Mirai-botnet reported from Constant Guard

Regular Contributor

Mirai-botnet reported from Constant Guard

Recently Constant Guard has been reporting XFINITY Internet Security detected bot activity from one or more computers connected to your home network - specifically Mirai-botnet.  I have a couple of desktops and laptops running on my home network - all with current anti-virus.  A little research tells me that the Mirai-botnet runs on Linux.  I don't have anything running Linux that I am aware of - although I recently added a smart TV (TCL-Roku) that might run on that platform.  I ran a few scans on my PCs and they are clean. I also ran BullGuard and Incapsula and they showed I was clean. Now what?  Any way to identify which device is causing this reading?  Thanks

Regular Contributor

Re: Mirai-botnet reported from Constant Guard


sehale wrote:

Recently Constant Guard has been reporting XFINITY Internet Security detected bot activity from one or more computers connected to your home network - specifically Mirai-botnet.  I have a couple of desktops and laptops running on my home network - all with current anti-virus.  A little research tells me that the Mirai-botnet runs on Linux.  I don't have anything running Linux that I am aware of - although I recently added a smart TV (TCL-Roku) that might run on that platform.  I ran a few scans on my PCs and they are clean. I also ran BullGuard and Incapsula and they showed I was clean. Now what?  Any way to identify which device is causing this reading?  Thanks


Anyone?  Every day I get an email with this notification but as far as I can tell, I still have no Linux machines running so I don't know what the offending device is.

Security Expert

Re: Mirai-botnet reported from Constant Guard

 

Hi Sehale,

 

Please see if the following info sheds any light on your situation:

 

https://constantguard.xfinity.com/products-and-services/bot-detection-and-removal/

 

It will ask you to be logged into your Comcast Home page - for some reason being logged into the forums does not work - which makes no sense to me.

 

 

A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'




I am not a Comcast employee, I am a paying customer just like you!
I am an XFINITY Forum Expert and I am here to help. For information on the program click here.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Regular Contributor

Re: Mirai-botnet reported from Constant Guard

Thanks for the reply but as far as I know, the Mirai Botnet only affects Linux machines - possibly routers, CCTV systems, etc.  Not Windows based PCs - which is what I have.  I have up to date antivirus and anti-malware on my PCs.  There are no local reports from these programs.  They are up to date and constantly scanning.  I called Comcast yesterday for more information and they had no clue - I want to know if the MAC ID of the offending device can be identified.  I have run a few scans from other programs and came up clean - which is expected since they are scanning Windows devices that cannot have the Mirai.

Security Expert

Re: Mirai-botnet reported from Constant Guard

I'm not the sharpest tool in the shed when it comes to botnets - so I have requested help from a much sharper tool!

 

Hopefully LoPhatPuud will post some additional info.


Security Expert

Re: Mirai-botnet reported from Constant Guard

At this point, I suggest you post the required logs at one of the Malware Removal boards listed here:
http://forums.xfinity.com/t5/Anti-Virus-Software-Internet/Where-to-Seek-Malware-Removal-Assistance/t...

My recommendation would be Bleeping Computer.

Be sure to link to this thread.


"Once I talked to the inmates of an insane asylum in Hartford. I have talked to idiots a thousand times, but only once to the insane..."
Mark Twain


I am not a Comcast employee, I am a paying customer just like you!
I am an XFINITY Forum Expert and I am here to help. For information on the program click here.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Regular Contributor

Re: Mirai-botnet reported from Constant Guard

So the plot thickens - I was very skeptical that one of my PCs would have this bot as they are fully protected and Windows based.  Then the more I thought about it, the more I realized that these alerts started right about the time I got a new (and first) "smart" TV.  A TCL-Roku 55US5800.  So last night I disconnected it from the internet and sure enough - for the first time, no alert message.  All other devices connected as normal.  Hmmm.  I will try and duplicate it again tonight (alert messages come around midnight) but I think I found the culprit.  Now what...?

Frequent Visitor

Re: Mirai-botnet reported from Constant Guard

Mirai Botnet isn't a Windows bot. Mirai is an IoT (Internet of Things) based bot that has infected one or more of your IoT (Internet of Things) devices, such as an IP camera, DVR, or any third-party device that is on your network.

Your TCL-Roku 55US5800 is infected; reinstall or reset your TCL-Roku 55US5800.

I don't know how the security works on a TCL-Roku 55US5800, but the bot that has infected it is exploiting the default admin settings/login. After you reset it, see if there is a way to change the default administrator password, and that will prevent any future attacks.

You don't need to worry about any data breaches, as the Mirai bot is only used to send DDoS (Distributed Denial of Service) attacks from the device. If you have had any problems with your internet being slow or dropping, this will be the issue.

Edit:

Factory restore it using this tutorial here:

https://tclusa.helpjuice.com/20272-roku/189398-how-to-reset-your-tcl-tv-to-factory-defaults

I'm not sure if your device allows you to change your default admin credentials. This is a problem with this bot: a lot of companies have not updated their firmware to fix the problem. You should try calling them and see if there is any way to change it.
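On the thread's question of which device is responsible: one defender-side check is to search the router's outbound connection log for a LAN device that contacts many outside hosts on telnet ports (TCP 23 and 2323), which is how Mirai looks for other devices with default logins. This is an added example, not part of any post in the thread; the log format, subnet, MAC addresses and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet
TELNET_PORTS = {23, 2323}  # ports Mirai's scanner probes for default logins
MIN_TARGETS = 5            # distinct outside hosts before a device is flagged

# Constructed sample, one connection per line:
#   epoch_seconds src_mac src_ip dst_ip dst_port
# Not any real router's format; MACs and addresses are made up.
SAMPLE_LOG = """\
1700000000 02:00:00:AA:BB:01 192.168.1.50 198.51.100.7 23
1700000001 02:00:00:AA:BB:01 192.168.1.50 198.51.100.8 23
1700000001 02:00:00:AA:BB:01 192.168.1.50 203.0.113.9 2323
1700000002 02:00:00:AA:BB:01 192.168.1.50 203.0.113.10 23
1700000002 02:00:00:AA:BB:01 192.168.1.50 192.0.2.11 23
1700000003 02:00:00:AA:BB:01 192.168.1.50 192.0.2.12 2323
1700000004 02:00:00:AA:BB:02 192.168.1.20 198.51.100.80 443
1700000005 02:00:00:AA:BB:02 192.168.1.20 192.0.2.23 23
1700000006 02:00:00:AA:BB:02 192.168.1.20 192.168.1.1 23
garbage line
"""


def suspects(log_text, min_targets=MIN_TARGETS):
    """Map each flagged MAC to the outside hosts it probed on telnet ports."""
    probed = defaultdict(set)
    for line in log_text.splitlines():
        try:
            _ts, mac, src, dst, port = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # blank or malformed line
        # Outbound only: a LAN device reaching a host outside the LAN.
        if port in TELNET_PORTS and src in LAN and dst not in LAN:
            probed[mac.lower()].add(dst)
    return {
        mac: [str(ip) for ip in sorted(hosts, key=lambda ip: (ip.version, int(ip)))]
        for mac, hosts in probed.items()
        if len(hosts) >= min_targets
    }


if __name__ == "__main__":
    for mac, hosts in suspects(SAMPLE_LOG).items():
        print(f"{mac}: telnet probes to {len(hosts)} outside hosts")
```

The flagged MAC can then be matched against the router's connected-devices list to name the physical device.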

 

 

 

Regular Contributor

Re: Mirai-botnet reported from Constant Guard

fogles - I think you nailed it.  Coincidentally, we had another issue with the TV and the service tech came out and replaced the motherboard.  At the first startup, we were prompted to create a Roku account - something we were not prompted to do with the original version.  So we made an account and there has not been another Xfinity botnet report since.  I am thinking the obvious - the original TV motherboard (with Roku built in) was operating with the stock password and became infected. THANKS for the detailed response.

Frequent Visitor

Re: Mirai-botnet reported from Constant Guard

That's great, I am glad you were able to get them out there for a new Motherboard.