Bot on my 722?

kmkohler, Well-Known SatelliteGuys Member (original poster), Corvallis, OR, Apr 14, 2007
I just got an email from Comcast warning me that my computer "may be infected by a bot". Since the only devices currently on my network connection are a 722 and a LinkSys router, it's hard to see how that could be true. Is it actually conceivable that a Dish DVR could be infected like that? I suspect Comcast is just confused, but is there another explanation?
 
... Is it actually conceivable that a Dish DVR could be infected like that? ...

No, it is not.

... I suspect Comcast is just confused, but is there another explanation?

If your router is also a wireless access point, it might be possible that one or more of your neighbors is using it and they have the infection.
I find it interesting that you have a high speed internet connection and use it only for your 722. How were you able to post this (use a public computer, or some other internet access)? Or, could it be that you also have a PC that might be infected (yours) connected to your Comcast internet?

Note that the trigger for the bot detection may have happened days before the message was sent to you. You need to be concerned about anything that has been on your network anytime in the last several days, not just at this minute.
 
Their bot notification doesn't give instances and data to support what they see ... they just tell you they've seen traffic, and suspect it ... and when you ask them for the details they never write back, assuming that the customer has no clue and should just take Comcast at its word.

Same company that was found to be lying about their "traffic shaping" for people who were using BitTorrent ... not even going after the specific people involved in *over* use ... but just anyone, regardless of how much traffic they had consumed.

If your wireless isn't open, and you're using WPA/WPA2 and not with an easy pass-phrase ... you should be relatively OK ... but you should try to monitor usage to see if someone's using your net while you're not there ... also try anyway to contact Comcast to ask them if they can get you specific details that lead them to believe the traffic is bot related. You never know, if most of the customers started asking them for proof, maybe then Comcast would send it by default rather than just the "hey, we think you're infected" notices, regardless of their belief.

I did get my notice after I'd reinstalled my Debian workstation ... from downloads ... so it was heavily hitting for about an hour, and without any other proof from them, or follow-up notices telling me they're still seeing something, I'm going on the thought that their script doesn't really know, that they didn't really do what they claimed ... and that they took a shortcut in coming to the conclusion I'd be infected.

I do know ... that there are ports open on the 722k that you can get data from it ... but unless your 722k is opening a port with UPnP there shouldn't be any random traffic to it ... and only if you had a Sling Adapter connected would you expect to have an open port through your Linksys open to everyone. So could it be hacked ... yes ... but has there been proof of crackers? Not that I've seen or heard ... anyone else hearing of it ... do tell and give links for people to follow to learn more ... :)
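The two points above (watch for someone else using the connection, and know which devices are actually on the LAN) come down to one defender's check: compare what the router's DHCP/ARP table currently shows against the short list of devices that are supposed to be there. The script below is an added example, not code from the thread or from Dish or Linksys; the table text, the MAC addresses and the `KNOWN_DEVICES` allow-list are constructed placeholders. It goes slightly beyond the post by accepting both a router-style table and a Windows `arp -a` dump, and it skips multicast/broadcast pseudo-entries that are not devices.

```python
import re

# Constructed sample output, not taken from the thread: a router's DHCP/ARP
# table followed by a Windows `arp -a` dump. In this scenario the only
# devices that belong on the LAN are the router and the (hypothetical) 722.
SAMPLE_TABLE = """\
IP address      MAC address        Hostname
192.168.1.1     00:1A:2B:3C:4D:5E  linksys
192.168.1.10    00:11:22:33:44:55  vip722
192.168.1.23    AA:BB:CC:DD:EE:FF  (unknown)

Interface: 192.168.1.5 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.77          de-ad-be-ef-00-01     dynamic
  224.0.0.251           01-00-5e-00-00-fb     static
"""

# Hypothetical allow-list maintained by the owner: MAC -> friendly name.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:5e": "Linksys router",
    "00:11:22:33:44:55": "Dish 722",
}

# One row = an IPv4 address followed by a MAC written with ':' or '-'.
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b"
)


def normalise_mac(mac):
    """Canonical lower-case, colon-separated form so tool output compares equal."""
    return mac.replace("-", ":").lower()


def is_multicast_ip(ip):
    first = int(ip.split(".")[0])
    return 224 <= first <= 239 or ip == "255.255.255.255"


def parse_table(text):
    """Return sorted unique (ip, mac) pairs for real hosts in ARP/DHCP output."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        ip, mac = m.group(1), normalise_mac(m.group(2))
        # Multicast/broadcast rows are protocol artefacts, not devices.
        if is_multicast_ip(ip) or mac.startswith("01:00:5e") or mac == "ff:ff:ff:ff:ff:ff":
            continue
        entries.add((ip, mac))
    return sorted(entries)


def unknown_devices(entries, known=KNOWN_DEVICES):
    """Every (ip, mac) whose MAC is not on the owner's allow-list."""
    return [(ip, mac) for ip, mac in entries if mac not in known]


if __name__ == "__main__":
    found = parse_table(SAMPLE_TABLE)
    for ip, mac in found:
        print(f"{ip:<16} {mac}  {KNOWN_DEVICES.get(mac, '<< NOT ON ALLOW-LIST')}")
    strangers = unknown_devices(found)
    print(f"{len(strangers)} device(s) not on the allow-list")
```

Treat a hit as a prompt to investigate, not proof: a MAC address is trivially cloned, and the table only lists hosts the router has seen recently, so a freeloader who is offline at the moment you look will not appear. The control that actually keeps strangers off the LAN is the one the post names, WPA2 with a strong passphrase, plus disabling UPnP on the router if no device on the LAN needs it.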
 
Just means that there is higher than "normal" customer activity. Could be you download stuff on the PC and the 722, and that kicked up a "red flag". Also Comcast is trying to throttle activity and get BS legislation pushed through in Congress. Also you might want to start your PC in safe mode and scan the system with an updated anti-virus program to see if you have a bot in it. It's unlikely that the 722, being Linux, is the problem.
 
Thanks for the suggestions. I hadn't thought about the possibility that someone could be freeloading on the connection. I'll have to check that. However, the monthly traffic shown on the Comcast site doesn't look out of line.

I haven't had a computer on my home internet connection for over a year. My computer is at my office, which is on a completely separate network several miles away.
 
kmkohler said:
Thanks for the suggestions. I hadn't thought about the possibility that someone could be freeloading on the connection. I'll have to check that. However, the monthly traffic shown on the Comcast site doesn't look out of line.

I haven't had a computer on my home internet connection for over a year. My computer is at my office, which is on a completely separate network several miles away.

Any iPads, smartphones, ps3/xbox there at your place?

 
Is it possible that "Comcast" sent you an email, not Comcast? Did the email ask you to click any links?
 
There is a link in the email; it's to direct users to Xfinity.com/BotAssistance (with the main portion of the URL as this: http://xfinity.comcast.net/constantguard/botassistance/). It also has trailing variables ... one of which is "utm_campaign=Email1" ... which suggests they track it as getting the first email ... getting a second or what have you might indicate that it's more serious ... or repeated ... etc.

It's more likely a valid email in both the OP's case and for sure in mine ... the real problem is that Comcast doesn't validate what it saw ... so you can't look at any evidence, taking it on its merits ... you can only take them at their word that they actually did see traffic, that they did analyze the traffic and see a bot-related signature ... rather than that they saw a huge amount of traffic and presumed it meant something bad.
 
Any iPads, smartphones, ps3/xbox there at your place?
Nope, nothing except the 722.

I checked the full headers on the email. It's Comcast all the way down.

The Comcast site says I've used 14GB so far in September. Not unreasonable.

The consensus seems to be that Comcast doesn't know what they're talking about. Why am I not surprised?
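The question a few posts up (was it "Comcast" or Comcast, and does the link go where it claims?) and the header check just described can be made mechanical. The script below is an added example, not code from the thread or from Comcast; both messages are constructed samples (hosts under `.invalid` are placeholders), and the only real value in them is the landing-page URL and `utm_campaign` parameter quoted earlier in the thread. It parses the raw message with Python's standard `email` module and reports whether the sender, the bounce address and every link in the body sit under the expected domains, plus the `Received` hop count and any `Authentication-Results` the receiving mail server stamped.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Domains a genuine notice should be sent from and link to, per the thread.
EXPECTED_DOMAINS = ("comcast.net", "xfinity.com")

# Constructed sample 1: shaped like the genuine notice. Addresses and hosts
# under .invalid are placeholders; the URL is the one quoted in the thread.
GENUINE = """\
Return-Path: <constantguard@comcast.net>
Received: from outbound.comcast.net (outbound.comcast.net [203.0.113.5])
\tby mx.customer.invalid with ESMTP; Tue, 4 Sep 2012 09:59:58 -0700
Authentication-Results: mx.customer.invalid; spf=pass smtp.mailfrom=comcast.net
From: Comcast Constant Guard <constantguard@comcast.net>
To: customer@example.invalid
Subject: Your computer may be infected by a bot
Content-Type: text/plain

Please visit http://xfinity.comcast.net/constantguard/botassistance/?utm_source=email&utm_campaign=Email1
"""

# Constructed sample 2: a look-alike whose display name says Comcast but
# whose addresses and link point at an unrelated (placeholder) domain.
LOOKALIKE = """\
Return-Path: <bounce@comcast-alerts.invalid>
Received: from smtp.comcast-alerts.invalid (smtp.comcast-alerts.invalid [198.51.100.7])
\tby mx.customer.invalid with ESMTP; Tue, 4 Sep 2012 11:12:13 -0700
From: Comcast Security <alerts@comcast-alerts.invalid>
To: customer@example.invalid
Subject: Bot detected - verify your account
Content-Type: text/plain

Confirm at http://comcast-alerts.invalid/verify?utm_campaign=Email1
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(address):
    """Bare domain of an RFC 5322 address field, lower-cased ('' if malformed)."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def under_expected(host, expected=EXPECTED_DOMAINS):
    """True if host equals, or is a subdomain of, one of the expected domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in expected)


def check_message(raw, expected=EXPECTED_DOMAINS):
    """Summarise the sender/link sanity checks for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    links = URL_RE.findall(body)
    from_domain = domain_of(str(msg["From"] or ""))
    return_path_domain = domain_of(str(msg["Return-Path"] or ""))
    offsite = [u for u in links
               if not under_expected(urlparse(u).hostname or "", expected)]
    campaigns = [c for u in links
                 for c in parse_qs(urlparse(u).query).get("utm_campaign", [])]
    return {
        "from_domain": from_domain,
        "from_ok": under_expected(from_domain, expected),
        "return_path_ok": under_expected(return_path_domain, expected),
        "received_hops": len(msg.get_all("Received") or []),
        "auth_results": str(msg["Authentication-Results"] or ""),
        "links": links,
        "offsite_links": offsite,
        "campaigns": campaigns,
    }


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        r = check_message(raw)
        print(f"{label}: from={r['from_domain']} from_ok={r['from_ok']} "
              f"return_path_ok={r['return_path_ok']} hops={r['received_hops']} "
              f"offsite={r['offsite_links']} campaign={r['campaigns']}")
```

`From` and `Return-Path` are set by whoever sends the message, so a pass on those two is only a negative screen; the trustworthy signals are the `Received` line your own mail server added and the `Authentication-Results` (SPF/DKIM) it stamped, which the function surfaces verbatim rather than re-evaluating. The link host check is the part that catches a look-alike regardless of what the headers say, and the `utm_campaign` value is reported simply because the post above noted it as a hint of whether this is a first or repeated notice.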

 
It is possible, but highly unlikely, your 722 has been compromised; in fact, I don't see anyone outside of a disgruntled Dish Network software developer planting malicious code onto the receiver - it's just not a high-profile target, and thieves would be more interested in using them to steal Dish Network service. Offhand, I would say it is more likely your usage patterns (obtained through automated log analysis) have triggered this email notification. Of course, it's impossible to say, since I have no idea what tools Comcast has deployed, the rules they've configured, or even how deep they're inspecting suspicious data packets ... and I have no idea how they research and validate these events. For all we know, at one time in the past you may have had a PC on your home network that had malware, or perhaps the botnet was trying to contact an IP address or hostname that you now dynamically lease from Comcast.

What to do? Well, you can explain your concerns to Comcast and---if you actually speak to a competent person in IT Security---perhaps they can pass along more details as to what triggered this security event. But don't hold your breath. As others have mentioned, you can ensure your router is properly configured. Heck, turn off your router's wireless capability if your 722 is hard-wired to the router. The NSA and FTC provide various online publications to help people address their home network security and privacy concerns ... just follow 'em like a checklist. You can also check out your router and cable modem logs if you wish ... you can use Wireshark to sniff traffic on both sides of your router ... heck, if you can't sleep at night you can slap in a spare Sourcefire IDS or deploy an ArcSight instance. :)

Otherwise, unless Comcast offers you more information, just check your firewall configuration and don't worry about it. ;)
 
I was thinking your box may be "phoning home" to Dish too much. But if the usage patterns are consistent ... meh.
 
I'm thinking somebody could have hijacked your router and is using it to relay email? If you never set security or left the default password as "admin" or blank, then someone could have hijacked it easily. I had some little twerp in my neighborhood who did it to me for 2 years, until he moved away, I presume. I used to set security, then make my password a taunt to his sexual orientation. LOL. He used to brute-force his way in every time as a taunt back to me. Then I got a good router instead of your average Linksys and he couldn't get in anymore. Then he just finally stopped.

In the meantime he was using my connection to download music and movies. I noticed when my network usage went through the roof and my connections slowed to a crawl. I have a 20 meg connection. If THAT slows to a crawl, there's a problem somewhere.
 