
Possible Plusnet attack effecting my Internet connection?

frank34uk
Dabbler
Posts: 13
Registered: ‎10-03-2014

Possible Plusnet attack effecting my Internet connection?

Hi,
Please could you start by reading this message I had from Plusnet sent to my Member Centre homepage:-
In order for us to maintain a high level of service, and protect our network against potential attacks, we need to make a change which affects your account.
This change is related to the broadband firewall which all of our customer accounts have access to.
We'll be making a change to block incoming traffic on ports 53, 111, 135, 137, 138, 139, 445, 515, 1080, 1433, 3128, 3306, 6000.
In most cases these ports will already be blocked by your local firewall however in the event of a compromised router, the ports may be unblocked or used in a potential attack.
It is unlikely you will need these inbound ports open; if you do, please visit http://contactus.plus.net and let us know by responding to this support ticket.
There's nothing you need to do, and your connection should continue to work as normal apart from a brief disconnection whilst we make these changes. In the vast majority of cases your router will automatically reconnect. If you experience problems getting reconnected following this maintenance please try a single reboot of your router.
Kind Regards,
Chris Parr
Customer Support

This message was posted to me on the 06/03/2014. Ever since then I've had nothing but problems with my internet connection and can only put it down to some form of attack on the Plusnet servers?
It all began when I simply logged into Windows and fired up my Firefox browser. My homepage is and always has been Google but for some VERY bizarre reason now I don't get Google?
Instead I get this:-

And every time I click OK I then get this :-

If I downloaded the Flash setup file to my PC and began installation, my AVG would automatically detect the file as a trojan.
On further investigation I can see the URL clearly states "http://www.google.co.uk/". The Firefox website identity also reports no ownership information of this webpage.
To start with I thought it was some form of phishing attack/virus/trojan in my PC. I did several scans using AVG, Malwarebytes..etc but they all came back clean.
This is where things got very strange! My wife went to Google on her iPhone and received the exact same message!???? So I turned on my tablet and went to Google on that. Guess what.... exact same message
No matter what device I have in my household, none of them can get on to Google without this stupid "Update your Flash Player" message! It's so frustrating.
I even went as far as formatting my PC and still have this message about Flash Player when going to Google homepage.
Also for some odd reason I can occasionally get onto Google fine and everything is as should be. Then later in the day the same problem again.
Also my wife tells me she can only get on Facebook half the time due to this problem.
I tried to reboot/reset my router, also making sure to change passwords for my administration panel and WPS2 connection in case of possible attacks on my router.
As already mentioned this problem comes and goes. Why? And how can it affect ALL hardware devices in my home.... PC, Laptop, iPhone, tablet!!!???
Could this problem be related to the message Plusnet had sent me about firewall ports?
I have been using Yahoo search to look up this problem on various websites but to no avail.
I really do hope somebody can help me with this problem. I am running out of ideas. Any help would be highly appreciated. Thanks
40 REPLIES
AndyH
Grafter
Posts: 6,824
Thanks: 1
Registered: ‎27-10-2012

Re: Possible Plusnet attack effecting my Internet connection?

I think this is some kind of malware because there is no Adobe Flash Player Pro....
picbits
Rising Star
Posts: 3,432
Thanks: 23
Registered: ‎18-01-2013

Re: Possible Plusnet attack effecting my Internet connection?

Double check the settings on your router especially those of the DNS - it could be some kind of DNS hijacking at your router level.
Also try typing the following at a CMD prompt on a Windows PC :
IPCONFIG /all and see what your DNS servers are set to.
pwatson
Rising Star
Posts: 2,470
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Possible Plusnet attack effecting my Internet connection?

As a test, try changing the network settings on the PC to use another DNS e.g. 8.8.8.8 and see if that changes the behaviour
picbits
Rising Star
Posts: 3,432
Thanks: 23
Registered: ‎18-01-2013

Re: Possible Plusnet attack effecting my Internet connection?

Oh - also download and run this :
http://usa.kaspersky.com/downloads/TDSSKiller
Some rootkit viruses aren't detectable by normal antivirus software
frank34uk
Dabbler
Posts: 13
Registered: ‎10-03-2014

Re: Possible Plusnet attack effecting my Internet connection?

Thanks for your comments guys. My DNS Servers are set to :-
50.63.128.135
8.8.8.8
Is that right?
pwatson
Rising Star
Posts: 2,470
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Possible Plusnet attack effecting my Internet connection?

It's affecting iPhones and tablets...  The router and DNS lookups are the common factor, not PC based malware.
The DNS setting of 50.63.128.135 is your problem.  As advised, go into your PC NIC settings and change your DNS server to one set manually.  
AndyH
Grafter
Posts: 6,824
Thanks: 1
Registered: ‎27-10-2012

Re: Possible Plusnet attack effecting my Internet connection?

No...
50.63.128.135 is a DNS hijacked site.
picbits
Rising Star
Posts: 3,432
Thanks: 23
Registered: ‎18-01-2013

Re: Possible Plusnet attack effecting my Internet connection?

The 50.63.128.135 looks very suspicious.
The 8.8.8.8 is your standard Google DNS
frank34uk
Dabbler
Posts: 13
Registered: ‎10-03-2014

Re: Possible Plusnet attack effecting my Internet connection?

Quote from: DomS
Oh - also download and run this :
http://usa.kaspersky.com/downloads/TDSSKiller
Some rootkit viruses aren't detectable by normal antivirus software

Thanks DomS, I will try this. But as mentioned I formatted my PC and still got this message after a clean install?? and to get it on all devices in my household makes things even weirder!
AndyH
Grafter
Posts: 6,824
Thanks: 1
Registered: ‎27-10-2012

Re: Possible Plusnet attack effecting my Internet connection?

Which router are you using?
picbits
Rising Star
Posts: 3,432
Thanks: 23
Registered: ‎18-01-2013

Re: Possible Plusnet attack effecting my Internet connection?

As above - you potentially have an issue with the DNS being incorrect on your router if your other devices are exhibiting the same problem.
http://www.bleepingcomputer.com/forums/t/526812/help-google-redirects-to-a-fake-flash-player-update-...
^^^^ someone else with the same issue and same hijacked DNS
frank34uk
Dabbler
Posts: 13
Registered: ‎10-03-2014

Re: Possible Plusnet attack effecting my Internet connection?

Ok, I will look at my DNS settings and see what I can do. Thanks for all your help guys!
pwatson
Rising Star
Posts: 2,470
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Possible Plusnet attack effecting my Internet connection?

Spoof DNS server based in the Ukraine

nslookup www.google.co.uk 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: www.google.co.uk
Address: 173.194.41.191
Name: www.google.co.uk
Address: 173.194.41.183
Name: www.google.co.uk
Address: 173.194.41.184

nslookup www.google.co.uk 50.63.128.135
Server: 50.63.128.135
Address: 50.63.128.135#53
www.google.co.uk canonical name = google.co.uk.
Name: google.co.uk
Address: 194.28.172.232

nslookup 194.28.172.232 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
232.172.28.194.in-addr.arpa name = dedic.dc.besthosting.ua.
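
The manual check in the post above (same name, two resolvers, compare the answers), as an added example that is not part of the thread. It parses the Unix-style nslookup output shown there (IPv4 only); the function names and the /16 comparison are assumptions made for this illustration.

```python
import ipaddress
import re

# nslookup output copied from the thread above.
TRUSTED = """Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: www.google.co.uk
Address: 173.194.41.191
Name: www.google.co.uk
Address: 173.194.41.183
Name: www.google.co.uk
Address: 173.194.41.184
"""
SUSPECT = """Server: 50.63.128.135
Address: 50.63.128.135#53
www.google.co.uk canonical name = google.co.uk.
Name: google.co.uk
Address: 194.28.172.232
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_nslookup(text):
    """Return (resolver, [answer addresses]) from nslookup output.

    The resolver's own 'Address: x.x.x.x#53' line is skipped because the
    pattern requires the address to end the line."""
    server = re.search(r"^Server:\s*(\S+)", text, re.M)
    answers = re.findall(rf"^Address:\s*({IPV4})[ \t]*$", text, re.M)
    return (server.group(1) if server else None,
            [ipaddress.ip_address(a) for a in answers])

def compare_answers(trusted_text, suspect_text, prefix=16):
    """Return (resolver, answers outside trusted networks, flagged).

    Heuristic (assumption): large sites hand out different addresses per
    resolver, so exact matching is too noisy. A resolver is flagged only
    when none of its answers share a /prefix network with a trusted answer."""
    _, good = parse_nslookup(trusted_text)
    resolver, seen = parse_nslookup(suspect_text)
    nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in good}
    outside = [a for a in seen if not any(a in n for n in nets)]
    return resolver, outside, bool(seen) and len(outside) == len(seen)

if __name__ == "__main__":
    print(compare_answers(TRUSTED, SUSPECT))
```

A flagged resolver is a reason to inspect the router's DNS settings, not proof on its own; the reverse lookup in the post is the follow-up step.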
picbits
Rising Star
Posts: 3,432
Thanks: 23
Registered: ‎18-01-2013

Re: Possible Plusnet attack effecting my Internet connection?

In case you missed the above, what brand and model router are you using ?
Interestingly and rather scarily this appears to be happening to a few people recently. One is using an Edimax and the other is using a TP-Link router on that link I posted above.