@Hergesheimer Read the abuse mail, it might show time, and public IP visited. Search those in your log, and you see internal IP and MAC address of infected devices. Block TCP port 23 on router. You can check if it is open from the web page:https://www.yougetsignal.com/tools/open-ports/
Reboot infected devices en restore them to factory settings. Install new firmwares and patches. Put your IoTs in a separate VLAN to monitor and put them behind a VPN or craft your firewall rules such that they only respond to known IP addresses.
If you dont know which devices are infected, reset all devices with linux (router, ip-camera, smart-things...). Change your passwords in all your devices.
When correct the Abuse team gave you some action to take like for example scanning your machines with malwarebytes. Weren't those instructions useful or did you not get any instructions from the Abuse team?
Dears,
Thanks for the quick reply. Unfortunately there is again no IP address mentioned in the email. Port 23 is closed by the way.
I have reset the Sat receiver twice so far. I don‘t have a camera but some smart plugs, some Amazon Alexas and a Hue bridge though. Will try to run malewarebyte over the Sat receiver.
Thanks again.
What did the Abuse team ask you to do?
This should be mentioned in the email you received.
I did all this already:
Wat is er aan de hand? Een of meer apparaten die zijn aangesloten op je internetverbinding zijn geïnfecteerd met het Mirai virus. We kunnen niet met zekerheid zeggen welk apparaat geïnfecteerd is. Waarschijnlijk is het een digitale video recorder (DVR), beveiligingscamera of printer die op het internet is aangesloten en dus geen computer, laptop, tablet of mobiele telefoon. Het Mirai virus verwijderen en in de toekomst voorkomen Volg onderstaande stappen. Mocht het niet lukken een stap uit te voeren, ga dan verder naar de volgende. - Bepaal welke apparaten zijn aangesloten op je internetverbinding.
Het Mirai virus infecteert met name op het internet aangesloten apparaten zoals een DVR, beveiligingscamera of printer. - Wijzig de wachtwoorden van de op het internet aangesloten apparaten. Kies een wachtwoord dat moeilijk te raden is. Controleer de handleiding van het apparaat als je het huidige wachtwoord niet weet.
Door het uitvoeren van deze stappen heb je toekomstige infecties voorkomen. - Herstart de op het internet aangesloten apparaten door deze uit en opnieuw aan te zetten. Hierna is het Mirai virus verwijderd uit het geheugen van de apparaten.
Je apparaten zijn nu veilig. Doorloop de volgende stappen om ook je router/modem te beschermen tegen toekomstig misbruik. - Reset je modem/router naar de fabrieksinstellingen. Op onze website staat beschreven hoe je dit kan doen voor een Experia Box.
| | - Stel het wachtwoord van je modem/router in. Op onze website staat beschreven hoe je dit kunt doen voor een Experia Box.
|
|
Oké, so just changing passwords and rebooting of the IoT devices should do the trick.
What concerns me is that you are asked to do the same with the Experia Box and that implies that the Experia/KPN Box could also be comprimised. This is strange as that means there must be a door in the firmware through which the virus was able to enter the Experia Box.
Do I understand that even after rebooting all you machines the issue still exists?
If that is the case I hope the Abuse team can give you more information.
@Raymondt, Do you have any idea how to tackle this?
I switched off all IoT devices but after a week we got another email from KPN. Thanks wjb!
Switch off isnt enough because Mirai may remain persistent on your system and may re-infect it. You need to restore to factory settings en patch the vulnerabilities. Change the default password of your IoTs. If you cant patch the vulerabilies Mirai will come back again. Block all linux devices telnet/SSH (inside your LAN too), block all android based device developers options en port 5555. Block outgoing traffics of your IoTs to internet en allow incomming only from known adress (like your work, your school and your intern LAN). Monitor TCP SYN queries in your network.
Wich router and sat-receiver do you have?
@wjb We ask for a modem reset because Mirai needs an open port to infect a device. Resetting the EB closes that port. The EB itself is not vulnerable for Mirai
@Hergesheimer Do you have an abuse ticket number, zo I can take a closer look?
Hello Dennis, Sorry there is no abuse ticket number. Let me please know what you need instead? Thanks a lot.
Hello Dennis, Sorry there is no abuse ticket number. Let me please know what you need instead? Thanks a lot.
Why don't you have an abuse ticket, didn't the mail you received contain a ticket number?
@HergesheimerYou did not reply to the email to ask for more information? Because the information regarding destination IP addresses and such is all availible. Its just not something we put in ur automatic warnings, as its not usefull for the overwhelming majority of our customers.
Edit: @wjb Our automatic warnings do not contain a ticket number, as they're not sent using our ticketing system. Only when there is actual correspondence with us after the warning will a ticket be created.
Switch off isnt enough because Mirai may remain persistent on your system and may re-infect it. You need to restore to factory settings en patch the vulnerabilities. Change the default password of your IoTs. If you cant patch the vulerabilies Mirai will come back again. Block all linux devices telnet/SSH (inside your LAN too), block all android based device developers options en port 5555. Block outgoing traffics of your IoTs to internet en allow incomming only from known adress (like your work, your school and your intern LAN). Monitor TCP SYN queries in your network.
Wich router and sat-receiver do you have?
The router is a TP-Link XE75 set to accesspoint mode. The Sat receiver is a VUE+ SE Uno. I did a malware check yesterday and there was nothing reported. Thanks again.
@Dennis ABD Thanks! We called the number and they just told us to follow what is in the enail.
Yeah, customer service has no details on what exactly is being seen, hence the email stating to contact us at abuse@kpn.com if you want/need more information.
@Dennis ABD Thanks Dennis. Will send an email to them.
@Dennis ABD Just got the same answer from them just in English. I was asking explicitly for more details but nothing. I feel a bit left alone (not from you) but from that abuse team. We pay a lot every month to KPN and just getting no help is sad. I don‘t know what to do now? They might close the Internet connection soon. Thanks anyway!
That should mean you now have a ticket number. I can have a look with that.
@Dennis ABD 381135865. They just answered again that they have no insight. Thanks Dennis
Ah, yes. I can see the confusion. We indeed cannot see which of the devices in your internal network is infected. What is interesting is that we only occasonally receive notifications, which leads me to believe its not a device always active on your network. The fact that we only receive portscanning notices and such on TCP port 23 does indicate Mirai, however.
I"ll send you a list with notifications we received.
Thanks a lot @Dennis ABD . Just received your mail. Will have a look later. Thanks for all your efforts!
@Dennis ABD I might have found the perpetrator thanks to your dates sent. It might be the Honeywell Home Total Connect wifi module. We have outages on those days ± one hour on those days. There are even more in between but not recognized by you. I don‘t know what to do with it but you helped us a lot Dennis if this is indeed the bad device!
Is it possible to give the Honeywell a factory reset and change the password of that Honeywell before it is connected to the Internet again.
@wjb will do. Thanks a lot!!