[kwlug-disc] Rogers says (said) I have a virus! Check your D-Link routers.

[B. S.]

So I get a voice mail from Rogers saying I have a virus (nonsense!) and that if I don't contact them they'll shut down my internet within 48 hours - I could be affecting my neighbours, yada, yada. From 1-888-764-3771. Right!

Went to Rogers website and was eventually able to dig out internet technical support number at https://www.rogers.com/web/content/contactus-technical-support, 1-855-381-7838.

So called, hit a few buttons to get to the right department, provided details to verify who I was / right account, and was able to talk to a human. I got lucky in that this particular person had some computer savvy, not the normal complete dunce, nor, sadly, someone who -really- knows what they're doing.

Apparently there have been some DDNS attacks going on, via UPnP / SSDP bug, and D-Link routers, such as my DIR-857, are known to have the problem.

Now why UPnP / SSDP would EVER be allowed to be exposed to the public internet, let alone hidden / no way to shut off from the interface is beyond me. Strike one for D-Link - off my shopping list they go.

Going to support.dlink.com as told revealed nothing, but a search on 'rogers ssdp d-link' got me to SANS: Malware FAQ: Microsoft Windows UPnP vulnerabilities (search SSDP for relevant bits) - useless (not being Microsoft!, myself) but germane. More importantly it got me to http://support.dlink.ca/FAQView.aspx?f=sY5vcvfAuAV6bXgi%2F8WoVw%3D%3D [If you got a call from Rogers ...] - i.e. This is all 'real' - the original voice mail message wasn't spam.

Follow the bouncing ball and you'll get to http://upnp-check.rapid7.com/ where you can check whether you're affected. (Router exposing SSDP via UPnP and vulnerable to malformed packets.)

So, just a heads up to everyone:

Apparently some routers silently expose your internal SSDP (UPnP devices) interface - you may want to check with the rapid7 link and upgrade your firmware.

Note also that you may experience as I did that the latest downloadable firmware is the version your router page is showing you you are already running. Diff showed binary differences comparing my current firmware against the just downloaded one (beta, no less!) - but no version number change. Post-update firmware date did show a change from something in 2013 (IIRC), to this past summer.

YMMV.

P.S. If people didn't know, you can get a setting put on your Rogers account where when their scans show a problem, their scan log is automatically sent to your (additional) on file e-mail address. But you have to call and specifically request it. Without it, of course, you have no idea what nonsense they think they've found, so can't combat the 'have you run a virus check' hurdle you can't get them over. (What part of 'Linux' do you not understand, Rogers? <sigh>)

- never mind I was supposed to have received a warning e-mail (didn't), nor ever seen a log, only that you definitely will never see one if you don't ask. [Asking the rep to have security send me a test e-mail to verify they can get through got me nowhere, but that's another story ...] I found this (additional) out in the past when a friend got hit, but they couldn't send the logs after the fact, being gone from their history - if you're going to get the logs, they have to know to save them at time of scan.

GL&HF