Up to speed
Message 1 of 16

internet-security@virginmedia

This is a 1st

Your Virgin Media account number: 14 - 
Our Reference: VMIS70-Portmapper-F008496799

Dear Mr ,

Your home devices could be at risk

We're writing to let you know that a device connected to your home network has been identified as having a potential Portmapper vulnerability.

A Portmapper vulnerability is a security issue whereby a 3rd party can use this protocol to gain unauthorised access to your network/devices for malicious purposes. If a 3rd party has access to your network/devices they will be able to perform a Distributed Denial of Service (DDoS) attack.

It is therefore important that you follow the advice in this letter.

What has happened?

We suspect the device may have been misconfigured by you, someone in your household or without your knowledge. If the settings are left unchanged they can be exploited to unwittingly participate in malicious activities, for example a Distributed Denial of Service (DDoS) attack.

Details:

IP: 
Date: 13 October 2020

How can this issue be resolved?

To fix this problem please visit virginmedia.com/portmapper for guidance on how to secure your network.

More help & support

Protect yourself in the future; Web Safe is available to Virgin Fibre customers at no extra cost to help give you protection against malware and viruses. Full details can be found by registering or signing in to your account at virginmedia.com/myvirginmedia and going to My Apps.

For extra advice, or to double-check that this is a genuine Virgin Media communication, head to our community at virginmedia.com/community, click 'Help forum' and join the conversation on the Security Matters board.

Kind regards,
The Virgin Media team
  

 

Is this a legit email or is it another hoax!!

Knows their stuff
Message 2 of 16

It's real; you can unknowingly expose your PC to risk if your Virgin hub is in modem mode, or if you have modified the firewall of the Virgin hub.

What do you have connected to your Virgin box?

Do you have your Virgin box in modem mode?

Up to speed
Message 3 of 16

The hub has never been in modem mode. The only thing I have connected to the hub that could flag anything like this is my NAS, but I have never had any issues like this in the last 15 years it's been on, and it's only ever turned on for a few hours at a time.

Knows their stuff
Message 4 of 16

In that case I'd ignore it as it's probably a false positive. 

They'll send another email if the problem re-occurs. 

Up to speed
Message 5 of 16

Must be. I can't remember the actual date of the last time I switched it on, but it could have been the date they are saying; I had to transfer some files to the NAS, which took most of the night. I have turned DMZ off to see if it helps, and I will also enable the firewall inside the NAS.

Very Insightful Person
Message 6 of 16

Do keep in mind that the trusted third party (likely shadowserver.org) observed the reported activity from your public IP address, so the likelihood of a false positive is low IMHO.

Hopefully the action taken to secure the NAS will resolve the issue, but if not, consider port forwarding traffic directed towards port 111/udp to an unassigned IP address on the LAN.

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media.

Up to speed
Message 7 of 16

The NAS has been set up the same for years and not once have I had this issue.

The hub has never been in modem mode.

The port has never been set to 111.

The issue here, I can guess as to why Virgin Media flagged it, is because of the large amount of data that was transferred.

Telling me that I am using port 111 when clearly I know I never have is clearly wrong on Virgin's side.

Very Insightful Person
Message 8 of 16

Hopefully the forum team can confirm the identity of the reporting third party to allow you to: (a) confirm the detection; (b) obtain from them a copy of the data captured in response to their rpcinfo query.

Up to speed
Message 9 of 16

What would be nice is if their customer support agent who I spoke to today, who cut me off after a 1 hour 30 minute phone call saying "give me a few mins while I go check with another agent", could actually phone me back and explain, 1st, why I was cut off! Why phone back 35 minutes later, to me answering the phone, then again being cut off with no reply!! 2nd, answer the questions I asked over the phone regarding this issue.

I asked 1 simple question:

Did I receive this email due to the high transfer on my home network bringing up a fake DDoS attack, because the transfer took nearly 8 hours to complete!

This question took over 45 minutes before I was cut off not getting any answer.

Very Insightful Person
Message 10 of 16


@lojelo5 wrote:

Did I receive this email due to the high transfer on my home network bringing up a fake DDoS attack, because the transfer took nearly 8 hours to complete!

This question took over 45 minutes before I was cut off not getting any answer.


No, because the detection of the issue is from the trusted third party to your public IP address and then a capture of the response.

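What the rpcinfo query and the captured response mentioned in this thread look like on the wire, as an added example that is not part of the original posts: a Python sketch that builds the portmapper DUMP request (RFC 1833) and decodes a reply. The sample reply bytes are constructed for illustration, and the function names are this example's own.

```python
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4   # RFC 1833 portmapper v2
PROTO = {6: "tcp", 17: "udp"}

def build_dump_call(xid):
    """ONC RPC call: xid, CALL, RPC v2, prog, vers, proc, empty AUTH_NONE cred and verifier."""
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)

def parse_dump_reply(data, xid):
    """Return [(program, version, protocol, port)] from a DUMP reply, or raise ValueError."""
    try:
        rxid, mtype, rstat, _flavor, vlen = struct.unpack_from(">5I", data, 0)
        if (rxid, mtype, rstat) != (xid, 1, 0):      # must be an accepted REPLY to our xid
            raise ValueError("not an accepted reply to this call")
        off = 20 + ((vlen + 3) & ~3)                 # skip verifier body, padded to 4 bytes
        (astat,) = struct.unpack_from(">I", data, off)
        if astat != 0:
            raise ValueError("RPC call was not successful")
        off += 4
        mappings = []
        while struct.unpack_from(">I", data, off)[0]:    # value_follows flag
            prog, vers, prot, port = struct.unpack_from(">4I", data, off + 4)
            mappings.append((prog, vers, PROTO.get(prot, str(prot)), port))
            off += 20
        return mappings
    except struct.error:
        raise ValueError("truncated reply") from None

def check_own_device(host, timeout=2.0):
    """Query a device you administer on 111/udp; None means nothing answered."""
    xid = 0x1234ABCD
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_call(xid), (host, 111))
        try:
            return parse_dump_reply(s.recvfrom(65535)[0], xid)
        except (socket.timeout, ConnectionError):
            return None

# Constructed sample reply: portmapper on 111/tcp and 111/udp plus NFS v3 on 2049/tcp.
SAMPLE_XID = 0x1234ABCD
SAMPLE_REPLY = struct.pack(">6I", SAMPLE_XID, 1, 0, 0, 0, 0) + b"".join(
    struct.pack(">5I", 1, *m) for m in
    [(100000, 2, 6, 111), (100000, 2, 17, 111), (100003, 3, 6, 2049)]
) + struct.pack(">I", 0)

if __name__ == "__main__":
    for entry in parse_dump_reply(SAMPLE_REPLY, SAMPLE_XID):
        print(entry)
```

`check_own_device` returning `None` when run from outside the home network against your own public address means nothing answered on 111/udp.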