: 2020-08-26 01:02:57Z


Converted to local time in Toronto, that would be 2020-08-25 9:02:57 PM EDT

 

As for tracking down the cause of these alerts, what you really need is a router/firewall that can do outbound connection logging.  You need some way to identify the IP address of the device on your internal network that is making connections to 195.22.26.248.  I don't know if your Hitron CODA modem will allow you to do that.

Re: Internet suspension warning, but unable to find malware

mkleung
I've been here awhile

Recently I got couple emails from Rogers saying that "The security problem is one of my devices trying to hack SONY and Roger is not unable to help me to identify the problem device."

 

They gave me the times :

 

2020-11-27 23:17:00 ~ 2020-11-28 00:17:00 (UTC),  My IP, Account Takeover Attempts  

2020-12-04 22:22:00 ~ 2020-12-04 23:22:00 (UTC),  My IP, Account Takeover Attempts    

 

From 

Sony Interactive Entertainment LLC on 

 

auth.api.sonyentertainmentnetwork.com

native-ps3.np.ac.playstation.net

account.sonyentertainmentnetwork.com

auth.np.ac.playstation.net

accounts.api.playstation.com

native.np.ac.playstation.net

 

The destination port will be TCP 443.

 

What I have done:

  1. I have scanned all  connected my devices  
  2. I have blocked access to mentioned Sony urls by setting "keyword filter" rules on Rogers Ignite modem

In order to identify which device caused the problem, is it possible to trace port 443 activities on my Roger modem?

 

Thanks

 

 

Re: Internet suspension warning, but unable to find malware

Fastknute
I've been here awhile
I have received same warning from Rogers.. With no help from tech support.. Any answers to this problem that work?

Re: Internet suspension warning, but unable to find malware

Using my fathers account for this, as he is at work and has put me in charge of getting this issue resolved.

 

To my knowledge this morning rogers notified him that a virus was detected on one of devices, and that our internet maybe subject to suspended or terminated as part of the rogers terms of service. rogers was contacted and the email is confirmed legitimate.

 

I have been doing what i can to resolve the problem. I have checked as many devices as i could to detect the virus but nothing has turned up. phones and computers i have access to currently have been checked, such as mine and my sisters. these were diagnosed 3 times each with multiple anti-virus and malware software's such as McAfee, Avast and Malwarebytes. nothing was detected. smart tv's and such were also checked, we don't run a very smart tech home, so very few additional devices needed checking.

 

it could however still as of this moment be on my parents phones or computers which i don't have access to. Hopefully those will be checked as soon as possible. I have also gotten into contact with rogers directly through help services, but very little information was useful other than being told to repeat the above actions. the only useful information i gained from the call was that the virus is a Zloader, what is does, and how it could have gotten onto a device.

 

many people on this forum have asked for help for similar circumstances, such as not being able to detect to virus in question before their internet gets shutdown. email provided below, hopefully the issue is resolved before Monday the 18th when i have online classes for my college course. thank you for any and all help.

_______________________________________________________________________________________________________

 

Dear Valued Customer,

 There's a problem with an internet-connected device in your home that's interfering with the Rogers network in your area. This may be a computer, phone, tablet, sensors or any other device connected to your Wi-Fi. Unfortunately, we're unable to help you identify the problem device.

The problem device in your home is infected with a virus. You need to remove the infection to strengthen the security of your information and ensure that only authorized users have access to your network.

Because the problem is with your device and not the Rogers network, Rogers can't offer you additional support in this matter. We need you to take the necessary steps to resolve this issue.

We recommend you:
1. Run an anti-virus program to remove any infections.
2. Speak to a third-party computer repair technician.

Under the Rogers Terms of Service and Acceptable Use Policy, you are responsible for the security of any device you connect to the service.

If you fail to correct this issue, your service may be suspended and/or terminated as per the Rogers Terms of Service and Acceptable Use Policy. 

If you have services that require an internet connection (eg. Rogers Smart Home Monitoring) and your internet is suspended and/or terminated, these services will no longer work.

Please click here <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rogers.com%2Fcms%2Fpdf%2Fen%2FRo...> to review the Acceptable Use Policy specific to this issue.

If you would like to contact us about this, visit rogers.com/contactus to see how you can reach us.

Thank you for your cooperation and for being a Rogers customer.
Please do not reply to this email, as this email inbox is not monitored.

^Trademarks of Rogers Communications, Rogers Communications, 855 York Mills Road, Don Mills ON, M3B 1Z1. © 2016

Please Be Advised: Rogers will never ask you for your password or other confidential personal information via email or phone.
If you would like to verify that this email is from Rogers you can contact us at the information listed on your monthly bill

Any emails/phone calls you receive purporting to be from Rogers that you believe to be fake, can be reported to abuse@rogers.com

 

***EDITED LABELS***

Re: Internet suspension warning, but unable to find malware

maximus
I plan to stick around

Has anyone else gotten one of these recently?   I've gotten a couple, complaining about:


IP: 173.xx.xx.59
PROTOCOL: udp
PORT: 111
HOSTNAME: cpeXXXXXXXXXXXXXXXXad.cpe.net.cable.rogers.com
TAG: portmapper

 

Here's the thing.  My modem is in bridge mode.  My public IP reported by my main router (ASUS) is x.x.x.78.  No ports open, everything locked down.   At first I thought this wasn't my IP, so why are they bothering me?

 

However, I can still connect to my modem from 10.0.0.1 from inside my network to check things out.  Alas, it ALSO seems to be getting it's OWN public IP even though there are no devices connected to it (wifi/everything disabled).  Sure enough, the modem is getting a second external IP (x.x.x.59) AND I got a port scanner and it is seeing port 111 open.. 

 

I turned off bridge mode, made sure firewall was full-on HIGH, everything else DISABLED, back into bridge mode, and boom, port still shows up.  Didn't find anything like this on this forum, but found this:

https://forums.redflagdeals.com/rogers-internet-security-message-2385144/6/

 

Is this really a known firmware issue?  Should I ignore the notices?  Has anyone ever seen this before?

 

Re: Internet suspension warning, but unable to find malware

-G-
Resident Expert
Resident Expert

@maximus wrote:

Has anyone else gotten one of these recently?   I've gotten a couple, complaining about:


IP: 173.xx.xx.59
PROTOCOL: udp
PORT: 111
HOSTNAME: cpeXXXXXXXXXXXXXXXXad.cpe.net.cable.rogers.com
TAG: portmapper

 

Here's the thing.  My modem is in bridge mode.  My public IP reported by my main router (ASUS) is x.x.x.78.  No ports open, everything locked down.   At first I thought this wasn't my IP, so why are they bothering me?


You are absolutely correct.  This is not due to a problem with your router's configuration.

 

I have also seen other reports of port 111 being open and active on the Ignite gateway with Bridge Mode enabled: https://www.dslreports.com/forum/r33092465-Internet-Rogers-XB6-Ignite-modem-bridge-mode-leaves-port-...

 

(This is also yet another reason why I sometimes DETEST the Ignite gateways.  I would much rather be using a simple modem rather than a modem/gateway that I have very little actual control over.)

 

However, I can still connect to my modem from 10.0.0.1 from inside my network to check things out.  Alas, it ALSO seems to be getting it's OWN public IP even though there are no devices connected to it (wifi/everything disabled).  Sure enough, the modem is getting a second external IP (x.x.x.59) AND I got a port scanner and it is seeing port 111 open.. 

 

I turned off bridge mode, made sure firewall was full-on HIGH, everything else DISABLED, back into bridge mode, and boom, port still shows up.  Didn't find anything like this on this forum, but found this:

https://forums.redflagdeals.com/rogers-internet-security-message-2385144/6/

 

Is this really a known firmware issue?  Should I ignore the notices?  Has anyone ever seen this before?


The Ignite gateways run other services internally, even when Bridge Mode is enabled, so they are still active on the network and will still obtain their own IPv4 and IPv6 addresses.  Log into your Ignite gateway, go to "Gateway > Connection > Rogers Network" and double-check the gateway's WAN IPv4 address to see if it matches the one in your alert.

 

You need to report this to Rogers immediately, either by telephone or by sending a private message to @CommunityHelps 

 

Best of luck with getting this resolved!!

Re: Internet suspension warning, but unable to find malware

maximus
I plan to stick around

I tried with online chat support and response was "you must have a virus on your computer".  Well... (a) fully scanned all machines with BitDefender, (b) report is coming from IP of the the modem (no devices connected) and my router is locked down and no issues on that IP.   Best way to escalate?

Re: Internet suspension warning, but unable to find malware

-G-
Resident Expert
Resident Expert

@maximus wrote:

I tried with online chat support and response was "you must have a virus on your computer".  Well... (a) fully scanned all machines with BitDefender, (b) report is coming from IP of the the modem (no devices connected) and my router is locked down and no issues on that IP.   Best way to escalate?


Did you confirm that the IP address on your security report matches the WAN IPv4 address that the Ignite Gateway obtains with Bridge Mode enabled?  If so, you can escalate this issue by sending a private message to @CommunityHelps .

 

@RogersAndy  FYI, I can confirm this.  I used PortQry to test my own XB6, with Bridge Mode enabled, and can confirm that it does have an open port (and perhaps an active listener) on UDP port 111.  I don't get a response but the connection attempt should have failed with an ICMP Port Unreachable.

Re: Internet suspension warning, but unable to find malware

Datalink
Resident Expert
Resident Expert

Here's a good description of the current state of affairs for this issue.  It comes from DSLReports post tonight:

 

https://www.dslreports.com/forum/r33089500-Rogers-FTTH-now-available-Is-the-modem-standalone~start=3...

 

scroll down to Eug's post that he titled:  Rogers gives two IPv4 address per internet customer

 

"

All of us with the Rogers Ignite XB6 in bridge mode get two public WAN IPv4 addresses. Dunno about the other modems.

 

In bridge mode the modem still gets a unique public WAN IPv4 address, and the router you are using also gets a public WAN IPv4 address. It's not a shared address.

 

I only realized this when I got an email from Rogers telling me I was violating their terms of service because I had a port open. However, the IP address in the email didn't match my router's WAN IP address. Turns out it was the WAN IP address of my modem, and there was a bug in one specific Rogers' XB6 firmware that left one port open. So basically, they pushed out a firmware that had a major bug which left a port open, and then some other department at Rogers sent us warning letters saying we are a security risk because we had a port open."

 

So, the left hand issues the firmware while the right hand slaps the customers around for running an open port, over which they have no control as its due to the modem's firmware.  

 

You would think when a large number of customers started to show open port 111, all at the same time, that someone would review the daily results and think that something was afoot.  That would be the logical conclusion.  This is probably all automated, but, someone should be in charge of (read "responsible for") the system, not the other way around. 

Re: Internet suspension warning, but unable to find malware

-G-
Resident Expert
Resident Expert

@Datalink wrote:

You would think when a large number of customers started to show open port 111, all at the same time, that someone would review the daily results and think that something was afoot.  That would be the logical conclusion.  This is probably all automated, but, someone should be in charge of (read "responsible for") the system, not the other way around. 


I don't know how often these scans are run but I have not received this bogus security alert from Rogers yet so,  Rogers has not yet scanned their entire complement of Ignite "bridge mode" customers who, themselves, are only a minute percentage of the overall population.  Rogers probably do not have anywhere near enough data to identify a trend, even if they tried to.

 

What matters now is how quickly Rogers can get this issue fixed, especially since their own security tools flagged it.  At this point, I am also seriously considering a switch to Business Internet, or any service that will allow me to use a simple modem.  The Ignite gateway has too many annoying quirks, and it frustrates me to no end that I do not really have any control over it or its configuration.

Re: Internet suspension warning, but unable to find malware

maximus
I plan to stick around

yes, confirmed.  Started discussion with @CommunityHelps 

 

Re: Internet suspension warning, but unable to find malware

-G-
Resident Expert
Resident Expert

@maximus wrote:

yes, confirmed.  Started discussion with @CommunityHelps 


Thanks!  I also sent them a PM.  Hopefully, Rogers can get this fixed soon.

Topic Stats
  • 19 replies
  • 11764 views
  • 11 Likes
  • 8 in conversation