
zyxel command injection cve-2023-28771

I have been getting intrusion attempts "zyxel command injection cve-2023-28771" for the last week that Norton has been blocking.  I'm not using any zyxel products.  How do I stop these attacks from continuing?  They are becoming more frequent.

Replies

Re: zyxel command injection cve-2023-28771

You cannot stop someone from trying to access your IP address. Your Norton has blocked the attempts to connect and that is all that you need. 

If the attack is aimed at zyxel products, if you have none of those there is no threat to your system.


Re: zyxel command injection cve-2023-28771

I've asked this same question. It is a daily attack, so they are pretty persistent. I've been blocking the IPs but they keep coming back with different IPs. I'm grateful that Norton has blocked it, but the daily nature of this is frustrating. Their persistence might win out sooner or later.

What I found out online is that this apparently relates to a Zyxel driver being compromised and Zyxel has an updated patch to resolve it. It affects their firewall software, advanced threat protection software, VPN software, and I have no idea what the USG Flex product is. Zyxel security advisory for OS command injection vulnerability of firewalls — Zyxel Community

Nothing I have is Zyxel, I use Norton for Firewall, and for VPN, and as far as I know all my threat protection is through that. So that leaves whatever Flex is, or maybe the unused software for security that came with the computer is still there but dormant. Until I can figure out what driver needs updated I'm stuck.

I did a search of all my drivers, but it does not list by publisher and Zyxel is not in the driver name apparently. I selectively tried different devices and so far nothing uses a driver published by Zyxel. Ought to be a better way to find out.

Starting to suspect it is the internal driver for one of my routers, but I have no idea how to see what the drivers are for those external devices. I suppose I ought to find out how to update my firmware for all my routers and such.

Maybe this info gives you an idea what to look into next. If I find out anything I'll share it with you, and would appreciate if you do likewise.


Re: zyxel command injection cve-2023-28771

Thanks for your informative reply.  These attacks started out daily about a week ago but they are getting more frequent for me.  Yesterday, I got 2 and today I already got 3.  I have since blocked the IPs that they are coming from but from reading your post, it is just a temporary solution. 

I also do not have any Zyxel products and have found the same information you have while looking for help online.  I don't even have a router.  Just a modem that I use to connect online.  I think it would be a good idea for you to update your router's firmware, even though it isn't a Zyxel.

I hope you're able to find a way to stop these attacks and will share.  I will definitely do the same.

To the poster who told me there's nothing I can do and since Norton is blocking the intrusion attempts, I have nothing to worry about, I have to disagree with you.  About 5 years ago I experienced something similar.  I was getting a virus attack that became more and more persistent.  Norton was blocking them all but it was using so much of my computer's resources that my computer became so slow that it was unusable.  I ended up having to get a new PC.


Re: zyxel command injection cve-2023-28771

I'm having the same issue. No Zyxel products on my computer. Daily intrusion notifications; intrusion blocked; no action required.

Question: Could the source of the problem be previous networking with a computer that uses a Zyxel firewall or router?


Re: zyxel command injection cve-2023-28771

@TinaH @skeeterj ebersole This command injection issue will come from a "botnet" where the sender will have the ability to use different IP addresses that have already been compromised. Below I linked the issues that were patched yesterday with the MS June release. There are tons of related issues this botnet could be looking for to exploit. Have you guys patched? Please review:

https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2023-patc...

- Were there ever any Zyxel software, other VPN software installed at any time which has since been removed?

- Can you ascertain whether your ISP is using a Zyxel solution within THEIR network? 

- Has your ISP device had its login credentials changed from the factory default? Is there a firmware update available for it? 

Can either of you provide and post a screenshot from your Norton history where this is blocked? Make sure you select "more options" in the right hand details area and get that screenshot for us to review. Here is how to post a screenshot:

https://community.norton.com/en/forums/how-post-image-forums-0

SA

MS Certified Professional : Windows 11 Home/Pro 23H2 x 64 build 22631.3155 / Windows 10 Pro x 64 version 22H2 / build 19045.4046 / Norton Security Ultra / Norton 360 Deluxe ver. 22.24.1.6 / Opera GX LVL5 (core:106.0.4998.76) 64 bit-Early Access w/Norton Chrome Extensions / Android 14 One UI 6.1

Re: zyxel command injection cve-2023-28771

@SoulAsylum I have taken a screenshot for you to review.

Thank you for letting me know about the latest MS update.  I am updating that now. 

One of the first things I did when I started getting these attacks was contact my ISP technical support.  I thought that since I'm not even using a router, just a modem that they provide for me, that the modem might be the culprit.  The person I spoke with assured me that that's not how a modem works and they don't use anything Zyxel on their network.  He said the problem was with the PC and they couldn't help me with that.

Your question about whether there was any Zyxel software that was installed in the past and has since been removed on my PC makes me wonder.  My PC is an off-lease refurbished one that I bought from a local computer shop.  I've had it for 5 years and never had any problems with it until now.  How would I find out what was installed in the past but has since been removed?  I'm afraid I'm not very tech savvy.

Thanks for your reply and any additional help you may have.


Re: zyxel command injection cve-2023-28771

@Sam J. 

That's a good question.  Unfortunately I don't know how to find out what was installed on my PC in the past and has since been removed.


Re: zyxel command injection cve-2023-28771

Your ISP may have given you the old snowball answer about the modem they provide you with. Can you tell us what the manufacturer of your modem is and what model it is? That information should be on the router itself and visible. I would like to look up a few things to possibly determine if your modem is the actual attack vector.

The IP address 109.207.200.44 in your screenshot traces to Ukraine as shown in the URL below. More likely than not there is a nation state sponsor behind whatever is going on:

https://www.ip-tracker.org/lookup.php?ip=109.207.200.44

As far as determining what software has been installed and removed on your devices, that is basically fishing for a needle in a haystack. Conversely, software most times leaves rogue files that can be removed if done properly; it should state what the software was and used for when it is detected for removal. I often suggest using CCleaner to declutter a hard drive of files that are just taking up space and can cause issues down the road over time when left. You can get a "free trial" at the link below. Please let us know what you find so we can help further.

https://www.ccleaner.com/

SA


Re: zyxel command injection cve-2023-28771

@SoulAsylum

The modem I'm using is a Comtrend CT-5072T https://us.comtrend.com/ct-5072t/

I have CCleaner and have looked there for a list of applications installed on my PC.  I also have Revo Uninstaller and looked there as well.  I don't see anything from Zyxel in either program.

Thanks for your help.


Re: zyxel command injection cve-2023-28771

I have been dealing with the exact same thing starting on June 11th.

These "Zyxel Command Injection Attacks" coming from IP 109.207.200.47 and 109.207.200.44 were happening a few times at first and then increased to over 40 times a day.

Norton told me I don't need to take any action and also said it is pointless to even add a new Traffic Rule to block this specific IP in my firewall settings. 

I am wondering if they are correct, because if one specific IP address is hammering you over and over, surely there is a way to stop these attacks permanently?  

1. Would it help to report this to US Cyber Security or to contact my ISP?

2. I am tempted to hit "STOP NOTIFYING ME" so I don't see these notifications every ten minutes, but then I'm concerned that I might miss an important notification about this issue.  Would you select "STOP NOTIFYING ME"?


Re: zyxel command injection cve-2023-28771

I too have been having the same issue since a couple of days ago. Constant Zyxel Command Injection CVE-2023-28771 IP attacks from certain foreign addresses targeting certain ports like listed above.

I have formatted my PC and reinstalled Windows twice (the attacks also started to happen on my brand new laptop that has Norton installed on it after I connected it to the network), called my ISP and they confirmed that they do not use Zyxel equipment and haven't noticed any malicious activity. I do not have my own router (broadband is part of rent and distributed individually through Ethernet from a central cabinet to all apartments), so I called my maintenance service as suggested by the ISP and they checked and confirmed that they too do not use any Zyxel equipment and have not yet received any complaints about this type of issue, and according to them there's no possibility that the attack could spread from any other apartment.

I'm personally running out of options and that makes this quite a stressful situation. Only reports online at the moment about this kind of issue are few and pretty much Norton product related, so is there a chance that this is a recent bug in a Norton product?

I don't know much about the subject, but there are also a few government buildings in my area, so if a botnet would try to attack them, could they also summarily probe at my ip?


Re: zyxel command injection cve-2023-28771

Same here, always from 109.207.200.44.

I sent a mail to the ISP tied to the attacking IP in Ukraine recently so hopefully they take action and the attacks will stop eventually. I'm so sick and tired of this. 20+ attacks yesterday, 20+ and counting today.


Re: zyxel command injection cve-2023-28771

Just to add to the list, I am also experiencing these attacks from the same IP as above. Has been going on multiple times a day for the past week. It has happened to both computers in my home (one on WiFi on a router and one wired directly to my modem). I have no Zyxel products, nor does my ISP as far as I'm aware. Norton has successfully blocked the intrusion attempts on both PCs, and scans from both Norton and Malwarebytes have detected nothing on either computer. Happy to provide any additional information that may help.


Re: zyxel command injection cve-2023-28771

Same here. Once from 193.32.162.190, other attacks from 109.207.200.44. I've contacted my ISP, they don't use Zyxel devices. Now I'm testing a connected mobile phone (as USB modem); after 3+ hours zero attacks. I'll continue testing.


Re: zyxel command injection cve-2023-28771

All: Your ISP SHOULD be filtering port 500 as most ISPs generally do as a rule related to VPN usage.

Are ANY of you using a third party VPN OR other software that requires UDP port 500 to remain open to function? 

Do any of you NOT have NAT transition enabled on your modem / routers firewall settings? If so enable it and reboot the modem or router. Additionally, IF your ISP does NOT require IPV6 to be enabled disable it as well. 

Check the setting below within your Norton product. This won't stop the attacks from happening but will at least slow down the frequency of notifications.

Also ensure you open the "General Settings" tab and have "stealth blocked ports" as enabled.

SA


Re: zyxel command injection cve-2023-28771

All:

You need to realize that these attempted attacks are not targeting you personally. They are bots that hammer as many IP addresses as they can looking for a system that in this case will have a Zyxel device on their network. If you do not have any of these devices on your personal system, you have nothing to worry about. If you do, as you have seen, your Norton has blocked the attempt. So again you have nothing to worry about.

Given time, these attacks should stop as the attackers realize that there is nothing at your IP address.

There is nothing Norton can do to stop the attackers from trying to access your system.

1. Would it help to report this to US Cyber Security or to contact my ISP?

This might be the best course of action.


Re: zyxel command injection cve-2023-28771

Peterweb,

So in other words 'they' (via their bot) are sending this Zyxel exploit broadly to huge batches of IPs not knowing which, if any, use a Zyxel product. Norton is blocking it, but only computers using one of the affected Zyxel products are even at risk from this particular exploit anyhow? Is that right?

So basically this just serves as a reminder to do what we all ought to periodically do anyhow, which is make sure all our devices have the latest updates, and to check our settings on everything for the best practices in regard to optimizing protection.

Thanks everyone for your input and advice on what to check and change.


Re: zyxel command injection cve-2023-28771

skeeterj ebersole:

Peterweb,

So in other words 'they' (via their bot) are sending this Zyxel exploit broadly to huge batches of IPs not knowing which, if any, use a Zyxel product. Norton is blocking it, but only computers using one of the affected Zyxel products are even at risk from this particular exploit anyhow? Is that right?

Correct.

So basically this just serves as a reminder to do what we all ought to periodically do anyhow, which is make sure all our devices have the latest updates, and to check our settings on everything for the best practices in regard to optimizing protection.

This is also correct. All users should always endeavour to ensure all software and drivers are up to date to protect against new malware.

Thanks everyone for your input and advice on what to check and change.


Re: zyxel command injection cve-2023-28771

Everyone. My last post was/is just informative that there are some things you can do that will possibly prevent the intrusions at your modem/router level, due to ISPs not actually doing their professional job to protect customers. As peterweb also said, there are "probes" looking to find any avenue possible into other routers with the intention of adding to their botnet. Norton is stopping the intrusion attempts at its level. My view is, your ISP should prevent it at their level.

SA


Re: zyxel command injection cve-2023-28771

Dear 

My laptop computer was also attacked by the same intrusion attempt, coming from 109.207.200.44 or 109.207.200.47, from 14 June 2023, and the problem still exists today. I have not used any Zyxel products.

I am trying your suggestion but in the Intrusion Autoblock page, I cannot enter the attacking IP as the row was frozen. 

I wonder whether many Norton users are encountering the same problem this week.


Re: zyxel command injection cve-2023-28771

@SoulAsylum

I am not using any type of VPN.  Just Firefox browser and I just checked to make sure it has the latest update.  I have no idea if I'm using any software requiring UDP port 500.  How would I check that?

When it comes to my modem settings, I have no idea what the settings are.  I assume they are set by my ISP.

I totally agree with you that ISPs should be doing something about stopping these virus attacks at their level but when I had contacted my ISP, they basically told me it had nothing to do with their end and were absolutely no help to me at all.

If peterweb is correct and these attacks aren't personal, then why aren't I and others that have posted here complaining about all the other probably millions of bots that are looking for computers to compromise?  We all seem to have just 1 (Zyxel) that is constantly attacking us.

If peterweb is correct, and that these attacks will stop when the attackers realize that there is nothing at our IP addresses, then why are other posters complaining that the attacks have in fact increased in frequency instead of stopping or dying off.

Thanks SA for your help and suggestions to help us deal with this instead of saying there's nothing we can do and don't worry about it.


Re: zyxel command injection cve-2023-28771

That is not the right place for adding a permanent block.

Open your security tab, at the top of the window click on a settings gear icon. There choose firewall, at the top tabs on firewall you want to go to traffic rules. Search for an item in the rules that says block known attacker and add the IP address to a list there, or create a new item for block known attacker if you don't have an existing one, or wish to track it separately.

(Edit, that is what I found I had to do, but it took some time to figure that out. It was not easy to find or get to the first time around)


Re: zyxel command injection cve-2023-28771

Tina you are most welcome. Skeeter, you don't want to indefinitely block port 500 since there are things that require it to work properly. Otherwise I would have suggested a traffic rule earlier. Blocking port 500 will cause some VPNs and other software not to properly function as they are intended. It's a personal choice though. Just trying to help where others say it's not possible.

SA


Re: zyxel command injection cve-2023-28771

I was not suggesting it for blocking the port, which I haven't done, I was suggesting it for blocking specific IP addresses. So far I've been adding the attacking IPs to it, but there are no end of new ones they can use to keep it up, so it is a bandaid and not a long term solution.


Re: zyxel command injection cve-2023-28771

I at least want to stop this popup and let it go to the logs. I set it to not show me, not notify me any longer and go to logs only, but Norton refuses and continues with the popup for the Zyxel garbage. How do I stop the Norton popups 1000x a day? I don't think anyone has been helped, and maybe what all us poor souls want is to stop the popup from Norton.


Re: zyxel command injection cve-2023-28771

As far as stopping the Norton notifications, you can select "STOP NOTIFYING ME" when these "threat blocked" messages appear.

I was questioning the wisdom of doing so just in case a more important message relating to these attacks ever happens, but I'm not sure.

I'm just wondering, how did these hackers get our IP addresses?  I haven't been using a VPN, but really I don't know how my IP address would be public?  I play a lot of chess on the internet on public sites, could they maybe have gotten it that way?


Re: zyxel command injection cve-2023-28771

@WOPR From what I understand these are bots that are scanning for vulnerable computers to attack.  Scroll up to the first post by SoulAsylum for his/her explanation. 

So my question is, if we aren't using any Zyxel products which these particular bots are scanning for, what do we have on our computers that they are finding and are trying to exploit?

I just don't accept peterweb's explanation that it's all random attacks because we would all be bombarded with notifications of tons of attacks from different viruses.  I believe the reason we're not seeing notifications of other attacks is not because they're not happening, it's because our computers are patched up with the latest updates from MS and other companies.  If we actually were using a Zyxel product, then the solution would be to get the latest patch/update and everything would be fine.  The problem is no one here is using any Zyxel product so we can't apply the patch to fix the problem.  I'm thinking the only way to stop these attacks is to get a Zyxel product, make sure it has the latest update and then use it !


Re: zyxel command injection cve-2023-28771

I sent a copy of numerous intrusion events to "abuse@maximuma.net.ua" which is listed as the abuse contact for Domain 109.207.200.xx.  If "Maximuma.net.ua" isn't a complete scam, I may get a reply back or the internet provider may stop the accounts associated with 109.207.200.44 and 109.207.200.47.  We'll see . . .


Re: zyxel command injection cve-2023-28771

@Ronald McDowell

The problem I'm running into now is that I have already blocked those 2 IPs that you mentioned.  I stopped receiving attacks for about a day.  They have then started again, now I'm getting attacks from 109.205.213.30.  I know that if I block this one, they will just attack using another compromised computer.


Re: zyxel command injection cve-2023-28771

I used to manage security issues on a small UNIX system.  About 75% of the time, I was able to get internet providers and subnets to stop users who were making attacks.  But that was predicated on the "abuse" contacts being honest and nobody "spoofing" ip addresses.  So far, I've had no response from "abuse@maximuma.net.us."  My next option is to stop all inbound traffic from Domain 109.... I've experienced these types of attacks escalate to the point where they became so numerous and frequent that internet access slowed significantly or stopped.

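The two posts above raise the practical question of rule scope: block each attacking IP as it appears, or block the whole 109.x range. The script below is an added example, not code from any poster, that works that decision out from a batch of exported "intrusion blocked" events. The sample lines and their CSV column layout are constructed for the example (Norton's real Security History export is laid out differently, so the column names would need adjusting); the source addresses are the ones reported in this thread. It counts hits per source IP, per /24 and per day, reports whether the daily rate is rising, and suggests CIDR rules only when the sources cluster into a few networks, since chasing single IPs is the band-aid the posters describe.

```python
"""Triage exported IPS 'intrusion blocked' events for one signature.

Added example for this thread, not Norton's or Zyxel's code. The CSV layout
below is an assumption; change the column names for a real export.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export. Column layout is an assumption, not a real
# Norton format. Source IPs are the ones posters in the thread reported.
SAMPLE_EXPORT = """\
timestamp,category,signature,remote_ip,remote_port
2023-06-14 09:12:03,Intrusion attempt blocked,Zyxel Command Injection CVE-2023-28771,109.207.200.44,500
2023-06-14 21:40:11,Intrusion attempt blocked,Zyxel Command Injection CVE-2023-28771,109.207.200.47,500
2023-06-15 02:05:59,Intrusion attempt blocked,Zyxel Command Injection CVE-2023-28771,109.207.200.44,500
2023-06-15 08:33:20,Intrusion attempt blocked,Zyxel Command Injection CVE-2023-28771,193.32.162.190,500
2023-06-15 17:01:44,Intrusion attempt blocked,Zyxel Command Injection CVE-2023-28771,109.207.200.44,500
2023-06-16 00:10:02,Intrusion attempt blocked,Zyxel Command Injection CVE-2023-28771,109.205.213.30,500
2023-06-16 06:45:13,Intrusion attempt blocked,Zyxel Command Injection CVE-2023-28771,109.205.213.30,500
2023-06-16 13:20:37,Intrusion attempt blocked,Zyxel Command Injection CVE-2023-28771,109.207.200.47,500
2023-06-16 19:58:09,Intrusion attempt blocked,Zyxel Command Injection CVE-2023-28771,109.207.200.44,500
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    signature: str
    src: ipaddress.IPv4Address
    port: int


def parse_events(text: str) -> list[Event]:
    """Parse CSV rows into Events; malformed rows are skipped, not fatal."""
    events: list[Event] = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            events.append(Event(
                when=datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
                signature=row["signature"],
                src=ipaddress.IPv4Address(row["remote_ip"]),
                port=int(row["remote_port"]),
            ))
        except (KeyError, ValueError, TypeError):
            continue
    return events


def summarize(events: list[Event], signature_filter: str = "CVE-2023-28771") -> dict:
    """Count hits per source IP, per /24 and per calendar day for one signature."""
    hits = [e for e in events if signature_filter in e.signature]
    per_ip = Counter(str(e.src) for e in hits)
    per_net = Counter(str(ipaddress.ip_network(f"{e.src}/24", strict=False)) for e in hits)
    per_day = Counter(e.when.date().isoformat() for e in hits)
    ports = Counter(e.port for e in hits)
    return {
        "total": len(hits),
        "per_ip": dict(per_ip),
        "per_net": dict(per_net),
        "per_day": dict(sorted(per_day.items())),  # ISO dates sort chronologically
        "ports": dict(ports),
    }


def trend(per_day: dict[str, int]) -> str:
    """Compare the last day's count with the first: rising, falling or flat."""
    counts = list(per_day.values())
    if len(counts) < 2:
        return "insufficient data"
    if counts[-1] > counts[0]:
        return "rising"
    return "falling" if counts[-1] < counts[0] else "flat"


def block_plan(summary: dict, max_nets: int = 3) -> tuple[str, list[str]]:
    """Suggest a firewall rule scope.

    A few /24s covering everything: CIDR rules are cheap and survive the
    attacker rotating hosts inside the same range. Many networks: per-IP
    rules are whack-a-mole, so rely on the IPS signature already blocking them.
    """
    nets = summary["per_net"]
    if 0 < len(nets) <= max_nets:
        return "cidr", sorted(nets)
    return "none", []


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_EXPORT))
    print(f"{s['total']} hits, ports {s['ports']}, trend {trend(s['per_day'])}")
    for net, n in sorted(s["per_net"].items(), key=lambda kv: -kv[1]):
        print(f"  {net:<20} {n}")
    print("rule scope:", block_plan(s))
```

On the constructed sample this reports 9 hits, all on port 500, a rising daily count (2, 3, 4) and three /24s, so it recommends CIDR rules for those three networks. Point it at a real export and the `per_net` count is the number to watch: once it keeps growing, stop adding rules and let the IPS do its job.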

Re: zyxel command injection cve-2023-28771

@Ronald McDowell

I hope this time will be part of the 75% of the time that you're successful in getting ISPs to do something about these attacks. 

This is probably a dumb question but if you block all inbound traffic from a certain domain, wouldn't that block access to certain sites? 

Thanks for your reply and help.


Re: zyxel command injection cve-2023-28771

I have a few more questions about these attacks, but first off I just want to thank everyone for your help and information thus far, for an issue that seems to have little practical information available outside of this topic.

First, given that this is seemingly from a botnet searching for possible holes rather than personally targeted, especially since no one here seems to have any actual Zyxel products, would it be safe to assume that there is nothing on the user end broadcasting/calling for these attacks? Since neither Norton nor Malwarebytes have detected any threats on my computers themselves, I assume I can think of my machines themselves as not being threatened, correct?

Second, since these attacks have happened to a computer connected to a separate wireless router, as well as one directly plugged in to my modem, should I be concerned in any way that my router or modem may be compromised and thus the cause of these attacks or pose a risk to any other devices on my network?

Finally, I have been looking to replace my wireless router with newer one for better coverage, prior to these attacks. Would it be safe or advised to setup a new router during these attacks or should I just wait and hope that they eventually stop first?

Again, thanks for the assistance so far.


Re: zyxel command injection cve-2023-28771

Hi all, I too have been receiving these Zyxel intrusion events. I am not IT savvy, but I always try and solve my computer problems via forums etc. 

Mine started about a week ago and the first was while watching a You Tube video someone recommended called The Awakening. Any chance any of you have watched this? It would be considered controversial. 

I have been getting these intrusion events regularly since this. It may be coincidental, but I thought I'd ask. 


Re: zyxel command injection cve-2023-28771

I checked stop notifying me, and log only, but it ignores my request. I tried that a bunch of times; stop doesn't work. That is what I already said in my post: stop doesn't work. It hasn't done it today, but for several days it ignored my stop request.


Re: zyxel command injection cve-2023-28771

btw, the ip I got for this attack abuse was at an internet service in Texas... but that means nothing as it can hop all over the world. If the law would stop messing around and go after scum we wouldn't be harassed so much.


Re: zyxel command injection cve-2023-28771

@WolfmanL 

Second, since these attacks have happened to a computer connected to a separate wireless router, as well as one directly plugged in to my modem, should I be concerned in any way that my router or modem may be compromised and thus the cause of these attacks or pose a risk to any other devices on my network?

In an earlier post I gave recommendations for users concerning their modems and routers. Check for firmware updates for your current devices and ensure the company who makes them are still supporting firmware updates. If they are not, I would replace with a more modern router that is supported. Conversely, if you are using an ISP provided device ask your ISP to assist with the latest firmware and whether they have patched said firmware against these types of attack vectors. Log into your devices and check settings and logs for excessive traffic and whether the attacks are being dinged within the firewalls that are built into these devices. 

I need to again stress the issue that your ISP SHOULD be filtering for these attack avenues so they are mitigated BEFORE you ever see them make it into your network. I would ask why they are not. Most of the vulnerable devices that MiraBot is scanning for are being used by ISPs and other large corporations. If they don't patch, don't see the internal obfuscation happening or just plain ignore it, we the consumer will see it. Corporations are driven by "policy" vice common sense. Data breaches are a dime a dozen in today's world, and it's a fact that companies tell their IT people to remain moot about breaches as well as other issues that may cost them regarding their bottom line.

SA


Re: zyxel command injection cve-2023-28771

Yes, a Domain block would be pretty extreme.  However, on my home computer, I could live with it and could always write an exception rule to allow specific sites to access me.  Still no contact from "maximuma.net.ua" . . .


Re: zyxel command injection cve-2023-28771

Since I permanently blocked two IP addresses I haven't had an intrusion attempt since the 15th. However if the problem returns perhaps I should just ask my ISP for a new IP address?


Re: zyxel command injection cve-2023-28771

Certain domains can be blocked if there is nothing you want from there. Particularly those based in certain countries that are problematic. You can also block IPs by region.

I live in Paraguay South America and for my job, working remote for a place out of Kansas, I must source parts from a variety of places. Some of the sites I need to go to block me because of my IP address location, so for those I have to access them via my VPN set to a US IP. 

Home Depot and Tractor Supply are two that won't deal with foreign IPs. Then there are other places I go to that block IPs associated with VPNs, and for those sites I have to turn my VPN off. Fortunately I've not had to do business anywhere that blocks both foreign and VPN IPs.

So there are several ways to block large segments of addresses, I don't know exactly how they do either one, I just know it is done because it is done to me.


Re: zyxel command injection cve-2023-28771

You mention the abuse is from an internet service in Texas, that is relevant to me since I'm using a Texas ISP.  Perhaps others in this thread are also, maybe you're onto something.

You said they scanned for vulnerable computers, why would I be vulnerable?  I don't think I'm even using a Zyxel firewall, the original attack said:

"The attack was resulted from a \DEVICE\HARDDISKVOLUME4\WINDOWS\SYSTEM32\SVCHOST.EXE"

Does this mean I do have a Zyxel vulnerability?

By the way, I seriously think we should consider reporting these attacks to:  

https://www.ic3.gov/Home/ComplaintChoice/default.aspx


Re: zyxel command injection cve-2023-28771

So how exactly do I safely block/ban these 2 IPs through Norton and/or Windows if needed? I don't want anything to do with them ever again:

109.207.200.44
109.207.200.47

How do I block ALL traffic from Ukraine if I have to? Let's say I do it for a couple of months and then I can remove the block later without issues, right?

Today (Sunday) I've had 25+ attacks during the past 6 hours and still no reply from "maximuma" (I don't expect any but anyway) I sent them a mail last Tuesday. I'm so effing tired of this, been going on since the first week of June.


Re: zyxel command injection cve-2023-28771

Through Norton, click on Open Device Security / Settings / Firewall / Intrusion Browser Protection. On Intrusion AutoBlock click Configure. If the 2 IPs are currently blocked by AutoBlock they will be listed. Choose Restricting instead of the 30 min default and click Apply.


Re: zyxel command injection cve-2023-28771

I have the same problem as shown above and cannot enter an IP address in the frozen window.


Re: zyxel command injection cve-2023-28771

I looked there earlier but I don't have any IP listed in the box at the bottom even though I'm getting these attacks as I'm typing this. All I have is AutoBlock On (Recommended) or Off. I have no option to manually add an IP and then perma block? No IP is ever added to that box; all I get is the pop-up warning telling me that the attempt was blocked, but they can keep spamming these attempts non-stop and I've had over 40 attempts today alone...


Re: zyxel command injection cve-2023-28771

For me the IP was listed there during the 30 minute autoblock duration and then disappeared and reappeared  from the list until the next intrusion attempt. The restriction option was available in the bottom of the list below 48 hours.  If it doesn't pop up for you maybe you should consider other options to block the IP somewhere else or contacting your ISP and ask for a new IP address.


Re: zyxel command injection cve-2023-28771

@WOPR

I'm not in Texas, I'm in Canada.  Skeeter mentioned in a previous post that he/she is in Paraguay.

@Ar0n

You can try blocking those 2 IPs if you wish.  I already have.  They just start using a different IP address for the attacks.  In my case the attacks are coming from 109.205.213.30.  I think it's a waste of time trying to block them.


Re: zyxel command injection cve-2023-28771

Is CCleaner safe to use? I was looking it up and saw it too has been hacked in the past.


Re: zyxel command injection cve-2023-28771

All: Since these are attacks that are using random IP addresses, AND, you are all living in different geo-locations, my suggestion is disable the UPnP setting in your ISP device and/or router settings. This will prevent the automatic opening of ports on BOTH those devices when scans occur. It will be an inconvenience since you would have to manually setup new devices and services, but at this point, the risk of having it enabled is greater than not having it enabled. The attacks should stop at that level. Some time ago I had an issue with my NAS where UPnP enabled for it was a backdoor into my network connecting to the NAS locally. It was firmware related. The OEM refused to patch, even to this date, so I have it offline and use it only when necessary via USB direct. Here are some other suggestions as well. 

If you turn off UPnP altogether, your router will ignore all incoming requests so you'll have to set up devices manually. This means that the router will no longer automatically open ports on your LAN, ignoring even legitimate requests

https://www.tomsguide.com/us/home-router-security,news-19245.html

SA

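Before disabling UPnP as suggested above, or to confirm it is really off afterwards, it is worth seeing what the gateway has already opened. The script below is an added example and not code from any poster, Norton or Zyxel: it multicasts an SSDP M-SEARCH for an Internet Gateway Device, fetches the device description, locates the WANIPConnection or WANPPPConnection control URL, and walks GetGenericPortMappingEntry by index until the router answers with the SOAP fault that marks the end of the table. The addresses and XML fragments mentioned in comments are constructed; nothing here is specific to any vendor's router. If the discovery times out, either UPnP is disabled or the gateway is not on your segment (for example behind a separate router, as one poster describes).

```python
"""Enumerate the port mappings a UPnP-enabled gateway currently holds.

Added example for this thread; standard library only, no vendor-specific calls.
"""
from __future__ import annotations

import socket
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
DEV_NS = "urn:schemas-upnp-org:device-1-0"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def ssdp_location(response: bytes) -> str | None:
    """Return the LOCATION header of an SSDP reply (URL of the device description)."""
    for line in response.decode("utf-8", errors="replace").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def wan_control(desc_xml: str | bytes, base_url: str) -> tuple[str, str] | None:
    """Find the WAN(IP|PPP)Connection service; return (control URL, service type)."""
    root = ET.fromstring(desc_xml)
    for svc in root.iter(f"{{{DEV_NS}}}service"):  # includes embedded devices
        stype = svc.findtext(f"{{{DEV_NS}}}serviceType", "")
        if "WANIPConnection" in stype or "WANPPPConnection" in stype:
            ctl = svc.findtext(f"{{{DEV_NS}}}controlURL", "")
            return urllib.parse.urljoin(base_url, ctl), stype
    return None


def parse_mapping(soap_xml: str | bytes) -> dict[str, str]:
    """Flatten a GetGenericPortMappingEntryResponse into {New<Field>: value}."""
    out: dict[str, str] = {}
    for el in ET.fromstring(soap_xml).iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip any namespace
        if local.startswith("New"):
            out[local] = el.text or ""     # NewRemoteHost is usually empty
    return out


def soap_call(control_url: str, service_type: str, action: str, index: int) -> bytes:
    """POST one IGD SOAP action; a SOAP fault surfaces as urllib.error.HTTPError."""
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{service_type}"><NewPortMappingIndex>{index}'
            f'</NewPortMappingIndex></u:{action}></s:Body></s:Envelope>')
    req = urllib.request.Request(
        control_url, data=body.encode(), method="POST",
        headers={"Content-Type": 'text/xml; charset="utf-8"',
                 "SOAPAction": f'"{service_type}#{action}"'})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def discover(timeout: float = 3.0) -> str | None:
    """Multicast an SSDP M-SEARCH for an IGD; None if nothing answers in time."""
    msg = ("M-SEARCH * HTTP/1.1\r\n"
           f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\n'
           f"ST: {IGD_ST}\r\n\r\n").encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP_GROUP)
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return ssdp_location(data)


def list_mappings(location: str) -> list[dict[str, str]]:
    """Walk the mapping table by index until the gateway faults (end of table)."""
    with urllib.request.urlopen(location, timeout=5) as resp:
        found = wan_control(resp.read(), location)
    if not found:
        return []
    ctl, stype = found
    mappings: list[dict[str, str]] = []
    for i in range(1024):  # sanity cap; real tables are far smaller
        try:
            mappings.append(parse_mapping(soap_call(ctl, stype, "GetGenericPortMappingEntry", i)))
        except urllib.error.HTTPError:
            break  # HTTP 500 carrying UPnP error 713 SpecifiedArrayIndexInvalid
    return mappings


if __name__ == "__main__":
    loc = discover()
    if not loc:
        print("no UPnP gateway answered: UPnP is off or the gateway is not on this segment")
    for m in list_mappings(loc) if loc else []:
        print(f"{m.get('NewProtocol', '?')}/{m.get('NewExternalPort', '?')} -> "
              f"{m.get('NewInternalClient', '?')}:{m.get('NewInternalPort', '?')}  "
              f"{m.get('NewPortMappingDescription', '')}")
```

An empty table with UPnP still enabled is not the same as UPnP disabled: anything on the LAN (a game console, a torrent client, malware) can add a mapping later, which is the point of the advice above. A mapping for UDP/500 or UDP/4500 pointing at a host that does not deliberately run a VPN endpoint is worth removing in the router's own UI.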

Re: zyxel command injection cve-2023-28771

Four days ago I decided I wanted a break from the popup notifications about this virus so I clicked "stop notifying me".  I don't know why some posters here are having trouble with that feature claiming it's not working because it works perfectly for me.  I got zero popups and there were no notifications in the Security History either.  After 48 hours, I decided I wanted to see how bad the attacks were so I clicked "notify me".  It's been another 48 hours and I still haven't got any virus attacks.  I have no idea why but I'm not complaining.


Re: zyxel command injection cve-2023-28771

I set up my ISP device and second router like 6 years ago, made the username and password something I'd remember. Six years after never touching it again, I can't remember what they were. If I knew one for sure I could stand a chance at guessing the other.

The ISP people don't understand why I didn't just leave it with the factory name/password, and can't tell me what settings I'll need to know when I factory reset their machine. They also won't send a tech out to help while everything is working fine.

So when I can afford to be without the internet for a day, I'm going to factory reset it and when it won't connect to their end, get a tech out to play with the settings.
