Message 1 of 15

IP Address Blacklisted: Has My VM SuperHub 3 Been Hacked?

On 26 September I discovered that we couldn’t send emails from our email clients because our IP address was listed on the Spamhaus SBLCSS database. Virus and malware checks failed to detect anything suspicious on any of our devices.

On 29 September our IP address was automatically delisted, with no interaction on our part. Since then, daily checks have shown our IP address was not listed. Until today, 14 days later…

Today I checked and found our IP address was listed once again on SBLCSS; consequently I requested a delisting. As part of that process, I was advised that “Latest sighting, 12th around 1900 GMT”.

Now that is very odd!

I have four systems that connect to my VM SuperHub 3:

  • Laptop: running Windows 10 build 18362.356.
  • Android tablet.
  • Android mobile phone.
  • Chromecast device.

The main suspect must be the laptop; however this was shut down at the time of the latest Spamhaus sighting. I have confirmed this in Event Viewer (under Windows Logs > System), which reports that the last activity on 12 October was at 13:23.

The tablet and mobile phone were away from home (some miles away) at that time, so we can rule out those devices.

The Chromecast, like the laptop, was switched off.

We don’t have any other devices that connect to the internet. No Alexa, no other IoT devices.

That only leaves the SuperHub 3 that was powered on at the time of last sighting of spam. We’ve had the same IP address since we received the hub on 20 August (so can rule out receipt of a blacklisted dynamic IP address), and we’ve only had problems sending mail since then. The router is protected with a strong password, as is its browser set-up page. No passwords have been shared with any third parties in the short time we’ve had the SuperHub 3.

So, could my recently acquired hub have been hacked, even before I received it?

Message 2 of 15

Re: IP Address Blacklisted: Has My VM SuperHub 3 Been Hacked?

I'm going to make some short observations on this story and then leave it to others to fill in the detail.

The Hub 3 is not vulnerable in the way you describe. I've never heard or seen an incident of it since I've been around this Forum from 2014 or so.

The CSS list does not rely on one incident. It relies on a series of incidents before listing takes place so your reasoning is likely fallacious. All your devices are suspect still. The trigger event for the new listing on 12th was what was reported to you as being when the spam was detected by Spamhaus.  There have been prior incidents of CSS being seen from your home IP before the latest listing was made by Spamhaus.

https://www.spamhaus.org/css/

Read what jem101 said in this thread about how a spam bot works. As we have said before spambots get retired and reactivated by the spammers and remotely controlled so they can go quiescent and then be revived. That is the essence of CSS - small quantities of low level spam sent at sporadic intervals from various sources to spread the load.

In message 9/9 of this thread and copied here for you:

https://community.virginmedia.com/t5/Email/Total-failure-of-Email/td-p/4081049

No not necessarily, any device could have become infected and made part of a remote controlled botnet, it wouldn't need to have an email program installed on it as the malware can easily also contain a simple SMTP relay component. You need to thoroughly investigate any device you have on your local network. Have you had any visitors recently which have used your wifi? Any Android based phones or tablets? (not that I'm saying that iOS is completely immune but the closed nature of the App Store does make it far less likely for a malicious app to be installed).

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more
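
The quoted advice above (a bot carries its own SMTP relay, so every device on the LAN is a suspect) can be checked against connection records rather than by elimination. This is an added example, not part of the original thread: it finds which LAN hosts opened direct port-25 connections around a blocklist sighting time. The log format, addresses, year and function names are all constructed for illustration, and it assumes a gateway or capture box that records outbound connections.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: outbound connection records as a gateway or capture
# box in front of the hub might log them (hypothetical format and addresses).
SAMPLE_LOG = """\
2019-10-12T12:20:41Z 192.168.0.10 -> 198.51.100.7:587 tcp
2019-10-12T12:21:02Z 192.168.0.10 -> 198.51.100.7:443 tcp
2019-10-12T18:41:15Z 192.168.0.23 -> 203.0.113.10:25 tcp
2019-10-12T18:41:16Z 192.168.0.23 -> 203.0.113.77:25 tcp
2019-10-12T18:58:49Z 192.168.0.23 -> 192.0.2.55:25 tcp
2019-10-12T19:03:30Z 192.168.0.31 -> 198.51.100.7:465 tcp
this line is malformed and must be skipped
"""

LINE = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) "
    r"(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) tcp$"
)

def parse(log_text):
    """Yield (utc_time, lan_ip, dest_ip, dest_port); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), int(m.group(4))

def direct_smtp_hosts(log_text, sighting_utc, window=timedelta(hours=1)):
    """Map each LAN host to the distinct port-25 destinations it contacted
    within +/- window of the blocklist sighting time."""
    hits = defaultdict(set)
    for ts, lan_ip, dest_ip, port in parse(log_text):
        # Mail clients submit on 587/465 to one provider; direct-to-MX
        # delivery on port 25 from a home device is the bot-like pattern.
        if port == 25 and abs(ts - sighting_utc) <= window:
            hits[lan_ip].add(dest_ip)
    return {host: sorted(dests) for host, dests in hits.items()}

if __name__ == "__main__":
    # Sighting time taken from the thread: "12th around 1900 GMT".
    sighting = datetime(2019, 10, 12, 19, 0, tzinfo=timezone.utc)
    for host, dests in direct_smtp_hosts(SAMPLE_LOG, sighting).items():
        print(host, "contacted", len(dests), "hosts on port 25:", dests)
```

Because CSS listings follow sporadic, low-volume sending, any direct port-25 connection from a non-server device is worth investigating, so the example applies no volume threshold. Keep timestamps in UTC when comparing against the sighting time, since device logs often show local time.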

Message 3 of 15

Re: IP Address Blacklisted: Has My VM SuperHub 3 Been Hacked?

Thanks for your reply and the link to the other post.

The key point I am trying to make is that there was a detection by Spamhaus at a time when nothing but the SuperHub 3 was connected to the internet.

It’s this specific point that is the puzzle here. Could there be some malware in the router’s firmware? We didn’t have any problems like this before we switched hubs back in August. Everything points to the hub.

I don’t know if someone else has had this hub before me; is it possible that a previous owner hacked it? Could there be a fault in its manufacture?

I’m looking for explanations beyond malware on my own devices, as none of these was connected at the time of the last detection.

Message 4 of 15

Re: IP Address Blacklisted: Has My VM SuperHub 3 Been Hacked?

I take your point, but I can't be authoritative about the issue except to say that my understanding is that Spamhaus will list as and when they see the spam, not when it was sent.  On the supposition that this is Hub 3 related I do know that when VM re-use equipment they ensure it is returned to factory-clean condition.



Message 5 of 15

Re: IP Address Blacklisted: Has My VM SuperHub 3 Been Hacked?

There is no way the hub can have malware on it. The firmware is digitally signed and can only be updated over the tftp. It checks and updates every time it starts up.

The only other thing is someone has managed to get on your wifi. Change the password.

Message 6 of 15

Re: IP Address Blacklisted: Has My VM SuperHub 3 Been Hacked?

@apcyberaxis is an IT professional and he knows VM equipment inside out. If your wifi has enabled unauthorised access and a third party has sent stuff via your connection then his suggestion of a password change is spot-on. Otherwise this means that the sole probability reduces to malware on your devices which is as yet undetected. You may need to look at "root kit" detection. I can't and won't recommend one but I see that my old friend "malwarebytes" has one for free use. But at your own risk.



Message 7 of 15

Re: IP Address Blacklisted: Has My VM SuperHub 3 Been Hacked?

The password consists of 12 random alpha-numeric characters, which hasn't been shared with anyone.

I've been using Wireless Network Watcher to monitor connections; there have been no devices connected other than our own.

No harm in changing the password, though.

Message 8 of 15

Re: IP Address Blacklisted: Has My VM SuperHub 3 Been Hacked?

That leaves it to something on your devices.

That is all it can be.

Message 9 of 15

Re: IP Address Blacklisted: Has My VM SuperHub 3 Been Hacked?

The only device connected to the internet at the time of last detection was the VM SuperHub.

Message 10 of 15

Re: IP Address Blacklisted: Has My VM SuperHub 3 Been Hacked?

You posted this earlier: “Latest sighting, 12th around 1900 GMT”.

Is that the time the suspect item was sent or the time it was reported to Spamhaus?

________________________________
Graham

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media, I'm a VM customer. There are no guarantees that my advice will work. Learn more
