Infected Sat TV / CCTV boxes?

Community Veteran
Posts: 5,172
Thanks: 480
Fixes: 20
Registered: 10-06-2010

Noticed a few entries in my firewall log recently, from other Plusnet IP addresses:
2014/12/03 19:31:07
IN=ppp0 OUT= MAC= SRC=80.189.their.ip DST=80.189.my.ip LEN=60 TOS=0x00 PREC=0x80 TTL=60 ID=39062 DF PROTO=TCP SPT=34976 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
2014/12/05 19:37:57
IN=ppp0 OUT= MAC= SRC=146.199.their.ip DST=146.199.my.ip LEN=60 TOS=0x00 PREC=0x80 TTL=59 ID=62927 DF PROTO=TCP SPT=60583 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0

They appear to be some sort of Satellite TV (or possibly CCTV) boxes, which are wide open, and have been found and infected with malware that's part of some IRC controlled botnet.
18 REPLIES
Community Veteran
Posts: 5,472
Thanks: 292
Fixes: 4
Registered: 11-08-2007

Re: Infected Sat TV / CCTV boxes?

I've seen those before - often every few seconds for days at a time to all four of my WAN addresses.
Last time I could be bothered to log anything, there were others, but these were the worst culprits -
<redacted>
I've even asked Plusnet to have a word with the account holders, but as far as I know nothing was done about it.
[Moderator's note: Personal information removed in accordance with this Forum Rule]
Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: 31-08-2007

Re: Infected Sat TV / CCTV boxes?

ejs, why have you redacted the sender's IP address? If they are sending out spurious/malicious garbage then we should all know about them.
Community Veteran
Posts: 5,172
Thanks: 480
Fixes: 20
Registered: 10-06-2010

Re: Infected Sat TV / CCTV boxes?

Because anyone could telnet into those IPs and do whatever they like. Which is most likely how the malware got on them.
Community Veteran
Posts: 5,472
Thanks: 292
Fixes: 4
Registered: 11-08-2007

Re: Infected Sat TV / CCTV boxes?

Would anyone really be stupid enough to try and connect to a machine that is known to be already infected?
Perhaps if the full IPs were known, then Plusnet might help by taking a look at their traffic and perhaps having a quiet word!
Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: 31-08-2007

Re: Infected Sat TV / CCTV boxes?

Rubbish. So you can just pick a random IP address and hack into it eh?
Community Gaffer
Posts: 17,665
Thanks: 658
Fixes: 162
Registered: 05-04-2007

Re: Infected Sat TV / CCTV boxes?

Quote
SRC=80.189.their.ip DST=80.189.my.ip
Quote
SRC=146.199.their.ip DST=146.199.my.ip

Are the other entries the same, in that the source IP is always from the same range as the destination?
If this post resolved your issue please click the 'This fixed my problem' button
 Chris Parr
 Plusnet Staff
Community Veteran
Posts: 5,172
Thanks: 480
Fixes: 20
Registered: 10-06-2010

Re: Infected Sat TV / CCTV boxes?

That's how I happened to notice that they were from other Plusnet IP addresses. And there were just about enough packets in total (10-20 or so over a few hours) for them to get noticed.
Is there a preferred way to report things like this? e.g. ticket, abuse@plus.net, or just not bother based on the reaction I got for not posting other people's IP addresses to the public forum.
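An added example, not part of the original thread: one way to pull the pattern discussed above (inbound TCP SYNs to port 23, with the source in the same range as the destination) out of iptables-style LOG lines like those in the first post. The sample lines are constructed with documentation-range addresses, and the /16 prefix length is an assumption based on the first two octets matching in the quoted entries.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the LOG format quoted in the thread.
# Addresses come from documentation ranges, not from the original post.
SAMPLE_LOG = """\
IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=198.51.100.200 LEN=60 TOS=0x00 PREC=0x80 TTL=60 ID=39062 DF PROTO=TCP SPT=34976 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=198.51.100.200 LEN=60 TOS=0x00 PREC=0x80 TTL=60 ID=39063 DF PROTO=TCP SPT=34977 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.200 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=101 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.200 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=7 DF PROTO=TCP SPT=443 DPT=40122 WINDOW=229 RES=0x00 ACK URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split one LOG line into KEY=value fields plus bare flags (SYN, ACK, DF)."""
    fields = dict(FIELD.findall(line))
    flags = {tok for tok in line.split() if "=" not in tok}
    return fields, flags

def telnet_probes(log_text, prefix_len=16):
    """Count inbound SYNs to TCP/23 per source and collect the sources that
    sit in the destination's own /prefix_len (assumed /16, see lead-in)."""
    counts, neighbours = Counter(), set()
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "23":
            continue
        if "SYN" not in flags or "ACK" in flags:
            continue  # keep only new connection attempts
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst_net = ipaddress.ip_network(
                f"{fields['DST']}/{prefix_len}", strict=False)
        except (KeyError, ValueError):
            continue  # redacted or malformed address, e.g. "80.189.their.ip"
        counts[str(src)] += 1
        if src in dst_net:
            neighbours.add(str(src))
    return counts, neighbours

if __name__ == "__main__":
    per_source, same_range = telnet_probes(SAMPLE_LOG)
    for ip, n in per_source.most_common():
        print(ip, n, "same range" if ip in same_range else "external")
```

The per-source counts and timestamps from the matching lines are the details an abuse desk would need in a ticket or a report to the abuse contact.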
Community Gaffer
Posts: 17,665
Thanks: 658
Fixes: 162
Registered: 05-04-2007

Re: Infected Sat TV / CCTV boxes?

Can you put all the details on a ticket? I'll get it passed to someone to take a look at.
 Chris Parr
 Plusnet Staff
Community Veteran
Posts: 1,136
Thanks: 2
Registered: 30-07-2007

Re: Infected Sat TV / CCTV boxes?

The RIPE information for my IP block lists abuse@plus.net as the abuse contact address.
F9 member since 4 Sep 1999
F9 ADSL customer since 27 Aug 2004
DLM manages your line the same way DRM manages your rights.
Look at all the pretty graphs! (now with uptime logging!)
Community Veteran
Posts: 5,172
Thanks: 480
Fixes: 20
Registered: 10-06-2010

Re: Infected Sat TV / CCTV boxes?

I've put the details of the first two IP addresses in ticket no. 95905934 plus a third IP (don't know what kind of computer or device was responsible for that one) spotted yesterday and today.
Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: 31-08-2007

Re: Infected Sat TV / CCTV boxes?

Quote from: ejs
............., or just not bother based on the reaction I got for not posting other people's IP addresses to the public forum.

What on earth are you on about? This forum, and other fora elsewhere on the internet are full of modem/router logs showing a variety of IP addresses trying to make unsolicited connections to the then user's IP address. For example here is a sample of mine from earlier in the year - because I'm on a dynamic IP address, I have no need to redact the Dst Ip: from back in March, as I'm no longer on it.
<84> Mar 12 23:08:45 IDS proto parser : tcp null port (1 of 1) : 123.151.42.61   87.112.136.26   40   41  TCP 12206->0 [S.....] seq 1741428515 ack 0 win 8192
<81> Mar 13 01:32:51 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 61.234.109.246 Dst ip: 87.112.136.26 Type: Time Exceeded Code: Time to Live exceeded in Transit
<81> Mar 13 03:28:55 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 202.39.218.14 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Communication with Destination Host is Administratively Prohibited
<81> Mar 13 03:32:31 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 211.178.52.60 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 07:52:59 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 129.44.137.232 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 08:50:38 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 67.51.197.18 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 08:52:56 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 75.139.241.82 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 10:39:28 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 222.140.55.133 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 13:33:49 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 14.43.166.154 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 14:27:00 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 61.234.109.246 Dst ip: 87.112.136.26 Type: Time Exceeded Code: Time to Live exceeded in Transit
<81> Mar 13 15:03:33 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 201.199.39.66 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 15:17:22 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 218.166.218.126 Dst ip: 87.112.136.26 Type: Destination Unreachable Code: Port Unreacheable
<81> Mar 13 15:43:25 FIREWALL icmp check (1 of 1): Protocol: ICMP  Src ip: 210.48.107.30 Dst ip: 87.112.136.26 Type: Time Exceeded Code: Time to Live exceeded in Transit
Would you like to pick any of them at random and hack into them? (rolls eyes)
@Oldjim
Regarding reply #1, can you please explain exactly what is "Personal" about information that's available in the Public Domain?
Community Veteran
Posts: 5,172
Thanks: 480
Fixes: 20
Registered: 10-06-2010

Re: Infected Sat TV / CCTV boxes?

This thread is not about any random IP addresses, nothing I've said is about any random IP addresses.
Community Veteran
Posts: 19,101
Thanks: 443
Fixes: 21
Registered: 31-08-2007

Re: Infected Sat TV / CCTV boxes?

I don't believe I've said anything about "random IP addresses" either. I just suggested you could "pick one" at random.
Community Veteran
Posts: 5,172
Thanks: 480
Fixes: 20
Registered: 10-06-2010

Re: Infected Sat TV / CCTV boxes?

Quote from: Anotherone
Rubbish. So you can just pick a random IP address and hack into it eh?

From a list of two IP addresses? What's your point?