Channel: CenturyLink forum - dslreports.com

Threats of termination for bot infection, but all scans are clean.

In the last two weeks I've received two emails warning/accusing me of being infected with an iotmirai virus, and generating bot activity. This email threatens to terminate my DSL service. Both times I've run full AVG and Malwarebytes scans, and nothing showed up. (I'd run both about a week prior, and that was clean too, of course.) Yesterday I also ran TrendMicro's online scan, as well as their Network Security scan, and both were 100% clean.

I have no IoT devices -- no cameras, appliances, smart TVs, DVRs, nothing that accesses the internet. I only have one laptop, a tablet, some phones, and a printer which is rarely turned on. There is nothing here for iotmirai to use as a bot. Both my gateway and my router have a unique password, not the default admin/admin. My WiFi connection is secure and encrypted, and the WPS is set to "button only," so someone would need physical access to connect. I don't click on random stuff, and am very careful about what I install.

I've replied to both emails, explained all this, and sent screencaps of the results of these scans, twice now, but haven't received any reply. So, how am I getting tagged for these emails? How to prove there's nothing here? Or how to find whatever is happening, if all these scans are clear? And how likely is CenturyLink to turn off my service, despite my attempts to avert that?
Here's the text of their "investigation" (sorry about the format, that's how it is in the email):

quote:
The date, time (GMT) and IP addresses identified in our investigation are as follows:

Date IP Additional Info
=================== ===========
2016-12-01 19:35:11 76.1.xxx.xxx mwtype => 'iotmirai', C&C => '-', srcport => '13164', dstport => '7547', asn => '6222', protocol => 'tcp'
2016-12-01 22:33:31 76.1.xxx.xxx infection => 'bots', subtype => 'bladabindi', src_port => '60060', dest_ip => '204.95.99.26', dest_port => '7547', URI => 'POST /UD/act', asn => '6222', Risk => 'High'
2016-12-02 00:09:50 76.1.xxx.xxx mwtype => 'iotmirai', C&C => '-', srcport => '52154', dstport => '7547', asn => '6222', protocol => 'tcp'

Date IP Additional Info
=================== ===========
2016-11-22 00:47:08 76.1.xxx.xxx mwtype => 'iotmirai', C&C => '-', srcport => '12785', dstport => '2323', asn => '6222', protocol => 'tcp'
2016-11-22 01:37:32 76.1.xxx.xxx mwtype => 'bots', subtype => 'Mirai', category => 'webbots', dstport => '23', detail => 'Mirai Bot', asn => '6222', cc => 'US'

Weirdly, the "destination IP" is Microsoft.

quote:
204.95.99.26 IP address Information
The IP address 204.95.99.26 was found in Redmond, Washington, United States. It is allocated to Sprint, Microsoft Corporation.
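
An added example, not part of the original post or of the ISP's email: a small parser for the rows quoted above that normalizes the inconsistently named port fields and groups the report times (GMT) by destination port, so they can be compared against a router's outbound connection log for the same period. The function names and the `ALIASES` mapping are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Rows as quoted in the post above (address already redacted by the poster).
NOTICE = """\
Date IP Additional Info
=================== ===========
2016-12-01 19:35:11 76.1.xxx.xxx mwtype => 'iotmirai', C&C => '-', srcport => '13164', dstport => '7547', asn => '6222', protocol => 'tcp'
2016-12-01 22:33:31 76.1.xxx.xxx infection => 'bots', subtype => 'bladabindi', src_port => '60060', dest_ip => '204.95.99.26', dest_port => '7547', URI => 'POST /UD/act', asn => '6222', Risk => 'High'
2016-12-02 00:09:50 76.1.xxx.xxx mwtype => 'iotmirai', C&C => '-', srcport => '52154', dstport => '7547', asn => '6222', protocol => 'tcp'
2016-11-22 00:47:08 76.1.xxx.xxx mwtype => 'iotmirai', C&C => '-', srcport => '12785', dstport => '2323', asn => '6222', protocol => 'tcp'
2016-11-22 01:37:32 76.1.xxx.xxx mwtype => 'bots', subtype => 'Mirai', category => 'webbots', dstport => '23', detail => 'Mirai Bot', asn => '6222', cc => 'US'
"""

ROW = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")
PAIR = re.compile(r"([^,=]+?)\s*=>\s*'([^']*)'")
# The rows name the port fields inconsistently (srcport/src_port,
# dstport/dest_port); map them to one spelling. Hypothetical helper mapping.
ALIASES = {"srcport": "src_port", "dstport": "dst_port", "dest_port": "dst_port"}

def parse_notice(text):
    """Return one dict per data row; header and ruler lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        event = {"time": m.group(1), "ip": m.group(2)}
        for key, value in PAIR.findall(m.group(3)):
            key = key.strip()
            event[ALIASES.get(key, key)] = value
        events.append(event)
    return events

def by_dst_port(events):
    """Group report timestamps (GMT) by the destination port that was flagged."""
    ports = defaultdict(list)
    for e in events:
        if "dst_port" in e:
            ports[int(e["dst_port"])].append(e["time"])
    return dict(ports)

if __name__ == "__main__":
    for port, times in sorted(by_dst_port(parse_notice(NOTICE)).items()):
        print(f"port {port}: {len(times)} report(s): {', '.join(times)}")
```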
