Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

I Plan to Stick Around
Posts: 124

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

If the replacement of that old modem does not change anything, I would suspect one or more of your PCs is infected with malware and participating in a botnet. In the meantime I would try to narrow down which one by powering them off and back on one at a time.

 

Depending on the router, you could also add an outbound block rule in the firewall settings so all traffic is blocked and logged. At that point, assuming the router has decent logging, you should see all the outbound requests in the block log and should be able to tell which machine(s) are the culprit. This option really depends on the router model you have.

I Plan to Stick Around
Posts: 152

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

How many computers do you have on your network? If it's a reasonably small network, you can probably just telnet on port 53 to each active IP address and see which machines are answering DNS requests.

 

You don't happen to have an AD or LDAP server on your network do you?

 

L.
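The port-53 sweep suggested above, as an added example (not part of the original thread). Telnet only tells you that something accepted the connection; sending a real DNS query and checking that the reply is a DNS response with our transaction ID separates an actual resolver or forwarder from some other service that happens to sit on port 53. One caveat for this thread: a host that merely sends lots of DNS queries (a chatty client) will not answer on 53, so this finds machines running a DNS service, not the noisy client itself. The LAN range in the `__main__` block and the probe name `example.com` are assumptions; change them to suit.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction ID so the reply can be matched to our query


def build_query(name, qtype=1):
    """Encode a standard DNS query (A record by default): 12-byte header,
    then QNAME as length-prefixed labels, then QTYPE and QCLASS=IN."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return (txid, is_response, rcode, answer_count) from a DNS message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, bool(flags & 0x8000), flags & 0x000F, an


def classify_reply(msg):
    """Classify the bytes a host returned to our query (pure function, testable offline)."""
    if len(msg) < 12:
        return "open-not-dns"
    txid, is_resp, _rcode, _an = parse_header(msg)
    return "dns" if is_resp and txid == TXID else "open-not-dns"


def probe_tcp53(ip, name="example.com", port=53, timeout=1.0):
    """Connect to ip:port over TCP, send the query with the 2-byte length
    prefix that DNS-over-TCP uses, and report one of:
    'dns', 'open-not-dns', 'closed', 'timeout'."""
    q = build_query(name)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            hdr = s.recv(2)
            if len(hdr) < 2:
                return "open-not-dns"
            (length,) = struct.unpack("!H", hdr)
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
            return classify_reply(data)
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "timeout"


def sweep(hosts, **kw):
    """Probe every host and return {ip: result}."""
    return {h: probe_tcp53(h, **kw) for h in hosts}


if __name__ == "__main__":
    # Assumed LAN range; a /24 probed serially at a 1 s timeout can take minutes,
    # so on a six-machine network list the known addresses instead.
    for ip, result in sweep(f"192.168.0.{i}" for i in range(1, 255)).items():
        if result != "closed":
            print(ip, result)
```

A result of `dns` on a workstation that should not be running a resolver is the interesting case; `open-not-dns` means something else owns the port and deserves a look with the process tools discussed later in the thread.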

I Plan to Stick Around
Posts: 8

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

It's 6 machines and no AD or LDAP.  The new router (DIR-655) supports syslog, so I think I'll try the freeware tool logsniffer and just see what activity occurs at a 'quiet' time and from what IPs.  That should prove interesting.

 

Thanks for the help.  I'm going to be working on it in a few hours from now, so I'll update everyone how it goes.
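Both the "block everything outbound and read the block log" suggestion earlier in the thread and the syslog plan in the post above come down to the same analysis: count blocked or logged outbound attempts per source host and see who is hammering port 53. The script below is an added example, not something from the thread or the D-Link firmware. The log lines in it are constructed, and the "Blocked outbound ..." wording is an assumption: the DIR-655's real syslog text will differ, so adapt `LINE_RE` to one genuine line before feeding it the router's output (logsniffer or any syslog collector can write the lines to a file for it).

```python
import re
from collections import Counter

# Constructed sample syslog lines (TEST-NET addresses); format is assumed.
SAMPLE_LOG = """\
Jan 14 02:13:01 DIR-655 firewall: Blocked outbound UDP 192.168.0.12:51322 -> 203.0.113.53:53
Jan 14 02:13:01 DIR-655 firewall: Blocked outbound UDP 192.168.0.12:51323 -> 203.0.113.53:53
Jan 14 02:13:02 DIR-655 firewall: Blocked outbound TCP 192.168.0.20:49210 -> 198.51.100.7:443
Jan 14 02:13:02 DIR-655 firewall: Blocked outbound UDP 192.168.0.12:51324 -> 203.0.113.53:53
Jan 14 02:13:03 DIR-655 dhcp: lease renewed for 192.168.0.31
Jan 14 02:13:04 DIR-655 firewall: Blocked outbound UDP 192.168.0.31:60001 -> 203.0.113.53:53
Jan 14 02:13:05 DIR-655 firewall: Blocked outbound UDP 192.168.0.12:51325 -> 203.0.113.53:53
Jan 14 02:13:06 DIR-655 firewall: Blocked outbound UDP 192.168.0.12:51326 -> 203.0.113.53:53
"""

# Assumed line shape; replace with a pattern matching the router's real output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ firewall: Blocked outbound "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_block_log(text):
    """One dict per firewall block line; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events


def count_by_flow(events):
    """Blocked attempts per (source host, destination host, destination port)."""
    return Counter((e["src"], e["dst"], e["dport"]) for e in events)


def count_by_src(events, dport=None):
    """Blocked attempts per source host, optionally restricted to one destination port."""
    return Counter(e["src"] for e in events if dport is None or e["dport"] == dport)


def top_talker(events, dport=None):
    """Source host with the most blocked attempts, or None if there are no events."""
    c = count_by_src(events, dport)
    return c.most_common(1)[0][0] if c else None


def noisy_hosts(events, dport=53, threshold=3):
    """Hosts with more than `threshold` blocked attempts to `dport`.
    The threshold is arbitrary for the sample; derive it from what a quiet
    hour on your own LAN actually looks like."""
    return sorted(h for h, n in count_by_src(events, dport).items() if n > threshold)


if __name__ == "__main__":
    evs = parse_block_log(SAMPLE_LOG)
    for flow, n in count_by_flow(evs).most_common():
        print(f"{n:4d}  {flow[0]} -> {flow[1]}:{flow[2]}")
    print("top DNS talker:", top_talker(evs, 53), "noisy:", noisy_hosts(evs))
```

Run it over an hour of logs captured while nobody is using the machines; a single host dominating the port-53 flows is the one to pull off the network and examine first.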

I Plan to Stick Around
Posts: 8

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Well, I spent 4 hrs working on site last night and I couldn't find anything out of the normal traffic-wise by doing a little sniffing around.  On the Windows 7/8 machines I could see relatively frequent requests to phub.net.cable.rogers.com from svchost (Network) and another process, PIDs 4 and 1214.  Everything seemed normal to me, as they do have a lot of software that would connect to the Internet on a regular basis.  Nothing suspicious at all...

 

I performed very extensive boot-time scans on all of the PCs with a myriad of tools recommended for busting botnet drones and again everything was clean.

 

Anyway, Rogers is replacing the ancient modem (Webstar DPX2100) this morning so we'll see how that goes.  I'm thinking that simply replacing that terribly old/potentially insecure Cisco WRV210 gateway might have done it tbh.

I Plan to Stick Around
Posts: 124

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

I would be a little cautious of those svchost processes. Many types of malware hide themselves as svchost so they are less likely to be detected. A tool like Process Explorer could give you more insight as to what is behind those particular svchost executables.

 

http://technet.microsoft.com/en-ca/sysinternals/bb896653.aspx

 

Hopefully it is just the modem though.
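Process Explorer answers the "what is behind this svchost" question interactively; the same attribution can be done from two built-in commands, `netstat -ano` (connections with owning PID) and `tasklist /svc` (which services each PID hosts), and that is what the added example below does so it can run offline. It is not code from the thread or from Microsoft; the command output embedded in it is constructed, and the PIDs, addresses and the `updater.exe` name are made up. Two facts it relies on: PID 4 is always the Windows System process (kernel-mode activity such as SMB, so a "request from PID 4" is not a user program), and a real svchost.exe instance is started by the Service Control Manager to host at least one service, so an svchost that hosts none is worth a second look. The port-53 heuristic is weaker: some applications do their own DNS lookups, so it is a prompt to check the binary, not a verdict.

```python
import re

# Constructed sample of `netstat -ano` output (TEST-NET remote addresses).
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.12:49711     203.0.113.53:53        ESTABLISHED     1214
  TCP    192.168.0.12:49712     198.51.100.7:443       ESTABLISHED     2860
  TCP    192.168.0.12:445       0.0.0.0:0              LISTENING       4
  UDP    192.168.0.12:51322     *:*                                    1214
  UDP    192.168.0.12:60004     *:*                                    3344
"""

# Constructed sample of `tasklist /svc` output for the same host.
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1214 Dnscache, NlaSvc
svchost.exe                   3344 N/A
updater.exe                   2860 N/A
"""


def parse_netstat(text):
    """One dict per TCP/UDP line; UDP lines have no State column."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        if f[0] == "TCP":
            proto, local, foreign, state, pid = f[0], f[1], f[2], f[3], f[4]
        else:
            proto, local, foreign, state, pid = f[0], f[1], f[2], "", f[3]
        fport = foreign.rsplit(":", 1)[1]
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "fport": int(fport) if fport.isdigit() else None,
                      "state": state, "pid": int(pid)})
    return conns


SVC_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def parse_tasklist_svc(text):
    """Map PID -> {'image', 'services'}; 'N/A' becomes an empty service list."""
    procs, last = {}, None
    for line in text.splitlines():
        m = SVC_RE.match(line)
        if m:
            svcs = [s.strip() for s in m["svcs"].split(",") if s.strip() and s.strip() != "N/A"]
            last = int(m["pid"])
            procs[last] = {"image": m["image"].strip(), "services": svcs}
        elif line.startswith(" ") and line.strip() and last is not None:
            # tasklist wraps long service lists onto indented continuation lines
            procs[last]["services"] += [s.strip() for s in line.split(",") if s.strip()]
    return procs


def attribute(netstat_text, tasklist_text):
    """Join each connection to the image name and hosted services of its PID."""
    procs = parse_tasklist_svc(tasklist_text)
    out = []
    for c in parse_netstat(netstat_text):
        p = procs.get(c["pid"], {"image": "?", "services": []})
        out.append({**c, "image": p["image"], "services": list(p["services"])})
    return out


def flags(entry):
    """Heuristic reasons to look harder at one connection; none of them is proof."""
    reasons = []
    if entry["image"].lower() == "svchost.exe" and not entry["services"]:
        reasons.append("svchost.exe hosting no service")
    if entry["fport"] == 53 and "Dnscache" not in entry["services"]:
        reasons.append("DNS traffic outside the DNS Client service")
    if entry["image"] == "?":
        reasons.append("PID not in tasklist (exited, or snapshots taken too far apart)")
    return reasons


if __name__ == "__main__":
    for e in attribute(NETSTAT, TASKLIST):
        print(f'{e["proto"]:3} {e["local"]:22} -> {e["foreign"]:20} pid={e["pid"]:<5} '
              f'{e["image"]:12} {",".join(e["services"]) or "-":20} {"; ".join(flags(e))}')
```

On a live machine, run both commands from an elevated prompt at the same moment and paste their output in place of the two constants. Process Explorer still adds what neither command gives: the image path, the command line and the signature check, which is how a copied-in "svchost.exe" running from the wrong directory gets caught.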

I Plan to Stick Around
Posts: 8

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Thanks for that.  I remember using that utility years ago now and it's very useful.

I Plan to Stick Around
Posts: 8

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Just to give you guys an idea of what I'm talking about, here's a shot of the OpenDNS activity for today up until this point:

 

http://i.minus.com/i9spmEeDY4Cip.jpg