Forum Thread

AT&T Uverse Malware Infection Advisory - Citadel

WaarrEagle (367 posts, 87 reputation), July 2, 2014 at 06:54 PM
Anyone ever get one of these before:

AT&T has received information indicating that one or more devices using your Internet connection may be infected with malicious software. Internet traffic consistent with a malware infection was observed on Jun 30, 2014 at 11:42 PM EDT from the IP address (my IP - removed for privacy). Our records indicate that this IP address was assigned to you at this time. Infection details:

Type: citadel
Source port: 51810
Destination IP: 198.xx.xx.98
Destination port: 80
For security reasons, the destination IP is partially obscured.

Infected devices are often used as participants in zombie computer networks ("botnet"). Botnets are networks of computers which have been infected with malware and placed under the control of a hacker or group of hackers. They are typically used for attacks on websites, spamming, fraud, and distribution of additional malware.


Oddly enough, I have been away from home for the past week and none of my computers were left on. I do have a fairly well connected home with several Foscams, a DLink DNS-325, DirecTV boxes and a SlingBox on my network but are any of those candidates for malware? I checked the log on the DNS-325 and did not see anything unusual. I do have WiFi but it is secured with WPA. Any tips on how to further investigate the source?

5 Comments


Joined Jul 2006
CDI gave me free netflix!
50,348 Posts
10,948 Reputation
#2
I'll take "Chinese company Foscam has vulnerabilities in its firmware" for $100, Alex.

http://www.darkreading.com/vulner...d/1109560?
Joined Jul 2008
L10: Grand Master
6,214 Posts
3,165 Reputation
#3
The email is probably legitimately from AT&T. Here's a discussion [experts-exchange.com] of similar emails.

Citadel often goes hand in hand with the FBI Ransomware called Reveton. Malwarebytes should be able to remove it all. I'd recommend running a full scan on all of your computers with the anti-virus & anti-malware program(s) of your choice.

More info on Citadel: http://blog.malwarebytes.org/inte...te-weapon/
Joined Feb 2004
L4: Apprentice
367 Posts
87 Reputation
Original Poster
#4
Quote from dzap View Post :
I'll take "Chinese company Foscam has vulnerabilities in its firmware" for $100, Alex.

http://www.darkreading.com/vulner...d/1109560?
Possibly, but I have changed the default password and default ports on all of them. Firmware was also updated in the past 2 months.
Last edited by WaarrEagle July 2, 2014 at 07:51 PM.
#5
Quote from WaarrEagle View Post :
Anyone ever get one of these before:

AT&T has received information indicating that one or more devices using your Internet connection may be infected with malicious software. Internet traffic consistent with a malware infection was observed on Jun 30, 2014 at 11:42 PM EDT from the IP address (my IP - removed for privacy). Our records indicate that this IP address was assigned to you at this time. Infection details:

Type: citadel
Source port: 51810
Destination IP: 198.xx.xx.98
Destination port: 80
For security reasons, the destination IP is partially obscured.

Infected devices are often used as participants in zombie computer networks ("botnet"). Botnets are networks of computers which have been infected with malware and placed under the control of a hacker or group of hackers. They are typically used for attacks on websites, spamming, fraud, and distribution of additional malware.


Oddly enough, I have been away from home for the past week and none of my computers were left on. I do have a fairly well connected home with several Foscams, a DLink DNS-325, DirecTV boxes and a SlingBox on my network but are any of those candidates for malware? I checked the log on the DNS-325 and did not see anything unusual. I do have WiFi but it is secured with WPA. Any tips on how to further investigate the source?
Do you use WPA or WPA2? AES or TKIP? Did you disable WPS (guessing no)? You can crack routers running WPS in about 2 minutes.

I would check the DHCP logs and ID every device on it to ensure no rogue devices appeared.

If you have usage logs, I would look for something connecting to the 198 IP and search for usage of port 51810.
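One way to act on the two checks suggested in the comment above (search the router's connection log for the advisory's destination and ports, and compare the DHCP lease table against a known-device inventory), written as an added example that is not part of this thread. It is a Python script run over a constructed connection log and a constructed lease table in a hypothetical line format; the advisory's masked destination is matched as a pattern, the 198.51.100.x addresses are documentation-range placeholders rather than the real destination, and the device names and MACs are made up for the example.

```python
import re
from datetime import datetime

# Constructed DHCP lease table (hypothetical LAN, not from the thread):
# "ip mac hostname" per line.
DHCP_LEASES = """\
192.168.1.10 00:11:22:33:44:55 Foscam-Cam1
192.168.1.11 00:11:22:33:44:56 Foscam-Cam2
192.168.1.20 aa:bb:cc:dd:ee:20 DNS-325
192.168.1.30 aa:bb:cc:dd:ee:30 SlingBox
192.168.1.50 aa:bb:cc:dd:ee:50 Laptop
192.168.1.77 de:ad:be:ef:00:77 android-x1
"""

# Inventory of MACs the owner recognises (constructed). The last lease above is absent on purpose.
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:56",
              "aa:bb:cc:dd:ee:20", "aa:bb:cc:dd:ee:30", "aa:bb:cc:dd:ee:50"}

# Constructed router connection log in a hypothetical format:
# "YYYY-MM-DD HH:MM:SS src:port -> dst:port proto". 198.51.100.0/24 is a documentation range.
CONN_LOG = """\
2014-06-30 23:40:01 192.168.1.50:44123 -> 93.184.216.34:443 TCP
2014-06-30 23:42:17 192.168.1.10:51810 -> 198.51.100.98:80 TCP
2014-06-30 23:42:18 192.168.1.10:51811 -> 198.51.100.98:80 TCP
2014-06-30 23:45:00 192.168.1.20:60000 -> 198.51.100.5:80 TCP
2014-07-01 00:01:02 192.168.1.30:51810 -> 203.0.113.9:443 TCP
"""

# Advisory indicators as given in the thread (destination IP partially obscured by AT&T).
ADVISORY_DST = "198.xx.xx.98"
ADVISORY_DPORT = 80
ADVISORY_SPORT = 51810
OBSERVED = datetime(2014, 6, 30, 23, 42)  # 11:42 PM EDT, in the router's local time

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_leases(text):
    """Return {ip: (mac, hostname)} from the lease table."""
    leases = {}
    for line in text.splitlines():
        if line.strip():
            ip, mac, name = line.split()
            leases[ip] = (mac.lower(), name)
    return leases


def parse_conn_log(text):
    """Return a list of flow dicts; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            flows.append(d)
    return flows


def ip_matches_pattern(ip, pattern):
    """Match a dotted quad against a masked pattern such as '198.xx.xx.98'."""
    want, have = pattern.split("."), ip.split(".")
    if len(want) != 4 or len(have) != 4:
        return False
    return all(w == "xx" or w == h for w, h in zip(want, have))


def find_suspect_flows(flows, leases, dst_pattern=ADVISORY_DST, dst_port=ADVISORY_DPORT,
                       src_port=ADVISORY_SPORT, observed=OBSERVED, window_minutes=10):
    """Flows to the advisory destination/port, rated by how closely they fit the report.

    The destination match is the real signal; a matching ephemeral source port on its
    own is weak evidence, so it only raises confidence when the destination also matches."""
    findings = []
    for f in flows:
        if not ip_matches_pattern(f["dst"], dst_pattern) or f["dport"] != dst_port:
            continue
        in_window = abs((f["ts"] - observed).total_seconds()) <= window_minutes * 60
        if in_window and f["sport"] == src_port:
            confidence = "high"
        elif in_window:
            confidence = "medium"
        else:
            confidence = "low"
        mac, name = leases.get(f["src"], ("unknown", "unknown"))
        findings.append({"ts": f["ts"], "src": f["src"], "sport": f["sport"], "dst": f["dst"],
                         "mac": mac, "device": name, "confidence": confidence})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda x: (order[x["confidence"]], x["ts"]))


def rogue_leases(leases, known_macs):
    """Leases whose MAC is not in the owner's inventory: candidates for an unexpected device."""
    return [(ip, mac, name) for ip, (mac, name) in leases.items() if mac not in known_macs]


if __name__ == "__main__":
    leases = parse_leases(DHCP_LEASES)
    for hit in find_suspect_flows(parse_conn_log(CONN_LOG), leases):
        print(f"{hit['confidence']:6} {hit['ts']} {hit['device']} ({hit['src']}:{hit['sport']}) -> {hit['dst']}")
    for ip, mac, name in rogue_leases(leases, KNOWN_MACS):
        print(f"unrecognised lease: {ip} {mac} {name}")
```

On the constructed data the script attributes the matching flow to the first camera's lease and flags the one lease whose MAC is not in the inventory; the flow from another device that merely reuses source port 51810 toward an unrelated destination is not reported, which is the point of keying on the destination rather than the ephemeral port.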
Joined Feb 2004
L4: Apprentice
367 Posts
87 Reputation
Original Poster
#6
Quote from mrbobhcrhs View Post :
Do you use WPA or WPA2? AES or TKIP? Did you disable WPS (guessing no)? You can crack routers running WPS in about 2 minutes.

I would check the DHCP logs and ID every device on it to ensure no rogue devices appeared.

If you have usage logs, I would look for something connecting to the 198 IP and search for usage of port 51810.
Unfortunately I am still traveling and away from home so I can't investigate all of these details. I use the basic U-Verse modem/router that AT&T provides so I hope it has a good log. I'll take a look when I get home and see if anything looks fishy.