
Mirai-botnet reported from Constant Guard

SOLVED
Posted by
Regular Contributor

Message 1 of 10
1,089 Views

Recently Constant Guard has been reporting XFINITY Internet Security detected bot activity from one or more computers connected to your home network - specifically Mirai-botnet.  I have a couple of desktops and laptops running on my home network - all with current anti-virus.  A little research tells me that the Mirai-botnet runs on Linux.  I don't have anything running Linux that I am aware of - although I recently added a smart TV (TCL-Roku) that might run on that platform.  I ran a few scans on my PCs and they are clean. I also ran BullGuard and Incapsula and they showed I was clean. Now what?  Any way to identify which device is causing this reading?  Thanks

9 REPLIES
Posted by
Regular Contributor

Message 2 of 10
1,046 Views

Anyone?  Every day I get an email with this notification, but as far as I can tell I still have no Linux machines running, so I don't know what the offending device is.

Posted by
Security Expert

Message 3 of 10
1,037 Views

 

Hi Sehale,

Please see if the following info sheds any light on your situation:

https://constantguard.xfinity.com/products-and-services/bot-detection-and-removal/

It will ask you to be logged into your Comcast Home page - for some reason being logged into the forums does not work - which makes no sense to me.

A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'




I am not a Comcast employee, I am a paying customer just like you! I am an XFINITY Forum Expert and I am here to help.

Posted by
Regular Contributor

Message 4 of 10
1,009 Views

Thanks for the reply but as far as I know, the Mirai botnet only affects Linux machines - possibly routers, CCTV systems, etc.  Not Windows-based PCs - which is what I have.  I have up-to-date antivirus and anti-malware on my PCs.  There are no local reports from these programs.  They are up to date and constantly scanning.  I called Comcast yesterday for more information and they had no clue - I want to know if the MAC ID of the offending device can be identified.  I have run a few scans from other programs and came up clean - which is expected since they are scanning Windows devices that cannot have the Mirai.

Posted by
Security Expert

Message 5 of 10
1,000 Views

I'm not the sharpest tool in the shed when it comes to botnets - so I have requested help from a much sharper tool!

Hopefully LoPhatPuud will post some additional info.


Posted by
Security Expert

Message 6 of 10
988 Views
At this point, I suggest you post the required logs at one of the Malware Removal boards listed here:
http://forums.xfinity.com/t5/Anti-Virus-Software-Internet/Where-to-Seek-Malware-Removal-Assistance/t...

My recommendation would be Bleeping Computer.

Be sure to link to this thread.


"Once I talked to the inmates of an insane asylum in Hartford. I have talked to idiots a thousand times, but only once to the insane..."
Mark Twain



Posted by
Regular Contributor

Message 7 of 10
970 Views

So the plot thickens - I was very skeptical that one of my PCs would have this bot as they are fully protected and Windows based.  Then the more I thought about it, the more I realized that these alerts started right about the time I got a new (and first) "smart" TV.  A TCL-Roku 55US5800.  So last night I disconnected it from the internet and sure enough - for the first time, no alert message.  All other devices connected as normal.  Hmmm.  I will try and duplicate it again tonight (alert messages come around midnight) but I think I found the culprit.  Now what...?
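The disconnect test above and the earlier question about whether the offending device's MAC can be identified have a router-side answer. Mirai's scanner opens TCP connections to ports 23 and 2323 (telnet) on random internet addresses, so the infected device is the one LAN IP fanning out to many distinct telnet targets, and the router's DHCP/ARP table maps that IP back to a MAC address and hostname. The following Python is an added example for this thread, not an Xfinity, Constant Guard or router feature: the lease table, the connection log lines, the MAC addresses, the hostnames and the cutoff of 20 distinct targets are all constructed for illustration.

```python
"""Identify which LAN device is doing Mirai-style telnet scanning.

Added example; not part of the forum thread or any vendor tool.  Mirai's
scanner probes TCP 23 and 2323 on random public addresses, so one LAN IP
fanning out to many telnet targets is the signal, and the router's
DHCP/ARP table turns that IP into a MAC.  All data below is constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

TELNET_PORTS = {23, 2323}
SCAN_THRESHOLD = 20  # distinct public hosts on telnet ports; assumed cutoff

# Constructed DHCP/ARP table in the "ip  mac  hostname" shape home routers show.
LEASES = """\
192.168.1.10  a4:5e:60:11:22:33  windows-desktop
192.168.1.11  3c:22:fb:44:55:66  laptop
192.168.1.20  b8:27:eb:77:88:99  tcl-roku-tv
"""


def build_sample_conn_log() -> str:
    """Constructed connection log, one 'src_ip dst_ip dst_port' per line."""
    lines = [
        "192.168.1.10 151.101.1.69 443",    # desktop, HTTPS
        "192.168.1.11 142.250.72.46 443",   # laptop, HTTPS
        "192.168.1.20 23.246.50.5 443",     # TV streaming, benign
        "192.168.1.11 192.168.1.20 23",     # LAN-internal telnet, not counted
    ]
    # 30 telnet probes from the TV to distinct public hosts: the Mirai pattern.
    for i in range(30):
        port = 2323 if i % 4 == 0 else 23
        lines.append(f"192.168.1.20 45.33.{i}.{(i * 7) % 256} {port}")
    return "\n".join(lines) + "\n"


@dataclass
class Finding:
    ip: str
    mac: str
    hostname: str
    distinct_targets: int


def parse_leases(text: str) -> dict[str, tuple[str, str]]:
    """Map LAN IP -> (MAC, hostname); tolerate a missing hostname column."""
    table: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            table[parts[0]] = (parts[1], parts[2] if len(parts) > 2 else "?")
    return table


def parse_conn_log(text: str) -> list[tuple[str, str, int]]:
    """Parse 'src dst port' lines, skipping anything malformed."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            conns.append((parts[0], parts[1], int(parts[2])))
        except ValueError:
            continue
    return conns


def find_scanners(leases, conns, threshold=SCAN_THRESHOLD) -> list[Finding]:
    """Return LAN hosts that hit >= threshold distinct public telnet targets."""
    targets: dict[str, set[str]] = defaultdict(set)
    for src, dst, port in conns:
        if port not in TELNET_PORTS:
            continue
        if ipaddress.ip_address(dst).is_private:
            continue  # only fan-out to the internet is the worm signature
        targets[src].add(dst)
    findings = [
        Finding(src, *leases.get(src, ("unknown", "unknown")), len(dsts))
        for src, dsts in targets.items()
        if len(dsts) >= threshold
    ]
    return sorted(findings, key=lambda f: -f.distinct_targets)


if __name__ == "__main__":
    leases = parse_leases(LEASES)
    for f in find_scanners(leases, parse_conn_log(build_sample_conn_log())):
        print(f"{f.ip} {f.mac} ({f.hostname}): {f.distinct_targets} telnet targets")
```

Against the constructed data the only hit is 192.168.1.20 / b8:27:eb:77:88:99 (tcl-roku-tv) with 30 distinct targets; the laptop's single LAN-internal telnet connection is ignored because the destination is a private address. With a real router, replace LEASES with the DHCP client list from its admin page and the log with whatever connection or firewall log it exports in a "src dst port" shape.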

Posted by
Frequent Visitor

Message 8 of 10
727 Views
Solution

Mirai botnet isn't a Windows bot. Mirai is an IoT (Internet of Things) based bot that has infected one or more of your IoT devices, such as an IP camera, DVR, or any third-party device that is on your network.

Your TCL-Roku 55US5800 is infected; reinstall or reset your TCL-Roku 55US5800.

I don't know how the security works on a TCL-Roku 55US5800, but the bot that has infected it is exploiting the default admin settings/login. After you reset it, see if there is a way to change the default administrator password, and that will prevent any future attacks.

You don't need to worry about any data breaches, as the Mirai bot is only used to send DDoS (Distributed Denial of Service) attacks from the device. If you have had any problems with your internet being slow or dropping, this will be the issue.

Edit:

Factory restore it using this tutorial here:

https://tclusa.helpjuice.com/20272-roku/189398-how-to-reset-your-tcl-tv-to-factory-defaults

I'm not sure if your device allows you to change your default admin credentials. This is a problem with this bot; a lot of companies have not updated their firmware to fix the problem. You should try calling them and see if there is any way to change it.
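The reply above says the bot got in through the default admin login. The Mirai scanner does that over telnet (TCP 23 and 2323) with a fixed list of factory username/password pairs, so the practical self-check after a reset is whether a device on your own LAN still answers to any of them. Below is an added Python example, not a tool from this thread, Roku, TCL or Xfinity: the credential pairs are a subset of the list in the leaked Mirai scanner source, `start_fake_device` is a constructed stand-in for a device with a factory password so the script can be run offline, and `try_default_logins` is the function you would point at a device you own (for example `try_default_logins("192.168.1.20")`). Only run it against hardware that is yours.

```python
"""Check whether a telnet service accepts the factory credentials Mirai tries.

Added example for this thread, not a vendor tool.  MIRAI_DEFAULTS is a subset
of the pairs in the leaked Mirai scanner source.  The fake device at the
bottom is constructed so the check runs offline.  Only test devices you own.
"""
import socket
import threading

MIRAI_DEFAULTS = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("root", "123456"), ("root", "54321"), ("support", "support"),
    ("root", "root"), ("admin", "password"), ("user", "user"),
]

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
SUCCESS_MARKERS = (b"#", b"$", b"busybox")  # shell prompt or BusyBox banner


def strip_telnet_options(data: bytes, sock=None) -> bytes:
    """Drop IAC option triples.  If sock is given, refuse every option the
    peer offers (DO -> WONT, WILL -> DONT) and ignore the peer's own
    refusals so the negotiation cannot loop."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data):
            cmd, opt = data[i + 1], data[i + 2]
            if sock is not None and cmd == DO:
                sock.sendall(bytes([IAC, WONT, opt]))
            elif sock is not None and cmd == WILL:
                sock.sendall(bytes([IAC, DONT, opt]))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def read_until(sock, markers, limit=4096) -> bytes:
    """Read until any marker appears (case-insensitive), EOF, or limit bytes."""
    buf = b""
    while len(buf) < limit and not any(m in buf.lower() for m in markers):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += strip_telnet_options(chunk, sock)
    return buf


def try_default_logins(host, port=23, creds=MIRAI_DEFAULTS, timeout=3.0):
    """Return the first (user, password) the telnet service accepts, else None.
    A device that never shows a recognisable prompt times out and counts
    as a failed attempt."""
    for user, pw in creds:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                read_until(s, (b"login:",))
                s.sendall(user.encode() + b"\r\n")
                read_until(s, (b"password:",))
                s.sendall(pw.encode() + b"\r\n")
                reply = read_until(s, SUCCESS_MARKERS + (b"incorrect",)).lower()
        except OSError:
            continue
        if b"incorrect" not in reply and any(m in reply for m in SUCCESS_MARKERS):
            return (user, pw)
    return None


def start_fake_device(accept=("root", "xc3511")) -> int:
    """Constructed stand-in for an IoT device with a factory password.
    Listens on 127.0.0.1 in a daemon thread and returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def read_line(conn) -> str:
        buf = b""
        while b"\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
        return strip_telnet_options(buf).decode(errors="replace").strip()

    def handle(conn):
        with conn:
            conn.sendall(bytes([IAC, DO, 1]) + b"\r\nlogin: ")  # DO ECHO, as daemons do
            user = read_line(conn)
            conn.sendall(b"Password: ")
            pw = read_line(conn)
            if (user, pw) == tuple(accept):
                conn.sendall(b"\r\nBusyBox v1.22 built-in shell (ash)\r\n# ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\n")

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_device()
    print(try_default_logins("127.0.0.1", port))  # constructed device: ("root", "xc3511")
```

The client refuses every telnet option the device offers and never answers a refusal, which is what keeps the IAC exchange from looping on real daemons. A device that closes the connection, never shows a login prompt, or answers with something other than a shell prompt is reported as not accepting that pair; if your own device does accept one, the fix the reply above describes (reset, then change the password or update firmware) is the right one.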

 

 

 

Posted by
Regular Contributor

Message 9 of 10
689 Views

fogles - I think you nailed it.  Coincidentally, we had another issue with the TV and the service tech came out and replaced the motherboard.  At the first startup, we were prompted to create a Roku account - something we were not prompted to do with the original version.  So we made an account and there has not been another Xfinity botnet report since.  I am thinking the obvious - the original TV motherboard (with Roku built in) was operating with the stock password and became infected. THANKS for the detailed response.

Posted by
Frequent Visitor

Message 10 of 10
666 Views

That's great, I am glad you were able to get them out there for a new motherboard.