Forum Discussion

andy2510
On our wavelength
7 months ago

Mirai Warning Email - And Other Issues

Hi

Yesterday I had an email from VM (genuine, my account number and name were included in the email) saying one of my devices may have been affected with the Mirai malware and I need to take action. Obviously, we don't know which one, as many of my gadgets are smart items and are connected to the internet "24/7" (though my system shuts down for 6 to 7 hours a night!).

It would be nice, if possible, if a time of detection was made available, as this would narrow down the culprit!

This is because on the day of the detection, I was setting up a new NAS and decommissioning my old Amahi server (as the software is outdated and not likely to be updated). This may be a culprit, though as the new NAS has a stronger firewall and was "out of the box", though with no default account details set, I doubt it would have succumbed to a malware attack so soon.

My main desktop PC was not switched on on this day. My personal laptop was, and so was my work laptop (very highly doubt that would be the culprit - the work VPN would also have a different IP address). Same with my son's school Chromebook and Nintendo Switch. Android phones and tablets have not had any new software installed apart from mine for access to the NAS from the manufacturer.

There are 2 Google Nest cams, though they are highly locked down. Same with Google Home Hubs and Google Nest Thermometer. Would it be possible for smart plug sockets to get infected? I hope it's not the ones hard wired into the wall if they are!!

That leaves just one more possible culprit, a CCTV DVR, though that currently keeps crashing as I believe the hard drive that is in it is failing. It is now currently unplugged. I think I changed its user and password though to reduce the risk of it getting hacked though.

At the same time as all of this, I can no longer access my Virgin Media account nor an online banking account on any device attached to our network (including my phone, it's only when I switch to mobile data that I can get access). An attempt just times out. Is this linked to the above issue (i.e. has Virgin Media blocked access due to the suspected malware issue) or is it something else, i.e. the new NAS (though when testing with the NAS off and running direct, access still failed) or a broadband issue that is currently under investigation in my area? With so many things happening at the same time it's difficult to know what is the cause (though it's not browser cache as the phone reconnects on network change easily, and I've tried devices which have never attempted to access these services before), hence the one post here rather than separate ones in different forum areas.

Sorry for the long post and thanks in advance for your help.

6 Replies

  • andy2510
    On our wavelength

    I'm also having an issue logging into my Virgin Media account (including Webmail) via a browser or VM app - except when on mobile data and not via my home VM broadband connection. I did a detailed post here (https://community.virginmedia.com/t5/Security-matters/Marai-Warning-Email-And-Other-Issues/m-p/5574087#M55887) as it could be a multitude of things, the cause could be anything! Also can't log into my bank either via VM broadband, but app via mobile data is fine.

    UPDATE - Virgin Media Webmail is now back up and running for me!

  • andy2510
    On our wavelength

    Forgot to mention - I have already checked and Telnet Port 23 is closed, on the NAS and Virgin Hub.

    UPDATE - Virgin Media Webmail is back for me, for now at least!

    • Paul_DN
      Forum Team

      Hi andy2510,

      Thank you for reaching out to us in our community and welcome back. Sorry to hear you have been facing issues due to Mirai Malware being detected which stopped your Emails being accessed. Glad to hear you now have normal access. Apologies that there was not any further information available around what device was attacked and when. We do advise running an antivirus on all devices when this happens.

      In regards to NAS, this may be something one of our community members may be along to help at some point. If you do need any further help with anything else then please reach back out.

      Regards

      Paul.

  • andy2510
    On our wavelength

    Hi Paul.

    I've had another email today, this one the "Network Attacks" one, which has no date of when malware was detected - this is the one with the threat of disconnection. I am really hoping that is related to the original detection (of which the 2 most likely culprits are a) currently offline or b) decommissioned) and is not anything else.

    The date of detection was the 3rd October, which was a coincidence as my old media server (which didn't have any default accounts) was running for the last time and the new NAS took over file server and DHCP duties. The NAS was bought direct from Synology so shouldn't be a source of the problem - its default admin account is disabled from the off.

    The faulty CCTV box was unplugged on the 4th October when I got the email - it has a failing hard drive (I think) and the box keeps crashing and freezing. As I need to unplug it anyway to replace the hard drive, I'll look at the settings when it's plugged into a monitor offline to see if there is anything that is obvious that could be causing the issue (I'm sure I've already closed the default account and it's using a non-standard 5-digit port for communication).

    I'm sure Telnet port 23 is closed in all firewalls - the NAS, Virgin Superhub, and another Wifi 6E TPLink router that the NAS is connected to (which also benefited from a firmware update on Saturday). Knowing the port the malware used to spread its filth would be useful though.

    From what I read Mirai targets Linux systems built into devices like CCTV DVRs rather than Windows, Android... or smart plug sockets.

    Fingers crossed I don't get any more of these emails. Still can't get into Nationwide though!

    • Paul_DN
      Forum Team

      Hi andy2510,

      As both issues were on the same date and you haven't had anything dated later, fingers crossed no more issues and the scans you have run have done the trick. If you do have any further issues please reach back out and I will be happy to look further into this for you.

      Regards

      Paul.

      • andy2510
        On our wavelength

        Thanks Paul.

        I've also ordered a replacement CCTV box from Amazon (Prime Day!) from a different manufacturer and hope this doesn't become a malware server too (if the previous one was the cause!) - I did look at seeing if I could find a newer firmware for the previous one, however posts I've seen online say that those boxes are hardcoded to have the port 23 open and no new firmware is ever made available (it was a Fleureon box). I'll set this new box up differently too to hopefully make it more secure!
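
The Telnet check discussed in this thread, as an added example that is not part of any post: it connects to each device on your own LAN and reports whether port 23 answers, refuses, or gives no response. Assumptions: the host addresses are constructed placeholders, and port 2323 is added because Mirai is widely reported to probe it alongside 23; the thread itself mentions only port 23.

```python
import socket

# 23 is the port named in the thread; 2323 is an added assumption (see lead-in).
TELNET_PORTS = (23, 2323)


def probe(host, port, timeout=1.5):
    """Return 'open', 'closed' (connection refused) or 'no-response'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The device answered and rejected the connection: nothing listening.
        return "closed"
    except OSError:
        # Timeout or unreachable: device is off, or a firewall drops the packet.
        return "no-response"


def audit(hosts, ports=TELNET_PORTS, timeout=1.5):
    """Probe every host/port pair and return {(host, port): state}."""
    return {(h, p): probe(h, p, timeout) for h in hosts for p in ports}


def exposed(results):
    """List the (host, port) pairs that accepted a connection."""
    return sorted(k for k, state in results.items() if state == "open")


if __name__ == "__main__":
    # Constructed addresses: replace with the devices on your own network,
    # e.g. the DVR, the NAS and the router.
    my_devices = ["192.168.0.1", "192.168.0.10", "192.168.0.20"]
    results = audit(my_devices)
    for (host, port), state in sorted(results.items()):
        print(f"{host:15} tcp/{port:<5} {state}")
    for host, port in exposed(results):
        print(f"Telnet reachable on {host}:{port} - disable it or isolate the device")
```

Run it from a computer on the same network as the devices. A port that is open here is reachable on the LAN; whether it is reachable from the internet depends on the port-forwarding and UPnP settings of the hub or router.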