Infected Sat TV / CCTV boxes?

ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: 10-06-2010

Noticed a few entries in my firewall log recently, from other Plusnet IP addresses:
2014/12/03 19:31:07
IN=ppp0 OUT= MAC= SRC=80.189.their.ip DST=80.189.my.ip LEN=60 TOS=0x00 PREC=0x80 TTL=60 ID=39062 DF PROTO=TCP SPT=34976 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
2014/12/05 19:37:57
IN=ppp0 OUT= MAC= SRC=146.199.their.ip DST=146.199.my.ip LEN=60 TOS=0x00 PREC=0x80 TTL=59 ID=62927 DF PROTO=TCP SPT=60583 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0

They appear to be some sort of Satellite TV (or possibly CCTV) boxes, which are wide open, and have been found and infected with malware that's part of some IRC-controlled botnet.
Anonymous
Not applicable

Re: Infected Sat TV / CCTV boxes?

I've seen those before - often every few seconds for days at a time to all four of my WAN addresses.
Last time I could be bothered to log anything, there were others, but these were the worst culprits -
<redacted>
I've even asked Plusnet to have a word with the account holders, but as far as I know nothing was done about it.
[Mod note: Personal information removed in accordance with this Forum Rule]
Anotherone
Champion
Posts: 19,107
Thanks: 457
Fixes: 21
Registered: 31-08-2007

Re: Infected Sat TV / CCTV boxes?

ejs, why have you redacted the sender's IP address? If they are sending out spurious/malicious garbage then we should all know about them.
ejs

Re: Infected Sat TV / CCTV boxes?

Because anyone could telnet into those IPs and do whatever they like. Which is most likely how the malware got on them.
Anonymous
Not applicable

Re: Infected Sat TV / CCTV boxes?

Would anyone really be stupid enough to try and connect to a machine that is known to be already infected?
Perhaps if the full IPs were known, then Plusnet might help by taking a look at their traffic and perhaps having a quiet word!
Anotherone

Re: Infected Sat TV / CCTV boxes?

Rubbish. So you can just pick a random IP address and hack into it eh?
Chris
Legend
Posts: 17,724
Thanks: 600
Fixes: 169
Registered: 05-04-2007

Re: Infected Sat TV / CCTV boxes?

Quote
SRC=80.189.their.ip DST=80.189.my.ip
Quote
SRC=146.199.their.ip DST=146.199.my.ip

Are the other entries the same, in that the source IP is always from the same range as the destination?
Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.
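
The check asked about above (is the source in the same range as the destination?), applied to inbound telnet connection attempts in netfilter LOG lines like those in the opening post. This is an added example, not part of any post in the thread; the sample lines are constructed, and treating a shared /16 as "same range" is an assumption taken from the matching first two octets in the quoted entries.

```python
import ipaddress
from collections import Counter

# Constructed sample in the netfilter LOG format quoted in the opening post.
# Addresses are RFC 5737 documentation ranges, except the last line, which
# keeps the post's redacted form to show how it is handled.
_TAIL = "WINDOW=14600 RES=0x00 SYN URGP=0"
SAMPLE_LOG = f"""\
2014/12/03 19:31:07
IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=192.0.2.77 LEN=60 TTL=60 DF PROTO=TCP SPT=34976 DPT=23 {_TAIL}
IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=192.0.2.77 LEN=60 TTL=60 DF PROTO=TCP SPT=34977 DPT=23 {_TAIL}
IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.77 LEN=60 TTL=59 DF PROTO=TCP SPT=60583 DPT=23 {_TAIL}
IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=192.0.2.77 LEN=60 TTL=60 DF PROTO=TCP SPT=34978 DPT=443 {_TAIL}
IN=ppp0 OUT= MAC= SRC=80.189.their.ip DST=80.189.my.ip LEN=60 TTL=60 DF PROTO=TCP SPT=34976 DPT=23 {_TAIL}
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Split one LOG line into KEY=value fields plus the bare TCP flag tokens."""
    tokens = line.split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    fields["FLAGS"] = {t for t in tokens if t in TCP_FLAGS}
    return fields

def telnet_probes(log_text, prefix_len=16):
    """Return (source, same_range) for each new inbound connection attempt to TCP/23."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != "23":
            continue
        if f["FLAGS"] != {"SYN"}:  # SYN alone = new connection attempt
            continue
        try:
            src = ipaddress.ip_address(f["SRC"])
            # prefix_len=16 is an assumption, not the ISP's real allocation size
            my_net = ipaddress.ip_network(f"{f['DST']}/{prefix_len}", strict=False)
        except (KeyError, ValueError):
            continue  # redacted or malformed address
        hits.append((str(src), src in my_net))
    return hits

def summarize(log_text):
    """Count probes per source, ready to paste into an abuse report or ticket."""
    counts = Counter(telnet_probes(log_text))
    return {src: {"probes": n, "same_range_as_me": same}
            for (src, same), n in counts.items()}
```

For a real report, the ISP's actual allocation (from the RIPE database entry for the address) is a better test of "same provider" than a fixed prefix length.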
ejs

Re: Infected Sat TV / CCTV boxes?

That's how I happened to notice that they were from other Plusnet IP addresses. And there were just about enough packets in total (10-20 or so over a few hours) for them to get noticed.
Is there a preferred way to report things like this? e.g. ticket, abuse@plus.net, or just not bother based on the reaction I got for not posting other people's IP addresses to the public forum.
Chris

Re: Infected Sat TV / CCTV boxes?

Can you put all the details on a ticket? I'll get it passed to someone to take a look at.
avatastic
Grafter
Posts: 1,136
Thanks: 2
Registered: 30-07-2007

Re: Infected Sat TV / CCTV boxes?

The RIPE information for my IP block lists abuse@plus.net as the abuse contact address.
F9 member since 4 Sep 1999
F9 ADSL customer since 27 Aug 2004
DLM manages your line the same way DRM manages your rights.
Look at all the pretty graphs! (now with uptime logging!)
ejs

Re: Infected Sat TV / CCTV boxes?

I've put the details of the first two IP addresses in ticket no. 95905934 plus a third IP (don't know what kind of computer or device was responsible for that one) spotted yesterday and today.
Anotherone
Champion

Re: Infected Sat TV / CCTV boxes?

Quote from: ejs
............., or just not bother based on the reaction I got for not posting other people's IP addresses to the public forum.

What on earth are you on about? This forum, and other fora elsewhere on the internet are full of modem/router logs showing a variety of IP addresses trying to make unsolicited connections to the then user's IP address. For example here is a sample of mine from earlier in the year - because I'm on a dynamic IP address, I have no need to redact the Dst Ip: from back in March, as I'm no longer on it.
<84> Mar 12 23:08:45 IDS proto parser : tcp null port (1 of 1) : 123.151.42.61   87.112.136.26   40   41  TCP 12206->0 [S.....] seq 1741428515 ack 0 win 8192
<81> Mar 13 01:32:51 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 61.234.109.246 Dst ip: 87.112.136.26 Type: Time Exceeded Code: Time to Live exceeded in Transit
<81> Mar 13 03:28:55 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 202.39.218.14 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
<81> Mar 13 03:32:31 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 211.178.52.60 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 07:52:59 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 129.44.137.232 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 08:50:38 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 67.51.197.18 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 08:52:56 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 75.139.241.82 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 10:39:28 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 222.140.55.133 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 13:33:49 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 14.43.166.154 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 14:27:00 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 61.234.109.246 Dst ip: 87.112.136.26 Type: Time Exceeded Code: Time to Live exceeded in Transit
<81> Mar 13 15:03:33 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 201.199.39.66 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 15:17:22 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 218.166.218.126 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 15:43:25 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 210.48.107.30 Dst ip: 87.112.136.26 Type: Time Exceeded Code: Time to Live exceeded in Transit
Would you like to pick any of them at random and hack into them? (rolls eyes)
@Oldjim
Regarding reply #1, can you please explain exactly what is "Personal" about information that's available in the Public Domain?
ejs

Re: Infected Sat TV / CCTV boxes?

This thread is not about any random IP addresses, nothing I've said is about any random IP addresses.
Anotherone

Re: Infected Sat TV / CCTV boxes?

I don't believe I've said anything about "random IP addresses" either. I just suggested you could "pick one" at random.
ejs

Re: Infected Sat TV / CCTV boxes?

Quote from: Anotherone
Rubbish. So you can just pick a random IP address and hack into it eh?

From a list of two IP addresses? What's your point?