Abuse email from ISP


Wheemer1

Occasional Visitor
Hello;

I've got the GT-AX6000 set up with the latest Merlin firmware at my sister's house. I have enabled AiProtect, which I had thought would stop outbound "attacks".

However, since last week we've been getting emails from the ISP saying we are the source of abuse.

This is what the email says:

Code:
IP x.x.x.x
 data: SOURCE TIME: 2024-06-15 00:35:02Z
IP: x.x.x.x
ASN: 812
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: 911-socks5-proxy
TYPE: malware infection
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 5.79.71.225
DESTINATION PORT: 443
PORT: 58905
HTTP REQUEST: POST /api/node HTTP/1.1
USER AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
UUID: bd8df903-4f54-4263-956d-6fb0568c895e

How can I use the features of this router to help determine the machine responsible?

Any help would be appreciated as they say they are going to terminate our account as this problem is affecting the network.

Thanks
 
Is this not what is supposed to be prevented by the AiProtect?

I've run multiple antivirus and anti-malware programs and cannot find anything on any of the Windows PCs.
 

I installed Skynet and added that list to the import IP blocklist, not sure if that was correct.

Should be fine to use Skynet as well. AdGuard, as far as I know, handles ad blocking; Skynet is for the firewall. I don't use AdGuard, so I don't pretend to offer advice on compatibility. https://github.com/Adamm00/IPSet_ASUS
 
@DJones, many of the statements and/or suggestions in your long post above are unrelated to the issue, not necessary or simply incorrect. I can't correct this essay at 10.45pm, but mixing general statements with personal choices (yours or someone else's) on top is not the best advice. @Wheemer1 just installed a new router in sister's house. Servers, Fail2Ban, different blockers and what they do, what is inbound and outbound, what is encrypted around NTP/DNS and how, what DoH does, DNS settings with blocking upstream server... it's messy.
 
Wow, OK, I did not notice the post updated. I am running a Debian server at her location also, for Home Assistant.

But before it has to get that involved, I should perhaps format some PCs. There are only really 5 PCs running Windows. I am at least going to have to gain remote access to them to run some tests and uninstall any sketchy software... This is all very new to me. I had thought things were fairly secure before all this went down. We bought the router to solve the problem, so I hope we can find some solution. The ISP has already warned us 4 times.
 
You have a days-long project reformatting and reinstalling 5 Windows PCs alone. It is a client, most likely a PC; try to catch which one is contacting this IP and how often. The more changes and blockers you introduce into the mix, the more you mask the problem and make it harder for you to diagnose.
 

Yep, typed off a phone. As Tech9 said, it's equivalent to word spaghetti. I'm not very concise; I do apologize if it's not clear, incorrect, or messy, as I was typing as I was thinking of possible things to look for. I'm not a security expert, and I don't work in IT, although I do run a home lab and learn as I tinker. My knowledge is just offhand, and I'm perfectly content with being humbled if it's wrong, as I learn that way.

No need to fix what I said. If it helps him in any way, assuming he gleaned something from what I said to secure his network or at the least help him stop receiving these emails from his ISP, I did my part.

But yes take what I said as falling into a rabbit hole of technical features that do different things for different reasons. Those reasons might not stop or correct the root of the problem, and might only mask the issue at hand.

Edit: removed the post to keep it relevant so not to confuse you.
 
Well, so far it's just AdGuard and Skynet. The AiProtect stuff is all turned on as well.

That Wazuh looks more complicated than formatting Windows.

I'm happy to take further steps just no clue what to do next really.
 
I didn't even realize Skynet was something I needed, so I appreciate any pointers. Very much a noob when it comes to actual security.
 
What software should I run on the PCs? I am gaining remote access soon, one PC at a time; they are giving me whatever time I need to clean the PC.
 

The standard firewall will always block incoming connections. It’s the outgoing connections that seem to be getting you in trouble.
 

Avoid freeware if it's not reputable. For antivirus on Windows, I recommend Bitdefender myself over something like Norton.

As for what software you should run: only install what you need, and install updates as appropriate, is my only recommendation on Windows/Linux to keep it simple. Avoid torrenting files that may be malicious; maybe sandbox the torrent application in a virtual machine, keep an antivirus/firewall on that virtual machine, and do virus scans each time those files are moved to your host.
 
These are all things I already do... but the suspect PCs belong to two teenaged boys, so getting them to be smart is probably mission impossible.
 
Yeah, I had thought the AiProtect stuff was good for outgoing... little do I know.

It should help. Skynet also uses AiProtect's malware lists, so in a sense it will keep helping, but from my personal experience I've never had a hit from AiProtect.
 
Ah, okay. Well, I understand your position; you could attempt to monitor your web traffic under Adaptive QoS -> Web History, or use filtered DNS to prevent malware and access to adult sites.

But if there's a will there's a way. So with that in mind, if they have data they'd like to keep, I would antivirus-scan it, then back it up. Keep things to a minimum on your boot drives so that, if it's necessary to refresh your Windows computers from time to time, it's not a painful experience for the whole family.
 
