Reply
Regular Contributor
Posts: 35
Registered: ‎08-17-2005
Accepted Solution

Constant Guard Center warning

Hi,

I just got a warning email from Comcast's Constant Guard Center informing me that I may be infected with a Bot.  However, I use Linux (Frugalware 1.3) fully patched.  Could this be a false positive?  'chkrootkit' informs me that I'm OK.

The Constant Guard™ service has identified that one or more of your computers may be infected with a Bot. Please read on.

A Bot, also referred to as malicious software or malware, is used to gain control of your computer, typically without your knowledge. Online criminals can use Bots to collect your personal and private data, such as Social Security numbers, bank account information, and/or credit card numbers by monitoring your keystrokes. This can lead to identity theft and fraud!

We recommend that you visit the Comcast Constant Guard Center at https://constantguard.comcast.net for instructions to help you remove the Bot from your computer(s). We also advise that you keep your computer(s) protected by performing regular Operating System updates and by using Norton Security Suite anti-virus software.
Connection Expert
JamesR
Posts: 6,423
Registered: ‎09-29-2007

Re: Constant Guard Center warning

Might be good to google "bots and malware" and "botnet".  If a Robot has been installed on your machine so that someone can use your computer to make it perform some action in the background, it might not appear as Malware on your scan.

Can you monitor for Internet transactions that occur without initiation by you?

Regular Contributor
Posts: 35
Registered: ‎08-17-2005

Re: Constant Guard Center warning

Hi JamesR and thanks for the advice,

I guess the safest thing to do is a re-install. If I am rooted, then I guess I cannot trust anything my PC is telling me. I'm quitting Frugalware and installing Aptosid over this weekend.  This seems safest.

Then, I'm changing all my passwords.

Thanks again :smileyhappy:

-Joe G.

Connection Expert
JamesR
Posts: 6,423
Registered: ‎09-29-2007

Re: Constant Guard Center warning

Sounds like a plan! :smileycool: Be embarrassing to find out that a bad guy had set your machine up to hack something or do a denial of service attack on someone.

Regular Contributor
Posts: 35
Registered: ‎08-17-2005

Re: Constant Guard Center warning

Thanks JamesR,

I'm just surprised that I could get hacked in Linux.  I'd go BSD, but I only have logical partitions left to install to.

Connection Expert
JamesR
Posts: 6,423
Registered: ‎09-29-2007

Re: Constant Guard Center warning

Don't know that you have been hacked.  Maybe you downloaded some music and are now serving up music files off your hard drive or something like that.  Or you have a service running that is appearing to function in a similar manner.

Seems like it would be worth putting up Wireshark or something similar to monitor Internet activity to figure out what application or service is running along.

Regular Contributor
Posts: 35
Registered: ‎08-17-2005

Re: Constant Guard Center warning

Hi JamesR,

I think I still need advice...

I decided not to go with Aptosid. Rather than let me reuse my /home/username, Aptosid wanted me to install to one partition and then edit my fstab.  I could have done it, but I just didn't feel like playing around.  So, I decided to take the easy way:  I'm running Ubuntu 10.04 i386.  I installed last night.  I installed Firestarter and even configured it to "Block traffic from reserved addresses on public interfaces."  I also installed and edited "denyhosts."

Today, I got another warning email from Constant Guard Center.  Same thing.

Firestarter is busily blocking deploy.akamaitechnologies.com:

[code]
Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:41:42 Direction: Unknown In:eth0 Out: Port:41897 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:41:43 Direction: Unknown In:eth0 Out: Port:41898 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:41:45 Direction: Unknown In:eth0 Out: Port:41897 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:41:45 Direction: Unknown In:eth0 Out: Port:41898 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:42:06 Direction: Unknown In:eth0 Out: Port:41897 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:42:07 Direction: Unknown In:eth0 Out: Port:41898 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:42:10 Direction: Unknown In:eth0 Out: Port:51193 Source:184.51.157.48 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:42:54 Direction: Unknown In:eth0 Out: Port:41897 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:42:55 Direction: Unknown In:eth0 Out: Port:41898 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:43:18 Direction: Unknown In:eth0 Out: Port:57157 Source:a184-51-157-48.deploy.akamaitechnologies.com
[/code]

It's using very high port numbers, so this has me a bit concerned.
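A first-pass triage of a blocked-event list like the one above, added here as an example (it is not code from the original post or from the Firestarter project): it parses Firestarter's exported event format, counts blocked inbound packets per source and destination port, and reports whether each destination port falls in the host's ephemeral range. That single check is the quickest way to separate late replies to connections this machine itself opened (the usual explanation for blocked packets arriving from a CDN) from packets aimed at a listening service. The sample records are constructed from the ones posted in the thread; the ephemeral range used is the Linux default and is an assumption, so read the real range from the host before trusting the classification.

```python
import re
from collections import Counter

# Constructed sample: the nine complete records posted in the thread, one per
# line, in the field order Firestarter uses when it exports its event list.
SAMPLE_LOG = """\
Time:Oct 2 13:41:42 Direction: Unknown In:eth0 Out: Port:41897 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:41:43 Direction: Unknown In:eth0 Out: Port:41898 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:41:45 Direction: Unknown In:eth0 Out: Port:41897 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:41:45 Direction: Unknown In:eth0 Out: Port:41898 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:42:06 Direction: Unknown In:eth0 Out: Port:41897 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:42:07 Direction: Unknown In:eth0 Out: Port:41898 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:42:10 Direction: Unknown In:eth0 Out: Port:51193 Source:184.51.157.48 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:42:54 Direction: Unknown In:eth0 Out: Port:41897 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
Time:Oct 2 13:42:55 Direction: Unknown In:eth0 Out: Port:41898 Source:184.84.220.161 Destination:71.60.77.135 Length:44 TOS:0x00 Protocol:TCP Service:Unknown
"""

FIELDS = ("Time", "Direction", "In", "Out", "Port", "Source", "Destination",
          "Length", "TOS", "Protocol", "Service")
_NAMES = "|".join(FIELDS)
# Split a record at the whitespace that precedes a known field name. Naming the
# fields explicitly keeps the colons inside the timestamp (13:41:42) and empty
# values such as "Out:" from being misread.
SPLIT_RE = re.compile(rf"\s+(?=(?:{_NAMES}):)")

# Assumed ephemeral range: the Linux default net.ipv4.ip_local_port_range
# (32768-60999). On the host being examined, read
# /proc/sys/net/ipv4/ip_local_port_range instead of trusting this constant.
EPHEMERAL = range(32768, 61000)


def parse_record(line: str) -> dict:
    """Turn one exported Firestarter event into a field -> value dict."""
    rec = {}
    for token in SPLIT_RE.split(line.strip()):
        name, _, value = token.partition(":")
        rec[name] = value.strip()
    return rec


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def classify_port(port: int) -> str:
    """Ephemeral ports are where replies to our own connections arrive."""
    if port in EPHEMERAL:
        return "ephemeral"
    if port < 1024:
        return "well-known"
    return "registered"


def summarize(text: str) -> dict:
    """Count blocked inbound packets per (source, destination port)."""
    counts = Counter()
    for rec in parse_log(text):
        # "In" set and "Out" empty means the packet arrived on an interface
        # and was not being forwarded, i.e. it was addressed to this host.
        if rec.get("In") and not rec.get("Out"):
            counts[(rec["Source"], int(rec["Port"]))] += 1
    return dict(counts)


HINTS = {
    "ephemeral": "likely late replies to a connection this host opened; "
                 "find out what was talking to this source at that time",
    "well-known": "aimed at a service port; confirm whether anything listens there",
    "registered": "identify any listener on this port before worrying",
}


def report(text: str) -> list:
    """One human-readable line per (source, port) pair, most frequent first."""
    lines = []
    items = sorted(summarize(text).items(), key=lambda kv: (-kv[1], kv[0]))
    for (src, port), n in items:
        kind = classify_port(port)
        lines.append(f"{src} -> port {port} ({kind}): {n} packet(s); {HINTS[kind]}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

All nine posted records land on ports 41897, 41898 and 51193, which are inside the default ephemeral range, with nothing in the log claiming a listener on this host. That is consistent with the firewall discarding stragglers from sessions the machine had already closed, and the next step is to correlate the timestamps with what the host was doing at 13:41 rather than to treat the source as an attacker; the classification is a heuristic, not a verdict.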

Regular Contributor
Posts: 35
Registered: ‎08-17-2005

Re: Constant Guard Center warning

[ Edited ]

Comcast would not allow me to post a long message, so I'm afraid that this will be a 2-part message.

I also host a virtualized XP guest via VirtualBox. (I usually only run it very occasionally.  But, I installed a printer that isn't happy with Linux drivers.  So, I have run XP a bit more lately.) After installing Ubuntu, I installed VBox.  I briefly started the XP guest last night to verify that it still worked.  After the 2nd warning email from Constant Guard Center, I ran some tests...

I ran Avira on XP guest: No problems.

I ran MalwareBytes on XP guest: No problems.

I ran ClamWin on XP guest:  Problem.

C:\Program Files\TestOut\sims\2003_06\Programs\XPFldrProp.exe
Heuristic  FOUND

The "trojan" appears to have been found heuristically, not from a list of known trojans.  This leads me to wonder if it is a real trojan at all.  TestOut.com's LabSim software does "phone home" for updates, etc.

But, a Google search does seem to indicate that Trojan.SusPacked.FFXPU is real.  But, I'm not finding any info on it other than it exists.

Thanks again,

-Joe :smileyhappy:

Regular Contributor
Posts: 35
Registered: ‎08-17-2005

Re: Constant Guard Center warning

[ Edited ]

I have a little more information from Google. It seems that no one knows if XPFldrProp.exe is safe:

https://www.online-armor.com/oasis2/file/testout_corporation/unspecified_product/xpfldrprop_exe/9353...

http://www.prevx.com/filenames/X798562851884365024-X1/XPFLDRPROP.EXE.html

I hope Comcast doesn't cut my service because they think I'm infected.

Official Employee
ComcastSteve
Posts: 384
Registered: ‎09-13-2006

Re: Constant Guard Center warning

joegumbo

What part of the country are you located in? We did send some email notifications of the product to users, and what you received may not be an actual issue.

Steve Teow

Regular Contributor
Posts: 35
Registered: ‎08-17-2005

Re: Constant Guard Center warning

[ Edited ]

Hi ComcastSteve,

The closest major city is Pittsburgh, PA.  If you want more detailed info, I'll be happy to send it along.  But for my protection and privacy, I'd rather not go into more detail in a public forum.  I think we can PM here?

Thanks!

-Joe

Connection Expert
JamesR
Posts: 6,423
Registered: ‎09-29-2007

Re: Constant Guard Center warning

Probably better to send it to him at his email address above.
New Visitor
tngamecockfan
Posts: 1
Registered: ‎01-22-2012

Re: Constant Guard Center warning (Received 1/22/12)

Hi!

Just received this email supposedly from "Comcast Customer Security Assurance".  I don't believe this to be the case.  I didn't follow the link (shown below) in the email.  I have also given you the address that supposedly sent me this email.  Please contact me as to the validity of this email.

Please read the email below:

-----------------------------------------------------------------------------

Dear Comcast Customer,

The Constant Guard™ service has updated the Online Security of Comcast Users.

To link your account to our new update you just need to Relogin your account using the secure link bellow. The link
will redirect you to our update login page. Simply login your account and the account will automaticly be updated.

https://constantguard.comcast.net/link=newupdate?&=login/update.aspx

Sincerely,
Comcast Customer Security Assurance

===========================================================

The "From" address is shown below:

Comcast Support [34@woodnetwork.net]

Thanks in advance,

Ken
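The mismatch Ken noticed, a message signed "Comcast Customer Security Assurance" but sent from 34@woodnetwork.net, is the kind of check worth automating on a mail gateway or in a triage script. The following is an added example and is not code from the original post or from Comcast: it parses a message constructed from the details quoted above, compares the sender's domain with the domains the brand would be expected to mail from (an assumption made for this example; the thread only confirms that constantguard.comcast.net is the genuine site), and lists any link that asks the reader to log in. The To, Subject and Content-Type headers in the sample are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample in RFC 5322 form, assembled from what the post shows: the
# "From" header as displayed and the body text. The To, Subject and
# Content-Type headers are placeholders added for this example.
SAMPLE_MSG = """\
From: Comcast Support <34@woodnetwork.net>
To: customer@example.net
Subject: Constant Guard update (placeholder subject)
Content-Type: text/plain; charset=utf-8

Dear Comcast Customer,

The Constant Guard service has updated the Online Security of Comcast Users.

To link your account to our new update you just need to Relogin your account
using the secure link bellow. Simply login your account and the account will
automaticly be updated.

https://constantguard.comcast.net/link=newupdate?&=login/update.aspx

Sincerely,
Comcast Customer Security Assurance
"""

# Assumption for this example: the brand word a genuine sender would carry in
# its display name, and the domains it is expected to mail from.
BRAND = "comcast"
LEGIT_DOMAINS = {"comcast.net", "comcast.com"}
URL_RE = re.compile(r"https?://\S+")


def registrable(domain: str) -> str:
    """Crude last-two-labels approximation; a public-suffix list is better."""
    return ".".join(domain.lower().split(".")[-2:])


def sender_info(msg) -> tuple:
    """Return (display name, address, domain) from the From header."""
    name, addr = parseaddr(str(msg["From"]))
    return name, addr, addr.rpartition("@")[2].lower()


def assess(raw: str) -> dict:
    """Flag brand impersonation in the sender and credential-seeking links."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr, domain = sender_info(msg)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    urls = URL_RE.findall(body)
    findings = []

    # Display name invokes the brand while the address belongs to someone else.
    if BRAND in name.lower() and registrable(domain) not in LEGIT_DOMAINS:
        findings.append(("high", f"display name {name!r} but sender domain is {domain}"))

    for url in urls:
        host = urlparse(url).hostname or ""
        if "login" in url.lower():
            findings.append(("medium", f"asks for a login at {host}: {url}"))
        if registrable(host) not in LEGIT_DOMAINS:
            findings.append(("high", f"link host is off-brand: {host}"))

    return {
        "sender": addr,
        "sender_domain": domain,
        "urls": urls,
        "findings": findings,
        "suspicious": any(sev == "high" for sev, _ in findings),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_MSG)
    print("suspicious:", result["suspicious"])
    for sev, text in result["findings"]:
        print(f"  [{sev}] {text}")
```

The link host alone settles little here: the visible text points at the real constantguard.comcast.net, and in an HTML message the underlying href can differ from the text shown, so the sender-domain mismatch is the decisive finding for this sample. Forwarding such a message to the provider's abuse address, as Ken did by posting it, is the right move; the link itself stays unvisited.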