I'm using the Asus ac1900p router. I have that IP blocked on the router so if there is malware it won't cause any more problems. But I still need to figure out if this is a false alarm or not. I wonder if my android boxes can get the botnets...
I assume that you're running Merlin's Asuswrt. Do you have Skynet loaded? If so, you can block inbound and outbound attempts from/to any IP address, block whole countries and watch any LAN IP address for attempts to contact a blocked IP address. It should be possible to parse through the Skynet log to look for specific IP addresses.
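As an added example (not code from the thread, Skynet, or Asuswrt-Merlin), here is a small POSIX shell function that does the log parsing suggested above: given a blocked destination IP, it scans block-log lines and reports which LAN source addresses tried to reach it, how many times, and when they were last seen. It assumes the log lines are in the netfilter/iptables LOG format (SRC=, DST=, DPT= fields) with a Skynet-style "[BLOCKED - OUTBOUND]" prefix; the sample lines, hostnames and LAN addresses below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find which LAN host is talking to a blocked destination IP
# by parsing Skynet-style netfilter block log lines.
# Assumption: lines look like the iptables LOG format with a
# "[BLOCKED - OUTBOUND]" prefix. The sample log below is constructed.

SAMPLE_LOG='Jul 13 02:20:37 router kern.warn kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.57 DST=18.104.22.168 LEN=60 PROTO=TCP SPT=51234 DPT=80
Jul 13 02:21:02 router kern.warn kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.1 LEN=40 PROTO=TCP SPT=4444 DPT=22
Jul 13 02:25:11 router kern.warn kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.57 DST=18.104.22.168 LEN=60 PROTO=TCP SPT=51240 DPT=80
Jul 13 02:30:45 router kern.warn kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.23 DST=18.104.22.168 LEN=60 PROTO=TCP SPT=40001 DPT=80'

# lan_sources_for_dst DST_IP
# Reads log lines on stdin and prints one line per LAN source that tried to
# reach DST_IP, most frequent first:  "<count> <src_ip> <last_seen>"
# Only OUTBOUND blocks are considered: an inbound hit tells you about the
# scanner, not about a possibly infected device on your LAN.
lan_sources_for_dst() {
    awk -v want="$1" '
        /\[BLOCKED - OUTBOUND\]/ {
            src = ""; d = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) d = substr($i, 5)
            }
            if (d == want && src != "") {
                count[src]++
                last[src] = $1 " " $2 " " $3   # syslog month/day/time
            }
        }
        END { for (s in count) printf "%d %s %s\n", count[s], s, last[s] }
    ' | sort -rn
}

# Convenience wrapper over the constructed sample so the block runs stand-alone.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | lan_sources_for_dst "$1"
}

demo 18.104.22.168
```

In practice you would pipe the router's syslog or Skynet log file into `lan_sources_for_dst` instead of the sample. The output gives you a LAN IP, not a device; on Asuswrt-Merlin the DHCP lease table (typically /var/lib/misc/dnsmasq.leases) maps that IP to a MAC address and hostname, which is usually enough to pick out the Android box or PC that needs a closer look. If a blocked destination shows up from several different LAN addresses at once, check the DHCP reservations first, since a device whose lease changed will appear under more than one IP.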
Just installed Skynet. Would you recommend I turn on AI Protection or is Skynet enough?
AI Protection is a conundrum. There are privacy issues, as your websites are cleared by Trend Micro, so Trend Micro knows what sites you visit, and then there's the question of whether or not AI Protection actually indicates if it detects anything. With Skynet and Diversion running on my 86U, I hadn't seen any records for weeks if not months, but then, I block a number of countries, inbound and outbound, so perhaps the blocking takes care of a number of potential incidents; still, I would have expected some indication from AI Protection. In any event, I found that AI Protection caused more stability issues than it was worth, so I disabled it. For your particular circumstance, perhaps it's worth turning it on to see if it indicates anything. Watch for any problems running the add-ons that you didn't have previous to this. If that happens, I'd blame it on AI Protection.
Don't know, perhaps Trend Micro has done something to improve the stability? It might be worth a shot as I haven't run it for a considerable amount of time. I'm considering loading Suricata to see what turns up.
Note that for country blocking, adding countries to an existing list requires that you re-enter the entire existing list plus the new countries. As that's a paste into the command line, it's not difficult. So, for example, if you had Russia and China in the existing list:
as displayed in that fashion in Skynet, to add other countries you would enter:
cn ru pt ro rs
for China, Russia, Portugal, Romania and Serbia.
Whenever you enter a country list of any length, the existing list is removed and then the IP addresses for each country in the new list are downloaded for blocking purposes. This list isn't updated after it's downloaded, but I don't know if the IP blocks assigned to countries change very much, if at all. So, to update the country IP address list that corresponds to the entered countries, you would have to enter the same list again, to automatically remove the existing IP list, download the current IP list and automatically load that into the blocking list.
Fwiw, I also run a 68U with the same long country block list. I don't run Diversion on the 68U as I don't know how the 68U will do for available memory, even with the swap file. I don't keep track of the 68U's available memory on a regular basis and it's been a while since I looked at it.
I have the same issue as @stockylobster
data: SOURCE TIME: 2020-07-13 02:20:37Z
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: isrstealer
TYPE: botnet drone
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 18.104.22.168
DESTINATION PORT: 80
I have received the same email 3 times but with a different UUID.
I ran malwarebytes on my laptop and desktop and found nothing. I even factory reset them.
I have a hitron-cgn3 modem bridged to a d-link dir-859 router.
I have blocked the destination IP.
Anyone know how I can find the infected device?
Thank you for your post and welcome to the Community.
I hope you and your loved ones are doing well and staying safe.
I understand your desire to know what is causing this notification and you've certainly come to the right place to find out more.
If you're experiencing the same issue as @stockylobster, I'd recommend you have a look at @Datalink's reply to his problem. If you've already gone through those steps and you need further assistance, please let us know!