Woshbuild H2s virus ?

ryan5262

Newbie
My ISP cut me off as I had several outgoing connections trying to connect to several IPs (told them I had a laptop virus but nothing was on apart from the box) so now back on.

So done a bit of digging.

So using telnet and some netsh commands I could see my box spamming lots of IP addresses and they were just counting up and trying to connect on same port 44454 on multiple IPs.

I have switched off and will reflash, just wanted to see if anyone else was seeing this?

Sent from my SM-G935F using Tapatalk
 
Interesting... someone had an issue with TalkTalk and Zgemma H2S on another thread (didn't read it all) so maybe the two are connected.
Can you list the telnet netsh commands you used to check so maybe other Zgemma users can test? (if it's allowed on the forum)
 
It's on Sky and the box was DMZ at the time. I have taken DMZ off and rebooted router.

Switched box on a few times and running the netsh command in a telnet window it's still trying to connect to multiple IPs.

Will get exact commands I used and send a screenshot shortly before I reflash it.

Sent from my SM-G935F using Tapatalk
 
Factory reset router then reflash box. You're exposed and getting IP scanned; there are websites that do this automatically, constantly looking for OpenWebif ports.

Can you take a screenshot of your root directory on the box via Windows Explorer?

Sent from my SM-G925F using Tapatalk
 
Command is netstat -at and as you can see below it's the box that's making the scan to external IPs/ports. I will reflash it and see if it's the same.

If still the same will try another build.
61535d465c61a60a5c9b6c4bae5ac18a.jpg


Sent from my SM-G935F using Tapatalk
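
The pattern described in this post (the box opening connections to many external IPs, counting up, all on one remote port), as an added example that is not part of the original thread: a Python script that parses `netstat -atn` output and flags that fan-out. The sample output, the `192.168.0.0/24` LAN range and the threshold of 4 hosts are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed `netstat -atn` output; addresses are documentation ranges, not from the thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.20:23         192.168.0.5:50122       ESTABLISHED
tcp        0      1 192.168.0.20:41010      203.0.113.7:44454       SYN_SENT
tcp        0      1 192.168.0.20:41011      203.0.113.8:44454       SYN_SENT
tcp        0      1 192.168.0.20:41012      203.0.113.9:44454       SYN_SENT
tcp        0      1 192.168.0.20:41013      203.0.113.10:44454      SYN_SENT
tcp        0      0 192.168.0.20:39000      198.51.100.4:443        ESTABLISHED
"""

# proto, recv-q, send-q, local addr:port, then captured remote addr, remote port, state
ROW = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)")

def longest_run(ips):
    """Length of the longest run of consecutive addresses ("counting up")."""
    nums = sorted(int(ip) for ip in ips)
    best = run = 1
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def scan_suspects(netstat_text, lan="192.168.0.0/24", min_hosts=4):
    """Map remote port -> (distinct hosts, longest consecutive run) for off-LAN fan-out."""
    lan_net = ipaddress.ip_network(lan)  # assumed home subnet
    by_port = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header rows and LISTEN rows (remote port is "*")
        remote, rport, state = m.groups()
        if state not in ("SYN_SENT", "ESTABLISHED"):
            continue
        try:
            ip = ipaddress.IPv4Address(remote)
        except ValueError:
            continue  # hostname or IPv6 address; use -n so netstat prints numeric IPs
        if ip in lan_net or ip.is_loopback:
            continue  # LAN clients such as the telnet session itself
        by_port[int(rport)].add(ip)
    return {p: (len(ips), longest_run(ips))
            for p, ips in by_port.items() if len(ips) >= min_hosts}

if __name__ == "__main__":
    print(scan_suspects(SAMPLE))
```

Grouping by remote port keeps ordinary inbound sessions (OpenWebif or telnet clients, which arrive from varied ephemeral ports) from tripping the check.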
 
Quick reflash seemed to have fixed it. Going to change the default root password this time and I won't DMZ it again.

Sent from my SM-G935F using Tapatalk
38049e4c3aa62887e6be6b454955247e.jpg
 
Might help if you explained what they are doing?

They are opening ports on their routers to view outside of network. Some say they have secured it but some still manage to get in.

Best thing is to not try to view outside of network.
 
Opening the ports of the router or setting DMZ to enabled in the router and then pointing it to the box to gain access from outside of the house / local network.

Without changing the security on the box first it lets every man and his dog into the box to steal the line, set up a mail server using the box or anything else the box is capable of doing.

At the end of the day the boxes are running Linux so it would be like setting up a server and not securing it. Quite quickly you will be hacked.
 
They are opening ports on their routers to view outside of network. Some say they have secured it but some still manage to get in.

Best thing is to not try to view outside of network.
:) Much better and totally agree, although sometimes people have to port forward for a number of reasons. There was a thread earlier on the forum about someone having issues with the net and getting closed down because of constant spam being sent from a source within his connection, I would bet my bottom dollar it's the same thing as here.
 
Yeah, he was on VM I think. They are prone to a certain virus that adds a file to the root directory, can't remember the name of it.

Sent from my SM-G925F using Tapatalk
 