You can think what you want about Swisscom, but in all cases that I know of, the suspensions due to suspicious activity were, without exception, completely justified. Swisscom was also always very helpful and willingly passed on all available information to help find the cause. If you get infected with viruses on the Internet, you may have to pay a professional to get it sorted out.

Of course, you can also try it yourself and, for example, in this case if you have a Mirai infection, you can reinstall all your Windows computers. You’ll definitely learn a lot. But you could have saved yourself if you had [informed yourself](https://de.wikipedia.org/wiki/Mirai_(Computerwurm)) beforehand.

It cannot be Swisscom’s job to explain every step to solving the problems they have created to laypeople. It is not without reason that there are professionals with many years of training and experience in this field who earn their living doing this. There are now cyber insurance policies for private individuals specifically for such events.


Have you tried turning it off and on again?

Hello everyone

The culprit could easily be an Android phone or tablet.

If you had installed a program there from a dubious source.

(WhatsApp as a tablet version. That doesn’t exist officially, but certain clever people have written such an app, so it makes more sense just by sending messages.)

Or you got a VPN software that is free, but it sends spam in the background, and that’s why it’s free for the customer, because the provider gets paid for sending spam.

I just want to ask for help, you may be using such a device and haven’t thought of it yet.

And by law every ISP has to block the connection if it is misused. If they don’t do it, the ISP’s ranking will be downgraded and the ISP wants to avoid that at all costs.

Greetings Lorenz


All I can say is: The virus scanners recommended by Swisscom are chargeable after a short trial period at the latest and reported in unison that my systems were clean. It’s not just the layperson who starts to spin when Swisscom’s Internet connection is blocked again despite serious scans…


@SC-Client

Swisscom is just playing the role of reseller of F-Secure for a product that is now actually superfluous anyway.

I would save these costs immediately, because the security from Microsoft itself has proven itself very well in the meantime and as soon as you install a third-party product, the manufacturer’s security provided by Windows 10 itself is largely switched off and you are also messing with the operating system’s core competencies, which can then result in further collateral damage that is difficult to understand.

I still have a few lifetime licenses for virus scanners that I have long since taken out of circulation, including several test winners in the scanner business.


Hobby nerd with no economic ties to Swisscom


PowerMac

Anyone who can read has a clear advantage. Firstly, after the second shutdown of the internet connection, I immediately commissioned my IT specialist, who has owned an IT company for 25 years, to check the devices and set them up again. Except these Smart TV devices and WiFi Bose boxes were not made because Swisscom was also convinced that these devices could not be the ones. However, I then reset these devices myself. As a loan, I dared to stick a paper clip in the hole and perform a reset and then get it working again with the latest firmware. Swisscom is my contractual partner and it cannot be the case that I, as a customer, contact Melani about the problem and get more detailed information on how and why. It is unlikely that you will have a direct contact person at Swisscom. Every employee has to read up on the case and in the home office they don’t have any other options than I have in the customer center with expert mode. It also annoys me when cooking pots clink and children’s screams can be heard in the background. This does not speak at all for serious customer service. Regardless of whether I got myself into something or not. Google spits out a few such cases, which ultimately turned out to be error messages.


Android cell phones and tablets can of course also do bad things, but this is rather rare. The main suspect is and remains Windows, and here it is mainly the older versions.


As mentioned, I don’t connect my iPad or iPhone to the home network. This means that these devices have their own IP and these connections have never been blocked.

Just always have an internet connection via PC. And that too with a brand new system that was freshly purchased in January. Specifically, the internet connection was blocked before the new device and also with the new device. Whenever I entered the address directly without https in the browser, whether Firefox or Internet Explorer. So example sbb.ch. 50 times went well then I was blocked again. However, when I entered sbb in Google despite being blocked and then clicked on the link that just generated a https://www.sbb.ch/de/ I came despite being blocked by Swisscom.

Since I tried everything to get to the bottom of the error, I of course also bought paid VPNs from Kaspersky and CCleaner. However, I have since uninstalled it following your advice. Regardless of whether I had these tools or not, I was blocked by Swisscom.

I received a report from Swisscom. However, no concrete information. For me, probably doesn’t mean certain. A technician sent me the following message while we were on the phone. So no fake email

******************************************

          Email

******************************************

 Attachment Reason for Barring

******************************************

You are receiving this email because you are registered in our system as a contact for AS3303 or because your email address is registered with RIPE as an abuse contact for AS3303.

The National Center for Cyber Security (NCSC) has been notified by a partner of one or more Internet of Things (IoT) devices on your network that have most likely been compromised by hackers and are now being used for malicious purposes. Attached you will find a list of affected IP addresses that have been reported to us in the past 24 hours.

The affected devices were most likely infected with a malware called Mirai through the use of a default password.

We recommend that you identify the affected devices or customers and secure and clean them up (e.g. by resetting the device to the factory settings). You can find an overview of NCSC recommendations regarding IoT devices on our website.

Security in the “Internet of Things” (IoT):

https://www.melani.admin.ch/iotsicherheit

01/29/2021 10:50:59 +0000,111.11.111.11 (IP was changed)

******************************************

 Attachment Lookup Information

******************************************

Lookup with 111.11.111.11 (IP has been changed) and date Fri Jan 29 10:50:59 GMT+00:00 2021

******************************************

          Info mail

******************************************

And I took all of these measures. And as mentioned, have it checked by an IT company.


Yes, I’m slowly leaning towards your statement that only Windows protection should be installed. But that’s exactly what takes courage. I wanted to take out cyber insurance. But I don’t think a 1000.00 deductible and insurance in the event of damage is the right way either. I don’t want to let any harm come to it. Apparently it caught me despite the precautionary measures. I have absolutely no illegal software installed. Bought everything. I also don’t hang around on relevant websites. And I don’t have any exotic set in my network. I think it’s normal

- 2 Windows PCs with the latest Windows 10 operating system

- 1 NAS from Synology 218x with Antivirus Essential

- 3 TV devices, 2 of which are Samsung Smart TVs with new admin passwords

- 3 DCS-2670L Cam for monitoring the environment, some connected via WiFi

- 4 Bose speakers Soundtouch 10, 20, 30, some connected via WiFi

- 3 WiFi amplifiers from Swisscom

- 1 Internet box from Swisscom

- 2 TV boxes from Swisscom

- 2 telephone connections with 2 sets

Except for the Swisscom devices, all devices were reset and reinstalled.

I don’t think I can do more.


@vormirdieSinflut I can very well understand that you are frustrated. Having paid 1,500 francs to an IT company to reinstall Windows computers after a suspected Mirai infection would really annoy me personally.

I’m sorry to have to write this, but if the IT company has the same information that you wrote here for us and then starts destroying the Windows computers, then they don’t have a clue about IT security. Worse still, you apparently didn’t even bother to click on the link and at least read up on the topic of IoT security.

Selling PCs for 25 years is obviously not the same as having a clue about IT security. Sorry.

But the point here is to find a solution for you. My tip: give the IT company hell so that they should finally use the lever in the right place for the good money they collect. Or else they should refund you the money. The cause is most likely not the Windows PC, but rather one of the devices described under the link mentioned.

An IT security professional can usually detect something like this in a few minutes with a switch with port mirroring, a packet sniffer and a good dose of specialist knowledge. For significantly less than 1,500 francs.


Have you tried turning it off and on again?
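Added example, not part of any post in this thread: a sketch of the check a packet sniffer on a mirror port makes possible, flagging a LAN device that sends connection attempts to many different Internet hosts on the telnet ports Mirai's scanner probes (TCP 23 and 2323). The record layout, LAN range, thresholds and sample traffic are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range
TELNET_PORTS = {23, 2323}                     # ports probed by Mirai's scanner
WINDOW_S, THRESHOLD = 60, 20                  # assumed tuning values


def find_telnet_scanners(flows, window=WINDOW_S, threshold=THRESHOLD):
    """flows: (ts_seconds, src, dst, dst_port, flags), flags "S" = bare SYN.
    Returns {lan_ip: most distinct external telnet targets in one window}."""
    per_host = defaultdict(list)
    for ts, src, dst, dport, flags in flows:
        if flags != "S" or dport not in TELNET_PORTS:
            continue  # only new connection attempts to telnet ports
        if ipaddress.ip_address(src) not in LAN or ipaddress.ip_address(dst) in LAN:
            continue  # only LAN -> Internet; internal telnet is not the signal
        per_host[src].append((ts, dst))

    suspects = {}
    for src, events in per_host.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= threshold:
            suspects[src] = best
    return suspects


def sample_flows():
    """Constructed traffic: a scanning camera, a browsing PC, one NAS login."""
    flows = []
    for i in range(40):  # camera: 40 SYNs in 20 s to 40 different addresses
        port = 2323 if i % 5 == 0 else 23
        flows.append((i * 0.5, "192.168.1.50", f"198.51.100.{i + 1}", port, "S"))
    for i in range(30):  # PC: HTTPS to three servers
        flows.append((i * 2.0, "192.168.1.10", f"203.0.113.{i % 3 + 1}", 443, "S"))
    flows.append((5.0, "192.168.1.10", "192.168.1.20", 23, "S"))  # internal telnet
    flows.append((6.0, "192.168.1.20", "203.0.113.9", 23, "S"))   # one external telnet
    return flows


if __name__ == "__main__":
    print(find_telnet_scanners(sample_flows()))
```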

Power MAC

Yes, I was already advised about such sniffers by Swisscom. I also reported this to the IT company. But they wanted to put an expensive device in front of the Swisscom router and charge an annual fee of around 600.00 from 3 years onwards. I’m a micro-business and can’t afford that. What kind of one-man business requires such a huge amount of effort? I think I’m the exception. I also have the Office solution Business 365 and no student license.


DCS cam and Bose boxes were reinstalled with hard reset and the latest firmware.

All WiFi passwords reset.

As Swisscom told me before the last blocking, there will be new firmware on the Swisscom Internet boxes from February onwards, where the infected devices will be marked with a red beetle in the network technology. When asked, my Internet box was on the latest firmware version. During the last blocking, however, another employee told me again that my Internetbox 3 was not yet equipped with this firmware. You can see how I as a customer have to deal with these statements from Swisscom.

I will now wait until I am blocked again. Maybe they’ll install the latest firmware on my Internetbox 3.

If not, I’ll switch to another provider with all subscriptions. Of course, with prior assurance about what the new provider will do with such a situation.


@vormirdieSinflut Forget the internet box and the red beetle function for a moment. This can also be done differently:

Unplug the WiFi cameras, smart TVs and Bose boxes.

Then work with your computers for some time and see if the lock comes back (probably not). According to your description, this should be clear after just a few minutes.

Then reconnect the smart TVs to the network and continue watching for some time.

Then the Bose speakers, and watch again.

Finally, put the WiFi cameras into operation. If the ban comes again, my suspicions would have been confirmed.


Have you tried turning it off and on again?

And what do you mean by some time?

1 day, 2 days or over weeks?

Can I do more than reset these devices? I actually don’t want to buy new ones.

Your tip with a switch with port mirroring, a packet sniffer, can you tell me a reputable device or tool. There are so many on the internet that I don’t dare install. Of course I won’t do it myself anyway, but I’ll make it a suggestion to the IT department.

I could still understand why it hit the smart TV because they had a default password. Like probably 99% in this world. But the cam works over WiFi with the WPA2 settings and I also reset all the passwords there. I will follow your advice and take the cams off the network for now.


@vormirdieSinflut

The reference to IoT devices such as web cams is quite clear, so just throw them off the internet for 1-2 weeks and when the problem goes away, the case is clear.

You probably also have UPnP activated on your router, with which every client in your network can easily activate additional ports on the Internet box.

In your situation, I would immediately uncheck the UPnP box.

We can keep puzzling about offshore here for a long time, but like my colleagues, I would bet on the cameras first as a lottery tip.

The Windows 10 PCs are extremely unlikely to be the villains.

You should simply believe us that you should not expect any help from the Internetbox firmware in this topic for malware detection in the local network, at least in the next few months, regardless of what support has suggested to you.


Hobby nerd with no economic ties to Swisscom

Hello Werner

I will follow this and take the cams off the network.

So allow automatic port forwarding (UPnPIGD) is activated for me. You mean I should deactivate that?

As mentioned, I also switched the firewall to strict so that I don’t have all ports open.


@vormirdieSinflut wrote:

> And what do you mean by some time?
>
> 1 day, 2 days or over weeks?


How long did it take between unblocking your connection and blocking it again? As you described, it was clear in just a few minutes. In that case I would wait an hour and then put the next device into operation.

> Your tip with a switch with port mirroring, a packet sniffer, can you tell me a reputable device or tool. There are so many on the internet that I don’t dare install. Of course I won’t do it myself anyway, but I’ll make it a suggestion to the IT department. […]


Well, my “ingredients list” was: switch with port mirroring, packet sniffer and - most important of all - a good dose of specialist knowledge. And since the IT company you hired doesn’t seem to have the latter, a switch and packet sniffer won’t help either.

A professional doesn’t have to buy a switch and install a packet sniffer because he already has such equipment.

But now at least take the webcams off the internet and see if that solves the problem.


Have you tried turning it off and on again?

UPnP on the router allows all clients, including your cameras, to open any ports on the router without your explicit consent so that they can be accessed from the Internet.

I would actually recommend that everyone deactivate this purely convenience function, but of course especially in your situation.


Hobby nerd with no economic ties to Swisscom

Yes, now I have deactivated that. That’s actually the purpose of the CAM, that you can access the cams via DS cam from your iPhone while on vacation to see whether everything is going well. But as I said, I’ve now taken it off the network and if that’s the problem, you should actually hold the manufacturer of these cams responsible.

I forgot to list the printer. This automatically reports the meter reading to the Sharp company because I have a service contract. There’s probably a port like that open there too. 😞

I hope that because of the lively chat here I won’t be labeled as spam or something else and blocked again. So now I wish everyone involved a good night. Thanks everyone for now. I’ll report back what’s going on
