Gold Problem Solver
BruceW
Posts: 7,500
Registered: ‎12-03-2007

Re: Bot Education

[ Edited ]

MelvinTheGrate wrote: For me, using Firefox, the captcha page flashes up for a few milliseconds, then goes blank, and the browser just sits there showing "Read www.google.com" in the status bar. ...

Almost the same for me in FF3 and FF8. After I click "GET STARTED", the CAPTCHA flashes by, and then https://amibotted.comcast.net/authorized.html just sits there, blank, with the status bar reading "Connecting to ssl.google-analytics.com". IE7 seems to work OK, except for the security certificate warning.

Regular Problem Solver
BlueJay
Posts: 3,852
Registered: ‎03-11-2004

Re: Bot Education

Thanks BruceW, your link got me to the page, I was able to get past the get started garbage screen after a number of tries trying to interpret the catchy codes and type them into the box..

 

Came up clean, but think I'll stick with: http://www.botnetchecker.com/, sure is a heck of a lot easier than waiting for "amibotted" to connect.

 

Still using IE 8 ----  no desire to use or check out other browsers..

 

ciao, bj

Bronze Star Contributor
Posts: 131
Registered: ‎12-12-2009

Re: Bot Education


ComcastJordan wrote:

Folks,

Thank you to everyone for their helpful input. We've taken everyone's ideas into consideration and are pleased to share a new site with all of you. The "Am I Botted" (https://amibotted.comcast.net) provides a great deal of the information requested by users to help identify and understand the bot issue specific to their home network. This site is considered an open-beta, so feel free to provide feedback for improvement.

 

Thanks.



Some feedback as requested, interesting website, I am amazed CC can even call this a beta, some more not ready for prime time software. If you are running IE9, and haven’t changed security settings for mixed content you will get a security warning “only secure content displayed“, so the “Get started“ button doesn’t work.

 

At that point, hit fn and f12 ( or whatever on your keyboard for f12) for the debugger and click console and refresh and you can see the security issues;

 

SEC7111: HTTPS security is compromised by http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js

authorized.html

SCRIPT5009: 'jQuery' is undefined

jquery.mousewheel-3.0.4.pack.js, line 13 character 2

SCRIPT5009: 'jQuery' is undefined

jquery.fancybox-1.3.4.pack.js, line 18 character 3

SCRIPT5009: '$' is undefined

authorized.html, line 30 character 13

SEC7111: HTTPS security is compromised by http://xfinity.comcast.net/js-api/compressed/xpbar.js?version=3

authorized.html

SEC7115: :visited and :link styles can only differ by color. Some styles were not applied to :visited.

authorized.html

SEC7111: HTTPS security is compromised by http://xfinity.comcast.net/constantguard/resources/images/content/BotAssistance/btn_getstartedWin.pn...

authorized.html

SEC7111: HTTPS security is compromised by http://xfinity.comcast.net/footer/vendor/standard/2/

authorized.html

SEC7111: HTTPS security is compromised by http://xfinity.comcast.net/footer/vendor/standard/2/

authorized.html

 

Now to see the other issues with this site, click validate on the top button bar, select multiple validations, check all of them, yes to run multiple validations. You will get a boat load of errors.

 

Not worth posting them all, needless to say, the software isn’t ready for my use. I will wait until they can provide secure and bug free software, but I won’t hold my breath. Makes me wonder who writes their software when a lowly user can find all these bugs in a few minutes.  
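An added example, not part of the original post and not code from the site: one way to find, before release, the kind of http:// subresources on an https:// page that the SEC7111 console lines above report. The sample HTML is constructed; only the page URL and the jQuery URL are taken from the console output, and the example.invalid names are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, class). "active" content can script or restyle the
# page; "passive" content (images, media) can only alter what is displayed.
SUBRESOURCES = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "embed": ("src", "active"),
    "object": ("data", "active"),
    "link": ("href", "active"),  # counted only for rel="stylesheet"
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentAuditor(HTMLParser):
    """Collect subresources that an https:// page would fetch over http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (class, tag, absolute URL, line number)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # e.g. <a href>: navigation, not a subresource
        attr, kind = SUBRESOURCES[tag]
        values = dict(attrs)
        rels = (values.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rels:
            return
        raw = values.get(attr)
        if not raw:
            return
        # Resolve relative and protocol-relative URLs against the page URL,
        # so "x.js" and "//host/x.js" inherit https and are not flagged.
        absolute = urljoin(self.page_url, raw.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute, self.getpos()[0]))


def audit(page_url, html):
    """Return mixed-content findings for html served at page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for https pages
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page (not the real site's markup).
SAMPLE_URL = "https://amibotted.comcast.net/authorized.html"
SAMPLE_HTML = """<html><head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js"></script>
<script src="jquery.fancybox-1.3.4.pack.js"></script>
<script src="//example.invalid/protocol-relative.js"></script>
<link rel="stylesheet" href="https://example.invalid/site.css">
</head><body>
<img src="http://example.invalid/images/button.png">
<a href="http://example.invalid/">plain links are not subresources</a>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url, line in audit(SAMPLE_URL, SAMPLE_HTML):
        print(f"line {line}: {kind} mixed content <{tag}> {url}")
```

When the blocked resource is the jQuery script itself, every plugin that depends on it fails with the "'jQuery' is undefined" errors shown in the console output.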

Visitor
Posts: 3
Registered: ‎12-21-2006

Re: Bot Education

Thanks for the information ComcastJordan. The site says I am "in the clear," so I can't see if the information provided is useful for now. However, one of my LAN users will track something in soon enough, and I'll see how it works.

 

I hope your Customer Service folks are promptly trained to point customers to this site when you make it productional. I've spoken with them enough to say that they really need the help, and now that I've found this forum, I'll avoid talking to them every chance I get.:smileylaugh:

 

Also, I agree with the feedback you've received about your notifications. The popups and anonymous emails are off-putting.

 

Thank you.

Security Expert
USAF_E-8_RET
Posts: 5,122
Registered: ‎10-28-2003

Re: Bot Education


davegreen wrote:
Some feedback as requested, interesting website, I am amazed CC can even call this a beta, some more not ready for prime time software. If you are running IE9, and haven’t changed security settings for mixed content you will get a security warning “only secure content displayed“, so the “Get started“ button doesn’t work.

 

Not worth posting them all, needless to say, the software isn’t ready for my use. I will wait until they can provide secure and bug free software, but I won’t hold my breath. Makes me wonder who writes their software when a lowly user can find all these bugs in a few minutes.  


Hi davegreen,

 

I informed 2 Comcast employees of this exact situation earlier this week and received no response from one and was told to use compatibility mode by the other, insisting it was totally tested on different browsers.

 

I agree it is not ready for primetime, as has been the case for some of Comcast's previous attempts.  

 

I anxiously await their answers.

A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'

Official Employee
ComcastJordan
Posts: 788
Registered: ‎03-17-2008

Re: Bot Education

Folks,

Of course it's not ready for prime time.  Perhaps I should have used the term "sneak peek"?  We're looking for value of the data and suggestions on how we can make the site more useful.  If a few certificate issues are easy enough to work out.  I'd much rather hear whether the information provided is of use and whether the page helps folks get to the root of problems easier.

Gold Problem Solver
BruceW
Posts: 7,500
Registered: ‎12-03-2007

Re: Bot Education


ComcastJordan wrote: ... I'd much rather hear whether the information provided is of use and whether the page helps folks get to the root of problems easier.

Difficult for those of us who are not botted to evaluate, since we see no results. Is there some sort of sample page that would show what sort of information we might see if we were infected?

 

Also, any idea why I am having problems with the site in Firefox as described in my earlier post (02-09-2012 02:15 PM)?

Recognized Contributor
Posts: 644
Registered: ‎06-13-2009

Re: Bot Education

[ Edited ]

I had rcvd' the email only notice one time and scanned clean w/ multiple software.

 

But then I found EG's post of ccJordans link and it worked without security issue so I used it (and am using it).

 

I like it and appreciated it.  (I'm currently clear, but the first time I used it it did tell me my info when they first saw issue).

 

At least I knew my pc was on at said time.  I would like to know what the threat levels mean a simple explanation would be nice on the site.

 

Of course even better if it was a site I surfed or email'd or what but I know the implications previously discussed in this post.

 

Anyway the link is nice it at least confirms the email.

 

I DO wish the cust serv rep after waiting 45 min on hold on security line would've told me about the link instead of saying they could tell me nothing and just lectured me on net safety.

EG's link to Jordan's site: https://amibotted.comcast.net/ (I run IE9)

Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: Bot Education

The "Am I Botted?" page @ https://amibotted.comcast.net is now in beta. That means some things may not work right and we're seeking feedback on it. ;-)  (cert issues noted)

JL
National Engineering & Technical Operations
Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: Bot Education

[ Edited ]

BruceW wrote:

Difficult for those of us who are not botted to evaluate, since we see no results. Is there some sort of sample page that would show what sort of information we might see if we were infected?


On the new page, try the "clickable demo" in the FAQs (first FAQ) 

Direct link: https://amibotted.comcast.net/demo/detected.html

 

JL
National Engineering & Technical Operations
Security Expert
USAF_E-8_RET
Posts: 5,122
Registered: ‎10-28-2003

Re: Bot Education


jlivingood wrote:

The "Am I Botted?" page @ https://amibotted.comcast.net is now in beta. That means some things may not work right and we're seeking feedback on it. ;-)  (cert issues noted)


Other than the cert issues, if I go to the FAQ re the Demo under Options, I select Export Image, then copy the URL, then select Go to Forums from the Options drop down and get taken to the forums, but when I select the tree icon to load an image and paste the URL from the demo I get the proverbial red X in the little square.  Is that supposed to work in the Demo or am I doing something wrong?

 

I guess I should add this is in IE9.


Official Employee
cc_adame
Posts: 333
Registered: ‎09-13-2010

Re: Bot Education


USAF_E-8_RET wrote:

Other than the cert issues, if I go to the FAQ re the Demo under Options, I select Export Image, then copy the URL, then select Go to Forums from the Options drop down and get taken to the forums, but when I select the tree icon to load an image and paste the URL from the demo I get the proverbial red X in the little square.  Is that supposed to work in the Demo or am I doing something wrong?

 

I guess I should add this is in IE9.



Thanks, USAF_E-8_RET. That image doesn't actually exist on the server. We will consider adding a sample so you can at least see what it would look like.


--
Adam
Comcast National Engineering // Customer Protection Team
Gold Problem Solver
BruceW
Posts: 7,500
Registered: ‎12-03-2007

Re: Bot Education

[ Edited ]

jlivingood wrote: ... On the new page, try the "clickable demo" in the FAQs (first FAQ) 

Direct link: https://amibotted.comcast.net/demo/detected.html


Thanks Jason -- how on earth did I miss that???

 

First impression: this info is a big improvement over what we had before, for technically-inclined users, at least.

Contributor
Posts: 7
Registered: ‎10-18-2006

Re: Bot Education

While I see some information being presented in my case, I do not find it particularly helpful. Below is what the current amibotted page shows for me. Unfortunately it does not get me any closer to pin pointing which connected device it came from. Between Phones, Ipads, Game Consoles and Computers I can have as many as 10 connected at any given time. And as pointed out some time back if the BOT goes dormant for a period of time it might be hard to locate. I get a Security Alert Email about every 6 to 8 days but this leaves me with a few questions that I have not seen presented as yet. For example, how often does Bot detection run? Or is it on all the time?  Is it possible for Comcast to provide us with the destination IP address that triggered the bot alert? That might be a good way to backtrack to a specific PC. Also, what standards are being used to evaluate activity and designate it as bot activity? Are there any stats on False Positives?

I appreciate the efforts that Comcast has made to make the program more meaningful. Please keep it going. I would love nothing better than to find a bot on any of my equipment and destroy it.

Botnet | Intent | Severity | MSRT Fix | Last Seen | Times Seen | Advisory
52 3

Official Employee
cc_adame
Posts: 333
Registered: ‎09-13-2010

Re: Bot Education


rboski wrote:

While I see some information being presented in my case, I do not find it particularly helpful. Below is what the current amibotted page shows for me. Unfortunately it does not get me any closer to pin pointing which connected device it came from. Between Phones, Ipads, Game Consoles and Computers I can have as many as 10 connected at any given time. And as pointed out some time back if the BOT goes dormant for a period of time it might be hard to locate. I get a Security Alert Email about every 6 to 8 days but this leaves me with a few questions that I have not seen presented as yet. For example, how often does Bot detection run? Or is it on all the time?  Is it possible for Comcast to provide us with the destination IP address that triggered the bot alert? That might be a good way to backtrack to a specific PC. Also, what standards are being used to evaluate activity and designate it as bot activity? Are there any stats on False Positives?

I appreciate the efforts that Comcast has made to make the program more meaningful. Please keep it going. I would love nothing better than to find a bot on any of my equipment and destroy it.

Botnet | Intent | Severity | MSRT Fix | Last Seen | Times Seen | Advisory
52 3


Thanks for the feedback, 

 

--
Adam
Comcast National Engineering // Customer Protection Team
Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: Bot Education


rboski wrote:

While I see some information being presented in my case, I do not find it particularly helpful. Below is what the current amibotted page shows for me. Unfortunately it does not get me any closer to pin pointing which connected device it came from. Between Phones, Ipads, Game Consoles and Computers I can have as many as 10 connected at any given time. And as pointed out some time back if the BOT goes dormant for a period of time it might be hard to locate. I get a Security Alert Email about every 6 to 8 days but this leaves me with a few questions that I have not seen presented as yet. For example, how often does Bot detection run? Or is it on all the time?  Is it possible for Comcast to provide us with the destination IP address that triggered the bot alert? That might be a good way to backtrack to a specific PC. Also, what standards are being used to evaluate activity and designate it as bot activity? Are there any stats on False Positives?

I appreciate the efforts that Comcast has made to make the program more meaningful. Please keep it going. I would love nothing better than to find a bot on any of my equipment and destroy it.

Botnet | Intent | Severity | MSRT Fix | Last Seen | Times Seen | Advisory
52 3


As we do not have software installed on your home LAN, we have no way of telling what device it was, but sometimes the timestamp helps. You will note there is a fix available for this (http://www.microsoft.com/security/pc-security/malware-removal.aspx) so I would strongly recommend you install and run that on each of your PCs.

JL
National Engineering & Technical Operations
Security Expert
USAF_E-8_RET
Posts: 5,122
Registered: ‎10-28-2003

Re: Bot Education

jlivingood wrote: 

As we do not have software installed on your home LAN, we have no way of telling what device it was, but sometimes the timestamp helps. You will note there is a fix available for this (http://www.microsoft.com/security/pc-security/malware-removal.aspx) so I would strongly recommend you install and run that on each of your PCs.

 

 

There is an extra ) at the end of the link rendering the link unusable - the correct link is

 

http://www.microsoft.com/security/pc-security/malware-removal.aspx

 

Which is for the Microsoft Malicious Software Removal Tool


Gold Problem Solver
BruceW
Posts: 7,500
Registered: ‎12-03-2007

Re: Bot Education


ComcastJordan wrote: ... The "Am I Botted" (https://amibotted.comcast.net) provides a great deal of the information requested by users ... free to provide feedback for improvement.

Any chance that, in addition to the "Last Seen" column, a "Last Remote IP" column could be added?

Official Employee
cc_adame
Posts: 333
Registered: ‎09-13-2010

Re: Bot Education


BruceW wrote:

Any chance that, in addition to the "Last Seen" column, a "Last Remote IP" column could be added?



BruceW, are you looking for the ip that the traffic was going to? 

--
Adam
Comcast National Engineering // Customer Protection Team
Gold Problem Solver
BruceW
Posts: 7,500
Registered: ‎12-03-2007

Re: Bot Education


cc_adame wrote: BruceW, are you looking for the ip that the traffic was going to?

The IP the user connected to, yes. That information could help users determine whether they are actually infected, or whether the detection resulted from visiting a host that happened to be part of a botnet. It might reduce the number of "false positive" complaints.

Visitor
Posts: 3
Registered: ‎12-21-2006

Re: Bot Education

Also, I could pinpoint the offending machine on my LAN from the outgoing router logs with the time and IP. Time alone would get me close, but both would be ideal.

Contributor
Posts: 7
Registered: ‎10-18-2006

Re: Boot Education

My thanks to all the Comcast people for trying to lend me a hand. I realize that based on all the time you spend in the forums that you truly want to help. Also thanks to all the other posters that contribute as well.

 

This has been going on for so long I thought it might be a help to lay out some of the steps I have taken.

 

I use both AVG and MSRT and Malwarebytes to detect Unwanted files on all my computers. I have also installed WireShark to monitor packets and so far have never been able to catch the bot when it is active.

In addition I check the Routers outgoing and incoming logs and every time I get an alert there is no activity at the exact specified time. I am running a fairly good size network when you add up all the Kids phones and games not to mention the desktop PCs but I can account for every Mac address that appears and there is no way anyone outside is accessing the network.

 

So you can see why I have had so much difficulty in tracking this down. I do not think my network is anything so complicated nor do I think it is much different than anyone else that has kids.

 

One of you mentioned that you do not have any software on my network that would allow you to pin point which connected item is infected..... Is there such software that I could install then remove it when the offending device is captured by you? I believe I would be OK with that as long as I had the ability to remove it once the issue is resolved.

 

The long and short of this is.. This is not a very simple thing to do and I wonder if the average person has the skills and/or the time to devote to this program. I am 100% in favor of the alerts and go in search anew every time one arrives but I always find nothing. I am still hoping to find something, but I am not as enthusiastic as I once was.

Contributor
Posts: 5
Registered: ‎01-25-2009

Re: Boot Education

Although I never ended up catching the supposed bot, I tried the following.  In my case I think it may have actually been a DNS prefetch from Firefox on an infected page -- Firefox automatically fetches DNS records for links that appear on a page to make things faster (unless you turn it off), so if Comcast is looking at DNS queries as part/all of the source for the "you've got a bot" messages, then just visiting such a page might cause false positives despite no bot and no bot communications (Comcast likely can't tell us exactly what they look at, though, for the obvious reason that it would let the bot creators know how to avoid it).

 

  Both methods require some things that "average" users probably don't have/can't easily do, but are not particularly exotic or complicated. 

 

Method 1:

Set your router to point to a local caching DNS server that you run, and on that server, install dnsmasq (Linux) or similar software that caches DNS lookups and configure it to log every one of them (and configure it to use your normal Comcast DNS as the server it speaks to).  If there's a particular host identified by name, this would probably catch it (at least once your devices all refresh their DHCP leases and get the new local DNS server IP), and tie it to a particular IP address in your house, which you can then resolve to a particular device.  Obviously what you do then depends on whether it's an iPhone or a PC, but at least it would give you a single target to look at.

 

 

Method 2:

If you're running DD-WRT, TomatoUSB, or similar open router software, you can run tcpdump directly on that and log DNS or even all packets to a capture file, which you can analyze with Wireshark or other tools later.   Likely much more effective than trying to run it locally on all PCs (plus if it's a really clever bot, it might be clever enough to not let Wireshark see its traffic... perhaps).  If you don't have attached storage, you could pipe it through SSH like this (or probably a half dozen other ways):

 

tcpdump -i eth0 -w - |ssh user@somelocalhost "cat >dump.pcap"

 

  To some other Linux box that's got plenty of space (assuming you have both ssh and tcpdump on your router).  Even if you have a huge network, logging all of the WLAN packets probably would be manageable, and you could always filter it if you know more about the specific problem based on the Comcast tool.

tcpdump -i eth0 -w - |ssh rand@cayenne "cat >dump.pcap"
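The log correlation that Method 1 sets up, as an added example that is not part of the original post: given the alert's "Last Seen" time, it lists which LAN clients made DNS queries around that moment and maps them to devices. It assumes dnsmasq runs with `log-queries` writing syslog-style lines and also serves the DHCP leases; the log lines, lease entries, addresses and domain names below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# dnsmasq "log-queries" line via syslog (hostname field optional), e.g.
#   Feb 22 14:03:11 dnsmasq[1234]: query[A] host.example from 192.168.1.23
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?:\S+ )?dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(log_text, year):
    """Yield (when, client_ip, qtype, name) per query line; skip other lines."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # "forwarded"/"reply"/"cached" lines carry no client IP
        stamp = " ".join(m["ts"].split())  # syslog pads single-digit days
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield when, m["client"], m["qtype"], m["name"].lower().rstrip(".")


def parse_leases(lease_text):
    """Map IP -> (mac, hostname) from lease lines: expiry mac ip hostname id."""
    devices = {}
    for line in lease_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            devices[fields[2]] = (fields[1], fields[3])
    return devices


def suspects(log_text, alert_time, window_minutes, year, name_suffix=None, leases=None):
    """Group queries made within +/- window of the alert by client address.

    name_suffix narrows the result to one domain when the alert names a host.
    """
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for when, client, qtype, name in parse_queries(log_text, year):
        if abs(when - alert_time) > window:
            continue
        if name_suffix and name != name_suffix and not name.endswith("." + name_suffix):
            continue
        hits[client].append((when, qtype, name))
    devices = leases or {}
    return {
        ip: {"device": devices.get(ip, ("unknown", "unknown")), "queries": queries}
        for ip, queries in hits.items()
    }


# Constructed sample data (syslog lines carry no year, so it is passed in).
SAMPLE_LOG = """\
Feb 22 13:58:40 dnsmasq[1234]: query[A] www.example.org from 192.168.1.10
Feb 22 13:58:40 dnsmasq[1234]: forwarded www.example.org to 203.0.113.53
Feb 22 14:03:11 dnsmasq[1234]: query[A] tracker.flagged-domain.invalid from 192.168.1.23
Feb 22 14:03:11 dnsmasq[1234]: reply tracker.flagged-domain.invalid is 198.51.100.7
Feb 22 14:03:12 dnsmasq[1234]: query[AAAA] tracker.flagged-domain.invalid from 192.168.1.23
Feb 22 14:04:02 dnsmasq[1234]: query[A] mail.example.org from 192.168.1.42
Feb 22 19:30:00 dnsmasq[1234]: query[A] tracker.flagged-domain.invalid from 192.168.1.10
"""
SAMPLE_LEASES = """\
1329950000 aa:bb:cc:00:00:10 192.168.1.10 den-desktop *
1329950000 aa:bb:cc:00:00:23 192.168.1.23 kids-laptop 01:aa:bb:cc:00:00:23
"""

if __name__ == "__main__":
    alert = datetime(2012, 2, 22, 14, 3)  # constructed "Last Seen" time
    found = suspects(SAMPLE_LOG, alert, 5, 2012, leases=parse_leases(SAMPLE_LEASES))
    for ip, info in sorted(found.items()):
        mac, host = info["device"]
        print(ip, mac, host, [name for _, _, name in info["queries"]])
```

A query in the log shows only that a device looked the name up, which a browser's DNS prefetch can also cause, so a match narrows down which device to scan rather than proving infection.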

Security Expert
USAF_E-8_RET
Posts: 5,122
Registered: ‎10-28-2003

Re: Bot Education

Removed to prevent others from clicking on link.

Regular Problem Solver
BlueJay
Posts: 3,852
Registered: ‎03-11-2004

Re: Bot Education

deerpoacher01...

 

Are you for real????    Go back and remove or break that link...!!!

 

ciao, bj

New Visitor
deerpoacher01
Posts: 3
Registered: ‎02-22-2012

Re: Bot Education

i did split it but i warned everybody in red lol

Service Expert
Queen-Evie
Posts: 14,145
Registered: ‎02-04-2004

Re: Bot Education

[ Edited ]

For some people a warning will go over their heads and they will click the link out of curiosity.

 

I have an old computer that I don't mind if something happens to it. I used that computer to click the link and was immediately taken to a page that looked like My Computer and a scan started, stating my system is infected.

 

I also closed out the page as soon as the scan started.

 

There is no LOL about posting a malicious link.  It's totally irresponsible on your part to post a known bad link. One may think YOU are intentionally wanting to spread the malware.

 

FYI, if you had read the Posting Guidelines (which everyone should read before making his/her first post) you would have seen this:

 

Please Don’t:

 

5. Malicious Content

 

Posting content designed to disrupt or interfere with the operation of another member’s computer is not permitted. This may include, but is not limited to, linking to viruses and linking to pages that hijack browsers. Posting this brand of content will likely lead to the loss of posting privileges.

 

 Thank you USAF for removing the post. You got to it mere seconds before I did.

 

edited to correct a spelling typo



 


Comcast employees must be authorized to post in the forum in an official capacity. Employees posting here have their names in red and are designated as employees. Names not in red are customers.

This is done to protect customers and for assurance that they are dealing with a Comcast employee.
Non-Authorized Employees are allowed to post but cannot state they are employees nor can they allude to being employees.

Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: Bot Education


deerpoacher01 wrote:

i did split it but i warned everybody in red lol


You can be banned from the forums for knowingly posting malware links, as the poster above notes.

JL
National Engineering & Technical Operations
New Visitor
Posts: 1
Registered: ‎03-03-2010

Re: Bot Education

First off regarding the DNS changer bot. Could your company be more useless?

 


After 40 minutes on the phone. i am told to go to the website. this info could have been put in your annoying email.

 

Second. . Open "Terminal" (type "Terminal" in Spotlight)   How about using language the rest of us understand? What is a spotlight? Is comcast familiar with the term "illustration?"

 

Your customers are begging for more informations and you dolts give us nothing. And the customers should not have to be explaining this to a giant corporate parasite.


Visitor
Posts: 3
Registered: ‎12-21-2006

Re: Bot Education


iamanalliecat wrote:

First off regarding the DNS changer bot. Could your company be more useless?

 


After 40 minutes on the phone. i am told to go to the website. this info could have been put in your annoying email.

 

Second. . Open "Terminal" (type "Terminal" in Spotlight)   How about using language the rest of us understand? What is a spotlight? Is comcast familiar with the term "illustration?"

 

Your customers are begging for more informations and you dolts give us nothing. And the customers should not have to be explaining this to a giant corporate parasite.



Hi iamanalliecat,

 

I'm not a Comcast employee, and I share your frustration with their so-called Customer Service. Count your blessings that you were directed here relatively quickly.

 

There are some helpful people here, both technically knowledgeable customers, and Comcast employees who are as helpful as their corporate overlords will allow, which is reasonably helpful.

 

You're the first person I've seen come in swinging, so I don't know how much response you'll get calling these folks names.

 

I will share with you a link to their Am I Botted page, which is a beta page to give you something to go on, although some of us are lobbying for additional info. Bot Net Checker is a non-Comcast site I've seen recommended. Also, some of the specific bot FAQ's have IP address ranges of known botnets, so you can look for those if you are logging your outbound traffic from your router.

 

Other people have provided advice for finding and eliminating malware, so it is useful to read some of the posts.

 

Good luck.

 

Contributor
AG2012
Posts: 5
Registered: ‎02-06-2012

Re: Bot Education

THANKS FOR THE INFORMATION ON THEIR MONEY BACK GUARANTEE, ESPECIALLY SINCE THEY REPORT I HAVE A BOT, CANT TELL ME WHY, AND SAID I WOULD GET MY MONEY BACK IF A BOT WAS NOT FOUND. THEY ALSO TOLD ME THERE WAS NO DO IT YOURSELF FIX, WHEN THE LETTER SAYS THERE IS.

I ONLY HAVE A WEEK TO CLEAN MY COMPUTER OR LOSE CONNECTION EVEN THOUGH NONE OF MY COMPUTERS ARE REPORTING THE BOT THROUGH THE "TEST" THEY HAVE YOU DO AT DNS-OK.US

Official Employee
ComcastJordan
Posts: 788
Registered: ‎03-17-2008

Re: Bot Education

AG2012,

I believe your issue was resolved in another forum, correct?  Please let us know if that is not the case.

Official Employee
ComcastJordan
Posts: 788
Registered: ‎03-17-2008

Re: Bot Education

Iamanalliecat,

We are working to improve some of our messaging, so bear with us as we work through what is essentially an extremely technical issue that is having significant impact on the masses.

 

If you can give a few details, we can probably help walk you through the issue you're having.

Official Employee
cc_adame
Posts: 333
Registered: ‎09-13-2010

Re: Bot Education


iamanalliecat wrote:

First off regarding the DNS changer bot. Could your company be more useless?

 


After 40 minutes on the phone. i am told to go to the website. this info could have been put in your annoying email.

 

Second. . Open "Terminal" (type "Terminal" in Spotlight)   How about using language the rest of us understand? What is a spotlight? Is comcast familiar with the term "illustration?"

 

Your customers are begging for more informations and you dolts give us nothing. And the customers should not have to be explaining this to a giant corporate parasite.



Thanks for the feedback! Please check your PMs.

--
Adam
Comcast National Engineering // Customer Protection Team