Spectrum Security Alert

Diggs

I received a Spectrum security alert today (below). I'm a bit frustrated as to where to focus. I have 8 Windows machines, 3 Linux machines, 4 Android devices and 2 routers. I've run complete scans (MS anti-virus) on all the Windows machines and even tried the Spectrum (F-Secure) Antibot on the Windows machines. Nothing so far and I'm not sure what to try next. Spectrum is completely unhelpful as there is no mention of port, machine ID, internal IP, etc. A MAC address would be helpful. Hmmm....


Alert: Security Issue With Your Internet Account

Hello Diggs,
Spectrum has been notified of a potential security issue with your Internet service.



A device using your network may be infected by malicious software often disguised as a legitimate program or file. The infected device could be any computer, tablet, mobile device, set-top box (i.e., Firestick), smart home device, security camera or gaming console connected to your network.

Recommendations

Update anti-malware, firewall and antivirus software on computers, tablets and mobile devices.
Run a full anti-virus system scan on each device that uses your Spectrum Internet connection.
Use a tool such as the Spectrum AntiBot Scanner and/or other bot removal scans in conjunction with your anti-virus software to remove any malware.


The Spectrum AntiBot Scanner can be located at Spectrum.net/security
Consider taking your computers, tablets and mobile devices to a repair professional.
Update all operating systems that run on your devices (i.e, Windows, Apple OS, Linux Distro or Android).
Make sure that all routers, modems, cameras, set-top boxes, smart home devices and gaming consoles are updated.
Change passwords to email accounts, banking and other financial sites after the device has been cleared of any virus or malware.
 
I'm just asking the question since it has not already been answered. Did you pass the headers through something like mxtoolbox to make sure it's really from Spectrum?

Spectrum has been notified of a potential security issue with your Internet service.
Based on my experience a third party, could be anyone, ID'd the public IP owner and sent them a message. Have you run a scan against your public IP to make sure no ports are open?
 
I examined the headers closely and saw nothing that bothered me. The headers show Spectrum inter-network email. My Googling says this message verbiage is authentic. The link is for their network security page. Ublock didn't like the awstrack.me in the link but that's to be expected. Even if the email is a hoax/spam there's no gotcha! Nothing malicious.
 
Even if it's legit, I'd have a hard time taking it seriously if they didn't even give you a hint what or where the problem is. If they can't be bothered to do that, they can't be too concerned about it.

But maybe keep an eye on your network traffic for a while, and see if there's a device that's acting suspicious.
 
scans (MS anti-virus) on all the Windows machines

I spoke a bit too soon as one computer here takes forever to scan. Our media machine (Intel NUC with 2TB external drive) came up with "Browser Modifier: MSIL/ MediaArena". I had it removed but I'm having a hard time believing that is what Spectrum picked up on????
 
if there's a device that's acting suspicious

I'm starting to look at my routers with a raised eye. 🤨 I haven't checked firmware updates for them in forever.

Some discussions say that even a fat-fingered typing error on a domain address can trip this warning if the domain is black-listed or known to have problems through DNS.
 
Spectrum didn't pick it up. They get notified by a third party. They do have some monitoring that they do but it's somewhat limited. Most likely provided by a subcontracted third party. Malware spams, etc. have visible signatures. Had a similar situation years ago. I stupidly let my land lady's daughter and son-in-law use my wifi without monitoring their traffic. Got a similar notice but about DMCA. Not surprisingly they were using file sharing apps/services to share copyrighted materials through my Internet connection. Of course I cut them off immediately.
 
Have you run a scan against your public IP to make sure no ports are open?

I brushed this off earlier (as I stop by Steve Gibson's site now and then) but it's been a while since I visited Shields Up. It shows port 81 open(?) and "hosts2-ns" using it. Not familiar with hosts2-ns, I've been Googling away but not really getting anywhere. Port 81 shows open no matter which machine I run the tests from. I need to start shutting machines down and having only one running at a time when I test.

@add-
Hmmm.... Things got weird. The port 81 is open on the main router through UPnP pointing at one of my cheap IP security cams that are running on the second router(???). (Is China watching my garage door?) I have no idea where that router setting came from? I turned off UPnP and that deleted the port 81 entry. Now all shows secure on Shields Up.
 
You figured it out before I got to reply. Port scanning is looking at ports on the edge device. Not a computer/device on the LAN. Of course the port might lead to a device as you saw. UPnP is a common opening these days but you can/should be able to tell the edge device to ignore UPnP. So you don't have to worry about those exploits. Which has happened.

I'm sure you're ok but one last check I'd do is run Wireshark on the LAN. You can sort by IP address then see if any particular LAN device is sending way too much traffic. If your cams are brandx from China it's entirely possible they might have been the problem.
 
tell the edge device to ignore UPnP

I turned off UPnP on the router that was offending. I keep Angry and Intelligent IP Scanners on my old work laptop. I ran both and can identify everything on the network. A camera was the offending device and unfortunately they have high rate data streams. Figuring out what may go external vs. internal is a challenge.

I haven't really examined my network in a long time. I originally set up the IP cameras with their own router set up on a separate VLAN (192.168.2.xxx). Now I'm seeing all the cameras and the access point back on 192.168.1.xxx and am trying to figure out the why-for on that???
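An added example (not from anyone in this thread) of the triage suggested above: tally each LAN host's traffic from exported flow records and separate what stays on the LAN from what leaves it, so a camera streaming outbound stands out while a busy NAS that only talks internally does not. The `src,dst,bytes` format and all addresses are constructed for the example; the 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for external hosts.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows ("src,dst,bytes"), as you might export from a
# capture tool's conversation statistics. Made-up values, not real traffic.
SAMPLE_FLOWS = """\
192.168.1.23,192.168.1.10,1200000
192.168.1.23,203.0.113.45,950000000
192.168.1.23,203.0.113.46,120000000
192.168.1.40,192.168.1.10,400000
192.168.1.40,198.51.100.7,3000000
192.168.1.55,192.168.1.40,250000000
192.168.1.77,198.51.100.9,50000
"""

# Internal means RFC 1918 space; anything else is treated as leaving the LAN.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def summarize(flows: str) -> dict:
    """Return {src_ip: {"internal": bytes, "external": bytes}} for LAN senders."""
    totals = defaultdict(lambda: {"internal": 0, "external": 0})
    for line in flows.strip().splitlines():
        src, dst, nbytes = line.split(",")
        if not is_lan(src):
            continue  # only our own devices matter as senders here
        bucket = "internal" if is_lan(dst) else "external"
        totals[src][bucket] += int(nbytes)
    return dict(totals)

def flag_talkers(flows: str, external_threshold: int = 100_000_000) -> list:
    """LAN hosts whose bytes to external destinations exceed the threshold,
    most talkative first. Threshold is a constructed starting point; tune it
    to your own link."""
    summary = summarize(flows)
    noisy = [(src, t["external"]) for src, t in summary.items()
             if t["external"] > external_threshold]
    return sorted(noisy, key=lambda x: x[1], reverse=True)

if __name__ == "__main__":
    for src, t in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{src:15} internal={t['internal']:>13,} external={t['external']:>13,}")
    print("suspect external talkers:", flag_talkers(SAMPLE_FLOWS))
```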
 
I'm confused..... Shields up showed port 81 open again this morning and sure enough UPnP was turned back on with port 81 pointing to the same internal address of an IP camera. That camera is still unplugged (and is being replaced). Yesterday I just turned off UPnP. Today I turned it off and rebooted the router (TP-Link Archer A9). Firmware is up to date. Just remembered I still need to change the admin password.

Through this all port 0 keeps showing up on scans as closed. I don't remember port 0 ever showing up at all?

Meh - I found this all interesting for a while, now I'm getting a bit frustrated.
 