
Paul928

join:2000-05-06
Haverhill, MA

Constant Guard Security Alert?

Just got an email from Xfinity saying that I had a bot on my computer. Is this legit, or a scam of some sort? I never go to any shady sites, or click on anything from a link. I'm pretty careful on things like that. I am running MS Security Essentials, along with Malwarebytes (paid version); did a scan with both and came up with nothing!...anyone else know or heard of Comcast sending out these emails?


makaze
Premium
join:2004-02-23
USA

do you have more than one computer? could another be infected with something?



Paul928

join:2000-05-06
Haverhill, MA
reply to Paul928

Yes, my daughter has a computer...... I'll try doing a scan on that one later when I get home.....so what you are saying is this email is legitimate?



jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2
reply to Paul928

Go to »amibotted.comcast.net/ to verify your bot status.
--
JL
Comcast



Paul928

join:2000-05-06
Haverhill, MA

When I get home, I'll run that on both computers......thanks for the info.


smith_in_co

join:2003-12-12
Colorado Springs, CO

1 edit
reply to jlivingood

The "Am I Botted" URL only looks at activity from your modem's IP, so it most likely will not be able to tell you which computer connected to your router may have a bot.

That said, I've been looking into the BOT report from my modem/systems and I have done quite a bit of testing, and in one case even rebuilding from the computer maker's distribution disks. It's my feeling at this point that the new version of Am I Botted may be triggering unnecessary alerts. I have posted a request in the Comcast Help and Support Forums asking for information on what in particular they are seeing that is producing the alert (in my case the alert is for the Adware_generic bot), which generally has been easy to find using Norton, MSRT or other tools.
They have agreed that the new version has had some problems in showing the time at which the bot was last seen, and they did change the retention time for the alert to 24 hours from the seven days that was the case in the previous version.



Paul928

join:2000-05-06
Haverhill, MA
reply to jlivingood

According to that link, I am indeed infected with the ad aware virus or something like that.....going to run another virus scan with Security Essentials, and also Malwarebytes, and see what is detected.....I've also heard that SuperAntiSpyware is a good scanner, so maybe I'll scan with that as well.



Oregonian
Premium
join:2000-12-21
West Linn, OR

If you need help with getting rid of the nasty, you could try posting in the Security Clean Up forum.

»Security Cleanup



Johkal
Cool Cat
Premium,MVM
join:2002-11-13
Happy Valley
kudos:10
reply to Paul928

I occasionally get those alerts. To date my network is clean. I disregard them anymore.


smith_in_co

join:2003-12-12
Colorado Springs, CO

Although I'm running yet another scan in the background, it's my feeling that if these alerts are bogus we need to push on Comcast to clean up their detection methods/tools.

Otherwise the "Boy who cried Wolf" will be the case for me also.



Paul928

join:2000-05-06
Haverhill, MA
reply to Paul928

Ran Security Essentials and Malwarebytes; came up clean on both computers....Now running the Windows Malicious Software Tool...If that comes up with nothing, I have no idea of what to do next!



sortofageek
Runs from Clowns
Premium,Mod
join:2001-08-19
kudos:21

Check the addressee for the email you received and the email headers. I occasionally get those, but they are not actually from a Comcast domain.

When I do, I give the header info to ComcastSteve and he reports them.
--
Join Team Helix * I am praying for these friends .



Johkal
Cool Cat
Premium,MVM
join:2002-11-13
Happy Valley
kudos:10
reply to Paul928

If you find nothing, do nothing more. What I always find curious about these warnings is how the emails always lead you to download Constant Guard. Hmmmm.........!


smith_in_co

join:2003-12-12
Colorado Springs, CO
reply to sortofageek

In my case, and I think for the person above, in addition to the email, Comcast's website »amibotted.comcast.net is also saying I/we have the BOT, but I've been through the same set of scanners (and more) that Paul928 is trying and also came up clean.

I'm starting to think that these are false positives from their recently revised website. In the Comcast direct forum I've asked for the information as to what triggers the alert; in particular I would like to know what IP they show my modem accessing that they consider to be a BOT domain. If they can provide me with the address or DNS name I can check the site. Personally, I think with the IPv4 and IPv6 work going on I would not be terribly surprised that addresses are being re-used and that what was considered a 'safe site' might have become unsafe, or what was an unsafe address may have become a 'safe site' nowadays.

Just my $.02



Paul928

join:2000-05-06
Haverhill, MA
reply to sortofageek

said by sortofageek:

Check the addressee for the email you received and the email headers. I occasionally get those, but they are not actually from a Comcast domain.

When I do, I give the header info to ComcastSteve and he reports them.

Here are the addresses:

Received: by 10.224.70.205 with SMTP id e13mr2149780qaj.77.1355137742039;
Mon, 10 Dec 2012 03:09:02 -0800 (PST)
Return-Path:
Received: from qmta04.westchester.pa.mail.comcast.net (qmta04.westchester.pa.mail.comcast.net. [2001:558:fe14:43:76:96:62:40])
by mx.google.com with ESMTP id p4si8027436qct.98.2012.12.10.03.09.01;
Mon, 10 Dec 2012 03:09:01 -0800 (PST)
Received-SPF: neutral (google.com: 2001:558:fe14:43:76:96:62:40 is neither permitted nor denied by domain of online.communications@alerts.comcast.net) client-ip=2001:558:fe14:43:76:96:62:40;
Authentication-Results: mx.google.com; spf=neutral (google.com: 2001:558:fe14:43:76:96:62:40 is neither permitted nor denied by domain of online.communications@alerts.comcast.net) smtp.mail=online.communications@alerts.comcast.net; dkim=pass (test mode) header.i=@comcast.net
Received: from imta06.westchester.pa.mail.comcast.net ([76.96.62.53])
by qmta04.westchester.pa.mail.comcast.net with comcast
id Zn8q1k00218vZRY54n91sL; Mon, 10 Dec 2012 11:09:01 +0000
Received: from qmta01-mdp.westchester.pa.bo.comcast.net ([76.96.68.101])
by imta06.westchester.pa.mail.comcast.net with comcast
id ZmrW1k00o2B5erw06n5h3l; Mon, 10 Dec 2012 11:05:41 +0000
Received: from omta02-mdp.westchester.pa.bo.comcast.net ([76.96.53.12])
by qmta01-mdp.westchester.pa.bo.comcast.net with comcast
id ZlBz1k0010FoFkC01n5hov; Mon, 10 Dec 2012 11:05:41 +0000
Received: from PACDCMSSAPP01 ([68.87.97.254])
by omta02-mdp.westchester.pa.bo.comcast.net with bizsmtp
id Zn5h1k00F5VJHpw07n5hxU; Mon, 10 Dec 2012 11:05:41 +0000
From: "Comcast Online Communications"


Paul928

join:2000-05-06
Haverhill, MA

Well, after doing all those scans most of the evening, I still come up with nothing found! I'm starting to believe, as many here do, that this may be a false positive of some sort....From the little research that I've done on this subject, I guess this has been going on for a while, and people seem to come up with the same results as I have.... Just wondering when or if Xfinity is going to fix this, and stop scaring the crap out of its customers!



jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2

Not all malware infections are detected using free or commercial tools - this is not like anti-virus. Something to keep an eye on.

We're developing some new tools & capabilities in 2013 that will take this to the next level, since IPv4 NAT currently is a limiting technical factor for us.
--
JL
Comcast


smith_in_co

join:2003-12-12
Colorado Springs, CO

1 edit

I can understand that the IPv6 transition is preventing the rollout of new tools and capabilities, but like Paul928 mentioned, I think the current state of scaring the heck out of your customers with inaccurate and incomplete reports is a disservice to your customers. Not to mention the hours/$ your customers are spending working on something that can't be found.

As I mentioned in the Comcast Direct Forum please provide the details about what triggers the bot alert and then I and others can work backward from our Router(s) to search for the problem.

Also, I know that these bot alerts have been around since 2010 and I have been a Comcast/Adelphia customer for over 25 years, but my issues with getting them only started when the new version was put in last week, so please also review what changed last week that might be causing more false alerts than were created in the past.

Thank You.



KHAOS1

@comcast.net
reply to Paul928

Do you have a wireless router either with no password or a very weak one? Someone could be piggybacking on your network! Does your neighbor have your password? Has your daughter given it to a friend? Check your router logs, see how many connected devices you see, and verify MAC addresses.


smith_in_co

join:2003-12-12
Colorado Springs, CO

Yes, I have a wireless router using a long WPA2 key using all types of characters; in addition I use software such as inSSIDer, so I know what other wifi networks are in the area, and I review my router's reports to see if there is any access from computers other than ours.



Paul928

join:2000-05-06
Haverhill, MA

I too have a wireless router that is pretty well locked down....And no, my daughter has never given out the password to anybody! Just out of curiosity, I'm wondering if people that have Constant Guard on their computer are also getting these warnings, or for that matter, if a scan is done with Constant Guard, has any such malware been detected? I also find that between all these programs and scans being run (free or paid), at least one of them should be able to detect this "mystery" malware! I for one have spent enough of my time on this, and outside of actually doing a format on both my computers, have done all I can do! I am almost tempted to download a copy of Constant Guard to see, as an experiment, if it picks up on this exploit, even though I have always had a personal policy to keep my computers as clean as I can by not installing resource-hog programs like Constant Guard.....Might be worth it though, just to ease my own mind.



sortofageek
Runs from Clowns
Premium,Mod
join:2001-08-19
kudos:21
reply to Paul928

Paul,

Here is an example of what I sent ComcastSteve. He confirmed it was a "phishing expedition."

Notice the two bolded email domains. I would expect an email from Comcast to come from the comcast.com domain, so I was immediately suspicious.
================================

This morning I got an odd email to one of my Comcast email accounts, one I don't use heavily, just have some political stuff occasionally.

At first glance, I thought the subject was Constant Guard Alert. That struck me as odd since I have not installed Constant Guard.

The title is actually Comcast Guard Alert. Hmmm. It says it is from Comcast@security.com. Another hmmmm.

It has a link it wants me to click. The link is disguised as "Account Reconciliation" which covers the actual link ---> ht tp://butrflydrms213.home.comcast.net

Email headers:

Return-Path: root@wiki.poweroasis.com
Received: from imta31.westchester.pa.mail.comcast.net (LHLO
imta31.westchester.pa.mail.comcast.net) (76.96.62.25) by
sz0115.ev.mail.comcast.net with LMTP; Fri, 15 Jun 2012 21:07:49 +0000 (UTC)
Received: from Ubuntu11x64Svr ([84.92.25.153])
by imta31.westchester.pa.mail.comcast.net with comcast
id Nl7o1j01t3JBZMQ0Xl7oxZ; Fri, 15 Jun 2012 21:07:49 +0000
X-CAA-SPAM: 00000
X-Authority-Analysis: v=2.0 cv=WZ2OmjdX c=1 sm=1
a=p3riUwRaJWU4p/K8+3S3WQ==:17 a=YWNZQc2wkpcA:10 a=HRn4fpiT8EsA:10
a=cVHRbVdmAAAA:8 a=C_IRinGWAAAA:8 a=Baj1MykYeoxCemNOp18A:9
a=p3riUwRaJWU4p/K8+3S3WQ==:117
Received: from root by Ubuntu11x64Svr with local (Exim 4.76)
(envelope-from )
id 1Sfdi5-0006N0-6g
for xxxxxxx@comcast.net; Fri, 15 Jun 2012 22:05:37 +0100
To: xxxxxxx@comcast.net
Subject: Comcast Guard Alert
X-PHP-Originating-Script: 0:send.php
From: comcast@security.com
Content-Type: text/html
Message-Id:
Date: Fri, 15 Jun 2012 22:05:37 +0100
X-Brightmail-Tracker: AAAAAA==
X-Brightmail-Tracker: AAAAAA==

Email message:

Xfinity

Constant Guard Alert

Dear XFINITY Customer,

Please read this entire message.

In an effort to improve our customers' experience,
Comcast has been reviewing some user accounts and sending e-mails that direct customers to an

Account Reconciliation
ht tp://butrflydrms213.home.comcast.net

We appreciate your prompt attention to this important security notice.

Sincerely,

Constant Guard from XFINITY
===========================

Pfish?


--
Join Team Helix * I am praying for these friends .
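The header-checking advice sortofageek gives above, and the two header sets posted in this thread (the genuine alert Paul928 pasted, with dkim=pass and a Return-Path on a Comcast domain, and the phish above, with a root@wiki.poweroasis.com Return-Path, a comcast@security.com From: and a disguised link), are the kind of thing a small script can score for you. What follows is an added example, not code from the thread or from Comcast. The two samples are trimmed from the posted headers; the genuine message's From: and Return-Path addresses, which the forum stripped, are filled in from the smtp.mail identity in its Authentication-Results line, and the finding weights and the "suspicious" threshold are my own assumptions.

```python
"""Score raw e-mail headers for common phishing tells.

Added example (not from the thread). Checks: From domain vs Return-Path
domain, presence/outcome of SPF and DKIM in Authentication-Results,
script-generated-mail headers, a bare (non-FQDN) origin hop, and HTML
links whose host is not the sender's domain. Weights are assumptions.
"""
import re
import email
from email.utils import parseaddr

# Constructed sample, trimmed from the genuine alert's headers posted in the
# thread. From:/Return-Path were stripped by the forum and are filled in
# from the smtp.mail identity that Authentication-Results shows.
GENUINE = """\
Return-Path: <online.communications@alerts.comcast.net>
Received: from qmta04.westchester.pa.mail.comcast.net ([2001:558:fe14:43:76:96:62:40])
 by mx.google.com with ESMTP id p4si8027436qct.98.2012.12.10.03.09.01;
 Mon, 10 Dec 2012 03:09:01 -0800 (PST)
Authentication-Results: mx.google.com; spf=neutral (google.com: 2001:558:fe14:43:76:96:62:40 is neither permitted nor denied by domain of online.communications@alerts.comcast.net) smtp.mail=online.communications@alerts.comcast.net; dkim=pass (test mode) header.i=@comcast.net
Received: from PACDCMSSAPP01 ([68.87.97.254])
 by omta02-mdp.westchester.pa.bo.comcast.net with bizsmtp
 id Zn5h1k00F5VJHpw07n5hxU; Mon, 10 Dec 2012 11:05:41 +0000
From: "Comcast Online Communications" <online.communications@alerts.comcast.net>
Subject: Constant Guard Security Alert

"""

# Constructed sample, trimmed from the phishing headers and body posted in
# the thread (the link is the one hidden behind "Account Reconciliation").
PHISH = """\
Return-Path: <root@wiki.poweroasis.com>
Received: from Ubuntu11x64Svr ([84.92.25.153])
 by imta31.westchester.pa.mail.comcast.net with comcast
 id Nl7o1j01t3JBZMQ0Xl7oxZ; Fri, 15 Jun 2012 21:07:49 +0000
To: xxxxxxx@comcast.net
Subject: Comcast Guard Alert
X-PHP-Originating-Script: 0:send.php
From: comcast@security.com
Content-Type: text/html

<p>Constant Guard Alert</p>
<a href="http://butrflydrms213.home.comcast.net">Account Reconciliation</a>
"""

LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr):
    """Domain part of an address header value, lower-cased ('' if none)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def analyze(raw):
    """Return (score, reasons) for a raw RFC 822 message string."""
    msg = email.message_from_string(raw)
    findings = []  # (weight, reason); weights are assumptions

    from_dom = _domain(msg["From"])
    rp_dom = _domain(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append((2, f"From domain {from_dom} != Return-Path domain {rp_dom}"))

    auth = msg.get("Authentication-Results")
    if auth is None:
        findings.append((1, "no Authentication-Results header from the receiving MX"))
    else:
        spf = re.search(r"\bspf=(\w+)", auth)
        dkim = re.search(r"\bdkim=(\w+)", auth)
        if spf and spf.group(1) in ("fail", "softfail"):
            findings.append((2, f"SPF {spf.group(1)}"))
        if not dkim or dkim.group(1) != "pass":
            findings.append((1, "no passing DKIM signature"))

    if msg.get("X-PHP-Originating-Script"):
        findings.append((1, "message generated by a PHP script"))

    # The last Received: header is the hop closest to the origin.
    received = msg.get_all("Received") or []
    if received:
        m = re.search(r"from\s+(\S+)", received[-1])
        if m and "." not in m.group(1):
            # Weak signal: the genuine sample's origin hop is also a bare name.
            findings.append((1, f"origin hop '{m.group(1)}' is a bare hostname"))

    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href, text in LINK.findall(body):
        host = re.sub(r"^\w+://", "", href).split("/")[0].lower()
        if from_dom and not host.endswith(from_dom):
            findings.append((2, f"link '{text.strip()}' goes to {host}, not {from_dom}"))

    return sum(w for w, _ in findings), [r for _, r in findings]


def verdict(raw, threshold=3):
    """Coarse label; threshold is an assumption, tune it on your own mail."""
    score, _ = analyze(raw)
    return "suspicious" if score >= threshold else "plausibly genuine"


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("phish", PHISH)):
        score, reasons = analyze(raw)
        print(f"{label}: score={score} verdict={verdict(raw)}")
        for r in reasons:
            print("  -", r)
```

The phish trips five checks (domain mismatch, no authentication results, PHP-originated, bare origin host, off-domain link); the genuine alert trips only the bare-hostname check, which is exactly why that one carries little weight on its own. The DKIM "pass" is the strongest single signal here: it ties the message to a key published under comcast.net, which a phisher sending from an unrelated Ubuntu box cannot reproduce.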


jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2

1 recommendation

reply to smith_in_co

said by smith_in_co:

I can understand that the IPv6 transition is preventing the rollout of new tools and capabilities,

It is actually the reverse: It's not that IPv6 is preventing anything -- it is more that IPv4 NAT is. IPv6 actually enables more things.

said by smith_in_co:

I think the current state of scaring the heck out of your customers with inaccurate and incomplete reports is a disservice to your customers.

While the language of the alerts is written to acknowledge the possibility of false positives, we think it'd be a disservice not to tell customers that we have observed one of their hosts participating in a bot network. Keep in mind that malware removal tools are in their relative infancy compared to, say, anti-virus tools. Bots are designed to be difficult to find and difficult to remove. Were that not the case, bots would not be so successful getting onto trusted hosts on some of the world's most secure networks -- not to mention your average home LAN.

said by smith_in_co:

As I mentioned in the Comcast Direct Forum please provide the details about what triggers the bot alert and then I and others can work backward from our Router(s) to search for the problem.

What triggers the alert is customers participating in malicious bot networks.
--
JL
Comcast


NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
reply to sortofageek

said by sortofageek:

Paul,

Here is an example of what I sent ComcastSteve. He confirmed it was a "phishing expedition."...

Just because you received a phishing email pretending to be from Comcast does not mean that the OP did. In fact, when the OP went to »amibotted.comcast.net/ , that site confirmed that Comcast had indeed identified his connection as being a bot host:
said by Paul928:

According to that link, I am indeed infected with the ad aware virus or something like that...

Not only that, but the post containing the headers from the OP's email to which you replied clearly shows that the email received by the OP was indeed from Comcast.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

smith_in_co

join:2003-12-12
Colorado Springs, CO
reply to jlivingood

What I need to know is what activity, or accessing what IP or website, your tool has determined warrants a BOT notification. If you can provide the requested info I at least have a chance of preventing the activity or access at my router and/or computer.



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

1 recommendation

said by smith_in_co:

What I need to know is what activity or accessing what IP or website Your tool has determined warrants a BOT notification. If you can provide the requested info I at least have a chance of preventing the activity or access at my router and/or computer.

It's not Comcast's job to police your LAN or identify the malware. They detected it and notified you. It's in your hands now to find it. Why is it their responsibility to find your bot/malware?
--
"I drank what?" -Socrates

smith_in_co

join:2003-12-12
Colorado Springs, CO

1 recommendation

I'm not asking them to 'correct my LAN'; what I'm asking is for them to tell me what they have identified that makes their tool think I have a bot.

As you can see in my post, what I'm asking for is an IP or DNS name that they are seeing activity to from my modem, which makes them think one of my devices is hosting a BOT.



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

1 recommendation

said by smith_in_co:

I'm not asking them to 'correct my lan' what I'm asking is for them to tell me what they have identified that makes their tool think I have a bot.

As you can see in my post what I'm asking for is an IP or dns name that they are seeing activity from my modem to that makes them think one of my devices is hosting a BOT.

This is why I like having a FreeBSD (or Linux, etc) type box as a router. I can tcpdump and see what's going on with the network and find it myself.

But yes, if all you want to know is IP or host names, then that seems reasonable. But given the amount of data they must go through, it's not inconceivable that they throw this kind of stuff away once it's reported, to save on space.
--
"I drank what?" -Socrates


ropeguru
Premium
join:2001-01-25
Mechanicsville, VA
reply to smith_in_co

pflog beat me to it...


smith_in_co

join:2003-12-12
Colorado Springs, CO

1 recommendation

But their software is supposedly seeing something from my modem's IP to some other point in space. This is the information that I want them to provide. Once I know what/where that point is, I can locate where the access is coming from at my router.
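Three posts above describe the same router-side procedure from different angles: KHAOS1 says to check the router's connected-device list and verify MAC addresses, pflog says a FreeBSD or Linux router lets you tcpdump the LAN side and find the host yourself, and smith_in_co wants the destination IP Comcast saw so he can work backward from the router. Since the ISP only ever sees the modem's public IP (the NAT limitation jlivingood mentions), this attribution has to happen on your side of the NAT. The following is an added example, not code from the thread or from any Comcast tool. It assumes a `tcpdump -n` capture on the router's LAN interface, a DHCP lease dump in "ip mac hostname" form, and a suspect address supplied by the ISP; all of the sample data, MACs and hostnames are constructed, and 203.0.113.7 / 198.51.100.0/24 are documentation addresses standing in for whatever the ISP reports.

```python
"""Work backward from an ISP-reported destination to the LAN host that
contacted it, and list devices the household does not recognise.

Added example (not from the thread). Inputs are constructed: a DHCP
lease table as most home routers display it, a set of known MACs, and
`tcpdump -n -i <lan_if>` summary lines from the router's LAN side.
"""
import re
import ipaddress
from collections import defaultdict

# Constructed lease table: "ip mac hostname" per line (MACs/names made up).
LEASES = """\
192.168.1.10 00:1b:21:aa:bb:01 pauls-desktop
192.168.1.23 00:1b:21:aa:bb:02 daughter-laptop
192.168.1.77 00:26:5a:cc:dd:03 unknown-android
"""

# Constructed: MACs of the devices the household actually owns.
KNOWN_MACS = {"00:1b:21:aa:bb:01", "00:1b:21:aa:bb:02"}

# Constructed tcpdump -n output from the LAN interface. 203.0.113.7 stands in
# for the address the ISP would report; 198.51.100.5 is ordinary traffic.
TCPDUMP = """\
11:05:41.001 IP 192.168.1.10.50123 > 198.51.100.5.443: Flags [S], seq 1
11:05:42.002 IP 192.168.1.23.49152 > 203.0.113.7.6667: Flags [S], seq 2
11:05:43.003 IP 192.168.1.23.49153 > 203.0.113.7.6667: Flags [S], seq 3
11:05:44.004 IP 192.168.1.77.41000 > 203.0.113.7.80: Flags [S], seq 4
11:05:45.005 IP 192.168.1.10.50124 > 198.51.100.5.443: Flags [S], seq 5
"""

# src.sport > dst.dport as tcpdump -n prints IPv4 TCP/UDP flows.
FLOW = re.compile(r"IP (\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):")


def parse_leases(text):
    """Map LAN IP -> (MAC, hostname) from a whitespace-separated lease dump."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            name = parts[2] if len(parts) > 2 else ""
            leases[parts[0]] = (parts[1].lower(), name)
    return leases


def unknown_devices(leases, known_macs):
    """Leases whose MAC is not on the household's list (KHAOS1's check)."""
    return sorted((ip, mac, name) for ip, (mac, name) in leases.items()
                  if mac not in known_macs)


def attribute(tcpdump_text, leases, suspect):
    """Which private LAN hosts talked to `suspect` (an IP or a CIDR block)?

    Returns a list of dicts sorted by flow count, most active first.
    """
    target = ipaddress.ip_network(suspect, strict=False)
    flows = defaultdict(int)
    ports = defaultdict(set)
    for line in tcpdump_text.splitlines():
        m = FLOW.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        # Only LAN-side sources: the router's own WAN traffic is not a host.
        if ipaddress.ip_address(dst) in target and ipaddress.ip_address(src).is_private:
            flows[src] += 1
            ports[src].add(dport)
    hits = []
    for src, n in flows.items():
        mac, name = leases.get(src, ("?", "not in lease table"))
        hits.append({"ip": src, "mac": mac, "name": name,
                     "flows": n, "ports": sorted(ports[src])})
    hits.sort(key=lambda h: (-h["flows"], h["ip"]))
    return hits


if __name__ == "__main__":
    leases = parse_leases(LEASES)
    for ip, mac, name in unknown_devices(leases, KNOWN_MACS):
        print(f"unrecognised device: {ip} {mac} {name}")
    for h in attribute(TCPDUMP, leases, "203.0.113.7"):
        print(f"{h['ip']} ({h['mac']}, {h['name']}): "
              f"{h['flows']} flows to suspect, ports {h['ports']}")
```

Run against the constructed capture, this points at daughter-laptop (two connections to port 6667) and at a device whose MAC is not on the known list, which is the two-step answer to both "which computer?" and "is someone piggybacking?". On a real network, run the capture for long enough to catch periodic beaconing, and remember that the lease table only shows devices that used DHCP; a statically addressed intruder would show up in the capture but not in the leases.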