Internet suspension warning, but unable to find malware

Fastknute
I've Been Here Awhile
Posts: 2

Re: Internet suspension warning, but unable to find malware

I have received the same warning from Rogers, with no help from tech support. Any answers to this problem that work?
dave454545
I've Been Around
Posts: 1

Re: Internet suspension warning, but unable to find malware

Using my father's account for this, as he is at work and has put me in charge of getting this issue resolved.

To my knowledge, this morning Rogers notified him that a virus was detected on one of our devices, and that our internet may be subject to suspension or termination as part of the Rogers terms of service. Rogers was contacted and the email is confirmed legitimate.

I have been doing what I can to resolve the problem. I have checked as many devices as I could to detect the virus, but nothing has turned up. The phones and computers I currently have access to have been checked, such as mine and my sister's. These were diagnosed 3 times each with multiple anti-virus and malware software such as McAfee, Avast and Malwarebytes. Nothing was detected. Smart TVs and such were also checked; we don't run a very smart tech home, so very few additional devices needed checking.

It could, however, still as of this moment be on my parents' phones or computers, which I don't have access to. Hopefully those will be checked as soon as possible. I have also gotten into contact with Rogers directly through help services, but very little information was useful other than being told to repeat the above actions. The only useful information I gained from the call was that the virus is a Zloader, what it does, and how it could have gotten onto a device.

Many people on this forum have asked for help in similar circumstances, such as not being able to detect the virus in question before their internet gets shut down. Email provided below; hopefully the issue is resolved before Monday the 18th, when I have online classes for my college course. Thank you for any and all help.

_______________________________________________________________________________________________________

 

Dear Valued Customer,

 There's a problem with an internet-connected device in your home that's interfering with the Rogers network in your area. This may be a computer, phone, tablet, sensors or any other device connected to your Wi-Fi. Unfortunately, we're unable to help you identify the problem device.

The problem device in your home is infected with a virus. You need to remove the infection to strengthen the security of your information and ensure that only authorized users have access to your network.

Because the problem is with your device and not the Rogers network, Rogers can't offer you additional support in this matter. We need you to take the necessary steps to resolve this issue.

We recommend you:
1. Run an anti-virus program to remove any infections.
2. Speak to a third-party computer repair technician.

Under the Rogers Terms of Service and Acceptable Use Policy, you are responsible for the security of any device you connect to the service.

If you fail to correct this issue, your service may be suspended and/or terminated as per the Rogers Terms of Service and Acceptable Use Policy. 

If you have services that require an internet connection (eg. Rogers Smart Home Monitoring) and your internet is suspended and/or terminated, these services will no longer work.

Please click here <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rogers.com%2Fcms%2Fpdf%2Fen%2FRo...> to review the Acceptable Use Policy specific to this issue.

If you would like to contact us about this, visit rogers.com/contactus to see how you can reach us.

Thank you for your cooperation and for being a Rogers customer.
Please do not reply to this email, as this email inbox is not monitored.

^Trademarks of Rogers Communications, Rogers Communications, 855 York Mills Road, Don Mills ON, M3B 1Z1. © 2016

Please Be Advised: Rogers will never ask you for your password or other confidential personal information via email or phone.
If you would like to verify that this email is from Rogers you can contact us at the information listed on your monthly bill

Any emails/phone calls you receive purporting to be from Rogers that you believe to be fake, can be reported to abuse@rogers.com

 


maximus
I Plan to Stick Around
Posts: 10

Re: Internet suspension warning, but unable to find malware

Has anyone else gotten one of these recently?   I've gotten a couple, complaining about:


IP: 173.xx.xx.59
PROTOCOL: udp
PORT: 111
HOSTNAME: cpeXXXXXXXXXXXXXXXXad.cpe.net.cable.rogers.com
TAG: portmapper

 

Here's the thing.  My modem is in bridge mode.  My public IP reported by my main router (ASUS) is x.x.x.78.  No ports open, everything locked down.   At first I thought this wasn't my IP, so why are they bothering me?

 

However, I can still connect to my modem from 10.0.0.1 from inside my network to check things out.  Alas, it ALSO seems to be getting its OWN public IP even though there are no devices connected to it (wifi/everything disabled).  Sure enough, the modem is getting a second external IP (x.x.x.59) AND I got a port scanner and it is seeing port 111 open.

 

I turned off bridge mode, made sure firewall was full-on HIGH, everything else DISABLED, back into bridge mode, and boom, port still shows up.  Didn't find anything like this on this forum, but found this:

https://forums.redflagdeals.com/rogers-internet-security-message-2385144/6/

 

Is this really a known firmware issue?  Should I ignore the notices?  Has anyone ever seen this before?

 

-G-
Resident Expert
Posts: 1,939

Re: Internet suspension warning, but unable to find malware


@maximus wrote:

Has anyone else gotten one of these recently?   I've gotten a couple, complaining about:


IP: 173.xx.xx.59
PROTOCOL: udp
PORT: 111
HOSTNAME: cpeXXXXXXXXXXXXXXXXad.cpe.net.cable.rogers.com
TAG: portmapper

 

Here's the thing.  My modem is in bridge mode.  My public IP reported by my main router (ASUS) is x.x.x.78.  No ports open, everything locked down.   At first I thought this wasn't my IP, so why are they bothering me?


You are absolutely correct.  This is not due to a problem with your router's configuration.

 

I have also seen other reports of port 111 being open and active on the Ignite gateway with Bridge Mode enabled: https://www.dslreports.com/forum/r33092465-Internet-Rogers-XB6-Ignite-modem-bridge-mode-leaves-port-...

 

(This is also yet another reason why I sometimes DETEST the Ignite gateways.  I would much rather be using a simple modem rather than a modem/gateway that I have very little actual control over.)

 

@maximus wrote:

However, I can still connect to my modem from 10.0.0.1 from inside my network to check things out.  Alas, it ALSO seems to be getting its OWN public IP even though there are no devices connected to it (wifi/everything disabled).  Sure enough, the modem is getting a second external IP (x.x.x.59) AND I got a port scanner and it is seeing port 111 open.

 

I turned off bridge mode, made sure firewall was full-on HIGH, everything else DISABLED, back into bridge mode, and boom, port still shows up.  Didn't find anything like this on this forum, but found this:

https://forums.redflagdeals.com/rogers-internet-security-message-2385144/6/

 

Is this really a known firmware issue?  Should I ignore the notices?  Has anyone ever seen this before?


The Ignite gateways run other services internally, even when Bridge Mode is enabled, so they are still active on the network and will still obtain their own IPv4 and IPv6 addresses.  Log into your Ignite gateway, go to "Gateway > Connection > Rogers Network" and double-check the gateway's WAN IPv4 address to see if it matches the one in your alert.

 

You need to report this to Rogers immediately, either by telephone or by sending a private message to @CommunityHelps 

 

Best of luck with getting this resolved!!



maximus
I Plan to Stick Around
Posts: 10

Re: Internet suspension warning, but unable to find malware

I tried with online chat support and the response was "you must have a virus on your computer".  Well... (a) fully scanned all machines with BitDefender, (b) report is coming from IP of the modem (no devices connected) and my router is locked down and no issues on that IP.  Best way to escalate?

-G-
Resident Expert
Posts: 1,939

Re: Internet suspension warning, but unable to find malware


@maximus wrote:

I tried with online chat support and the response was "you must have a virus on your computer".  Well... (a) fully scanned all machines with BitDefender, (b) report is coming from IP of the modem (no devices connected) and my router is locked down and no issues on that IP.  Best way to escalate?


Did you confirm that the IP address on your security report matches the WAN IPv4 address that the Ignite Gateway obtains with Bridge Mode enabled?  If so, you can escalate this issue by sending a private message to @CommunityHelps .

 

@RogersAndy  FYI, I can confirm this.  I used PortQry to test my own XB6, with Bridge Mode enabled, and can confirm that it does have an open port (and perhaps an active listener) on UDP port 111.  I don't get a response but the connection attempt should have failed with an ICMP Port Unreachable.
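
Added example (not part of the original posts, and not PortQry's or Rogers' code): a Python sketch of the UDP port 111 check described above, for a gateway you administer, showing why silence and an ICMP Port Unreachable mean different things. The function names, timeout and xid value are assumptions; the probe is a standard ONC RPC NULL call to the portmapper program.

```python
import socket
import struct

PORTMAP_PROG, PORTMAP_VERS, PROC_NULL = 100000, 2, 0  # portmapper, RFC 1833

def rpc_null_call(xid):
    """ONC RPC NULL call (RFC 5531): a no-op request a portmapper answers."""
    # xid, CALL=0, RPC version 2, program, version, procedure,
    # then empty AUTH_NULL credential and verifier (flavor=0, length=0 each)
    return struct.pack(">10I", xid, 0, 2, PORTMAP_PROG, PORTMAP_VERS,
                       PROC_NULL, 0, 0, 0, 0)

def classify_udp_port(host, port=111, timeout=2.0, xid=0x52474552):
    """Classify a UDP port on a device you administer.

    'open'          a datagram came back
    'closed'        ICMP Port Unreachable came back
    'open|filtered' silence: a listener ignoring us, or a filter dropping packets
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on UDP sends nothing, but lets the OS report ICMP errors
        s.connect((host, port))
        try:
            s.send(rpc_null_call(xid))
            s.recv(1500)
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
    return "open"

if __name__ == "__main__":
    # Constructed loopback demo: one bound-but-silent socket, one unbound port.
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))
    port = silent.getsockname()[1]
    print("silent listener:", classify_udp_port("127.0.0.1", port, 0.5))
    silent.close()
    print("no listener:   ", classify_udp_port("127.0.0.1", port, 0.5))
```

Run it against the gateway's own WAN IPv4 address from a host outside that network; a result of "open|filtered" where "closed" is expected matches the behaviour reported in this thread.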



Datalink
Resident Expert
Posts: 7,196

Re: Internet suspension warning, but unable to find malware

Here's a good description of the current state of affairs for this issue.  It comes from a DSLReports post tonight:

 

https://www.dslreports.com/forum/r33089500-Rogers-FTTH-now-available-Is-the-modem-standalone~start=3...

 

Scroll down to Eug's post that he titled:  Rogers gives two IPv4 address per internet customer

 

"

All of us with the Rogers Ignite XB6 in bridge mode get two public WAN IPv4 addresses. Dunno about the other modems.

 

In bridge mode the modem still gets a unique public WAN IPv4 address, and the router you are using also gets a public WAN IPv4 address. It's not a shared address.

 

I only realized this when I got an email from Rogers telling me I was violating their terms of service because I had a port open. However, the IP address in the email didn't match my router's WAN IP address. Turns out it was the WAN IP address of my modem, and there was a bug in one specific Rogers' XB6 firmware that left one port open. So basically, they pushed out a firmware that had a major bug which left a port open, and then some other department at Rogers sent us warning letters saying we are a security risk because we had a port open."

 

So, the left hand issues the firmware while the right hand slaps the customers around for running an open port, over which they have no control as it's due to the modem's firmware.

 

You would think when a large number of customers started to show open port 111, all at the same time, that someone would review the daily results and think that something was afoot.  That would be the logical conclusion.  This is probably all automated, but, someone should be in charge of (read "responsible for") the system, not the other way around. 



-G-
Resident Expert
Posts: 1,939

Re: Internet suspension warning, but unable to find malware


@Datalink wrote:

You would think when a large number of customers started to show open port 111, all at the same time, that someone would review the daily results and think that something was afoot.  That would be the logical conclusion.  This is probably all automated, but, someone should be in charge of (read "responsible for") the system, not the other way around. 


I don't know how often these scans are run, but I have not received this bogus security alert from Rogers yet, so Rogers has not yet scanned their entire complement of Ignite "bridge mode" customers who, themselves, are only a minute percentage of the overall population.  Rogers probably do not have anywhere near enough data to identify a trend, even if they tried to.

 

What matters now is how quickly Rogers can get this issue fixed, especially since their own security tools flagged it.  At this point, I am also seriously considering a switch to Business Internet, or any service that will allow me to use a simple modem.  The Ignite gateway has too many annoying quirks, and it frustrates me to no end that I do not really have any control over it or its configuration.



maximus
I Plan to Stick Around
Posts: 10

Re: Internet suspension warning, but unable to find malware

Yes, confirmed.  Started discussion with @CommunityHelps

 

-G-
Resident Expert
Posts: 1,939

Re: Internet suspension warning, but unable to find malware


@maximus wrote:

Yes, confirmed.  Started discussion with @CommunityHelps


Thanks!  I also sent them a PM.  Hopefully, Rogers can get this fixed soon.