Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

I Plan to Stick Around
Posts: 8

Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Hi, I've been working on removing a nasty botnet infection from my network and I've noticed through OpenDNS' domain stats logger that several hits per day go through *.phub.net.cable.rogers.com at various times.  I know this should be a normal redirect with Rogers, but I was curious if that was directly attributable to a botnet drone?  PCs on the network are on all the time and software of course is always querying the Internet at various times, for various reasons.


My connection was already shut down once; I'm finally hoping it's gone now after lots of cleaning/maintenance/prevention.  OpenDNS might be taking the strain off of the Rogers network now anyway, but no one really wants to leave a system infected and offload the problem elsewhere.


Thanks for the input.
Community Manager
Posts: 3,359

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Is any Community member able to assist @bwsur ?

RogersDarrell

I Plan to Stick Around
Posts: 8

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Anyone? We were shut down again 2 days ago. I replaced the router on the suggestion of the Rogers Security team. I just logged into my OpenDNS account and there are still hundreds of requests overnight to *.phub.net.cable.rogers.com. Do you think it has something to do with this ancient Scientific Atlanta modem (DPX2100) and potential exploits?

Thanks

I Plan to Stick Around
Posts: 124

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

If you turn off ALL of your internal devices (desktops, laptops, tablets, phones, etc.) for an extended amount of time (e.g. a couple of hours), do the hits still exist? Sounds like an internal machine has some malware and is part of a botnet doing network sweeps.

Resident Expert
Posts: 13,884

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

@sbenninger wrote:

If you turn off ALL of your internal devices (desktops, laptops, tablets, phones, etc.) for an extended amount of time (e.g. a couple of hours), do the hits still exist? Sounds like an internal machine has some malware and is part of a botnet doing network sweeps.


I agree with this.  Probably the best way of sorting it out.
Turn it ALL off, then only turn one back on at a time, for an extended period (this may take a few days to test then). Add one, check for activity, check the next, etc.
Until/if you find the one causing it.

The only other possibility, while not a large one, is still possible and does happen sometimes: MAC cloning. Malicious groups clone the MAC address of the modem and have it elsewhere on the network, causing issues, but at the same time it then appears to come from you. (Though this scenario is a lot less likely.)

I Plan to Stick Around
Posts: 152

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

This may be a bit more granular than you would like, but I would recommend running something like Wireshark on your internal network, which can let you visualize and quantify the traffic that is moving between devices on your network as well as across your router. It's free and relatively easy to use.

L.

I Plan to Stick Around
Posts: 124

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Wireshark can be difficult to use, especially trying to decipher good from bad traffic if you don't know how to parse the captures.

The other issue in a switched environment (including the switch on the router) is that you will not see all of the traffic, only the traffic in and out of the specific switch port you are connected to, be it unicast or broadcast traffic. AFAIK there is no way to turn on port mirroring on any residential gateway that I know of.

It can help if you run it on each pc or laptop but again you still need to know what to look for in the captures.
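On the point above that a per-host capture only helps if you know what to look for, here is an added example (not posted by any participant in this thread) that encodes two things a practitioner would look for in DNS flow records taken on each PC: a host answering udp/53 queries that arrive from non-local addresses (the symptom in an open-resolver report), and a host sending DNS to many servers other than the resolvers it is configured to use (typical of a bot doing its own lookups or sweeps). The flow records, the 192.168.1.0/24 subnet and the OpenDNS resolver addresses are constructed assumptions for the demonstration; in practice you would derive the records from a capture on each machine.

```python
"""Added example: two detection rules over per-host DNS flow records.
Flow records below are constructed, not taken from any real capture."""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed home subnet
RESOLVERS = {"208.67.222.222", "208.67.220.220"}      # OpenDNS resolvers (assumed config)
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip: str) -> bool:
    """RFC 1918 / loopback / link-local; anything else is treated as Internet."""
    a = ipaddress.ip_address(ip)
    return any(a in n for n in LOCAL_NETS)


# Constructed sample flows: (src_ip, dst_ip, proto, src_port, dst_port)
SAMPLE_FLOWS = [
    # .10: ordinary client, talks only to the configured resolvers
    ("192.168.1.10", "208.67.222.222", "udp", 51002, 53),
    ("192.168.1.10", "208.67.220.220", "udp", 51003, 53),
    # .20: receives queries from three Internet addresses (acting as an open resolver)
    ("198.51.100.7", "192.168.1.20", "udp", 4321, 53),
    ("203.0.113.9",  "192.168.1.20", "udp", 60001, 53),
    ("203.0.113.77", "192.168.1.20", "udp", 60002, 53),
    ("192.168.1.20", "198.51.100.7", "udp", 53, 4321),   # its reply; dport != 53, ignored
    # .30: queries four servers that are not the configured resolvers
    ("192.168.1.30", "8.8.8.8",      "udp", 40000, 53),
    ("192.168.1.30", "1.1.1.1",      "udp", 40001, 53),
    ("192.168.1.30", "9.9.9.9",      "udp", 40002, 53),
    ("192.168.1.30", "64.6.64.6",    "udp", 40003, 53),
    # unrelated traffic, skipped by both rules
    ("192.168.1.10", "93.184.216.34", "tcp", 52000, 443),
]


def analyze(flows, lan=LAN, resolvers=RESOLVERS, fanout_threshold=3):
    """Return hosts that answer Internet DNS queries and hosts with DNS fan-out."""
    inbound = defaultdict(set)    # LAN host -> non-local sources querying it on udp/53
    outbound = defaultdict(set)   # LAN host -> non-configured DNS servers it queried
    for src, dst, proto, _sport, dport in flows:
        if proto != "udp" or dport != 53:
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in lan and not is_local(src):
            inbound[dst].add(src)
        elif s in lan and not is_local(dst) and dst not in resolvers:
            outbound[src].add(dst)
    return {
        "answering_internet_queries": {h: sorted(v) for h, v in inbound.items()},
        "dns_fanout": {h: sorted(v) for h, v in outbound.items()
                       if len(v) >= fanout_threshold},
    }


if __name__ == "__main__":
    for rule, hosts in analyze(SAMPLE_FLOWS).items():
        print(rule, hosts)
```

Rule one is the direct counterpart of the abuse report: a home PC should never see a query arrive from outside on udp/53. Rule two is a heuristic; a threshold of 3 distinct non-configured servers is an assumption you would tune to your own network.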

I Plan to Stick Around
Posts: 8

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Thanks for all the assistance here.  I'm going to try the suggestion of shutting down the machines and re-enabling them one by one.  I also have a few boot-time scanning utilities I might try running to see what they can detect.  I tried Wireshark from my laptop, and it did seem a little daunting.  What are everyone's thoughts on TCPView?  Here is the information from Rogers in the email:

"Please be advised that we have received a report that your provisioned Rogers IP address is operating as an Open DNS server permitting unrestricted Recursive DNS Queries from anywhere on the Internet.

Open recursive DNS resolvers have been used to generate an increasing number of extremely large reflective DDoS attacks, without needing a large number of infected hosts to launch the attacks."

and

"IP XX.XXX.XXX.XXX seen acting as Botnet drone.
  data: TIMESTAMP: 2014-01-04 03:31:30
IP: XX.XXX.XXX.XXX
ASN: 812
GEO: CA
REGION: XXXXXXXXXXXXXXXXXX
CITY: XXXXXXXXX
PORT: 53
PROTOCOL: udp
HOSTNAME: XXXXXXXXXXXXXXXXXXXXX.cpe.net.cable.rogers.com
MIN_AMPLIFICATION: 5.0000"

Just blanked out some personal stuff. This is a mixed system environment containing OSes from 1x Windows 98SE machine all the way up to Windows 8 (98, XP, 7, 8).  I'm always a little worried about that Windows 98SE machine so I may start there.  There's some old software they like to use on it.
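The Rogers notice quoted above says the address was answering recursive queries from anywhere on the Internet and reports a MIN_AMPLIFICATION value. As an added example, not part of the thread and not Rogers' or OpenDNS' own tooling, this shows what that check looks like at the protocol level: build a DNS query with the RD (recursion desired) bit set, decode the response flags (RA, RCODE, answer count), and compute the response/query size ratio that makes such a host useful for reflection. The sample responses are constructed inside the code, so nothing on the network is contacted; the name example.com and the TEST-NET addresses are placeholders, and probe() is an assumed helper you would only run against your own address from outside the network being tested.

```python
"""Added example: what an 'open recursive resolver' report is testing, shown
offline against constructed DNS messages (layout per RFC 1035)."""
import socket
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query with RD=1 (recursion desired); qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_flags(resp: bytes) -> dict:
    """Decode the header fields that decide whether recursion was served."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid,
            "qr": bool(flags & 0x8000),      # 1 = this is a response
            "ra": bool(flags & 0x0080),      # recursion available
            "rcode": flags & 0x000F,         # 0 NOERROR, 5 REFUSED
            "ancount": an}


def classify(query: bytes, resp: bytes) -> dict:
    """Open resolver: a recursive query from an outside client came back with RA
    set, NOERROR and answers. Amplification is response bytes per query byte,
    the quantity the report's MIN_AMPLIFICATION field measures (here for an A
    query; ANY queries amplify far more)."""
    f = parse_flags(resp)
    if f["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    served = bool(f["qr"] and f["ra"] and f["rcode"] == 0 and f["ancount"] > 0)
    return {"open_resolver": served, "rcode": f["rcode"],
            "amplification": round(len(resp) / len(query), 2)}


def build_response(query: bytes, n_answers: int, ra: bool, rcode: int) -> bytes:
    """Constructed response for the demo: echoes the question section and
    appends n_answers A records (TEST-NET-1 addresses, 300 s TTL)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8100 | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, n_answers, 0, 0)
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, i + 1])
        for i in range(n_answers))
    return header + query[12:] + answers


def probe(host: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Live check (assumed helper, not run by the demo): send the recursive query
    over UDP/53 from outside the network; REFUSED or a timeout is the result you want."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (host, 53))
        resp, _ = s.recvfrom(4096)
    return classify(q, resp)


def demo() -> dict:
    """Offline run: one response as an open resolver would send, one as a
    properly restricted resolver would send."""
    q = build_query("example.com")
    return {"open": classify(q, build_response(q, 10, ra=True, rcode=0)),
            "refused": classify(q, build_response(q, 0, ra=False, rcode=5))}


if __name__ == "__main__":
    print(demo())
```

The 29-byte query against the constructed 10-answer response gives a ratio above the 5.0 the report cites, which is why a host like this is attractive as a reflector even without being infected; a resolver that only serves its own LAN answers the same query with RCODE 5 (REFUSED) and RA clear.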
I Plan to Stick Around
Posts: 124

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Interesting. That to me looks like your router may be allowing DNS requests from External IP addresses. For that to happen you would need to have firewall rules allowing inbound DNS requests.

These IPs in the email:

"IP XX.XXX.XXX.XXX seen acting as Botnet drone.
  data: TIMESTAMP: 2014-01-04 03:31:30
IP: XX.XXX.XXX.XXX

Are they Internal IP's of your machines or IP's of external hosts?
I Plan to Stick Around
Posts: 8

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

That is the external IP address from Rogers. I just replaced the router as well yesterday. Rogers is coming tomorrow to replace the Scientific Atlanta DPX2100 with the new Gateway/Modem. We'll see what that does.