Xfinity Forum Archive...
This is an archived section of the community.
Content in this area has been identified as outdated or irrelevant.
This change was done in an effort to make the forum easier to use and to keep only the most helpful and recent content active.
Post your questions in the Xfinity Community
I wouldn't be concerned. The net is filled with bots whose only purpose is to sniff out vulnerable routers - the Netcore routers are a prime example. Just the way it is nowadays. I could dig up the logs for my ASUS RT-AC88U and show you many months of the same Netcore attacks on my router.
This simply underscores the necessity of regularly updating your software and firmware to maintain network security. Even a well known, reputable company like ASUS (sometimes more than once) or Intel (Spectre and Meltdown, anyone? ) can be compromised, or even security software vendors like Symantec.
In fact, even though Heartbleed was patched many years ago, as long as there are servers out there sill run the vulnerable OpenSSL protocol that Heartbleed exploits, the vulnerability remains, and bots will still scour the Net for them.
On 29 Mar 2018 at 1929 hrs PDT we started experiencing multiple external attacks daily (12x/d) coming from a total of 19 different outside IPs, ALL of which were effectively trapped & blocked by our Router & Firewall.
These started as, "Remote Command Execution via Script" + "Netcore Router Backdoor Access" attacks until 20 Apr 18 at 0302 hrs when an attempt was made at "SSL OpenSSL TLS DTLS Heartbeat Info Disclosure (CVE-2014-0160, Heartbleed)". The R&N attacks continued but on 22 Apr a "Remote Command Execution via Script" was followed on 23 Apr by "LAN Backdoor Command Execution (CVE-2014-9583)" aimed at an outdated ASUSWRT, followed by Netcore attacks until another Heartbleed on 25 Apr, then back to R&Ns. These are not benign "trying to surf on your dime" attacks. Heartbleed & Backdoor are serious issues.
All of these attacked the same MAC address, which was one used by Cadant (now Arris) in CMs and targeted a local Comcast IP. The MAC was isolated and rejected at all access venues and the attacks have since slowed with none in the last 48-hrs.
My network was not impacted, no data was exfiltrated and no users were aware of any issues. That said, it is apparent that these 2014 viruses are being actively aimed at Arris devices on Comcast networks -- at least in my area.
Comcast is still the Gatekeepper to all FW updates for all equipment on their farm. That's fine, but trying to report the issue to Comcast by chat, phone, or email is nearly impossible. Can we be expecting an update to the ARRIS FW soon?