how to block ports 22 & 23
First let me say - I am not an IT guru. High five to those who are!!!
I received snail mail from AT&T stating we have a possible Mirai infection on our network (it has been slow AF lately...)
A few days later I received an email (below)
The IP address it is linking to I am unable to find. We do not have security cameras, or anything like that in our office. I am unsure of how to block ports 22 and 23. Can you walk me through it? I've called AT&T but "longer than average hold times" and then was hung up on.
AT&T U-verse Site ID: xxxxxxxx
Billing Acct Ending: 8063
AT&T has received information indicating that one or more devices using your Internet connection may be infected with malicious software. Internet traffic consistent with a Mirai infection was observed on Apr 11, 2020 at 7:01 PM CDT from the IP address 18.104.22.168. Our records indicate that this IP address was assigned to you at this time.
The Mirai malware is different than regular malware because it targets equipment on your network, such as surveillance cameras, rather than traditional PCs. Presence of Mirai on one of your devices allows hackers to use your equipment to attack websites.
Since this malware targets equipment rather than a PC, it can be difficult to detect and remediate.
To address this matter we ask that you take the following actions. If your equipment is managed by an Information Technology (IT) group at your place of work, please pass this information on to them.
Determine which devices on your network may be exposed to the Internet. Pay special attention to cameras, digital video recorders (DVRs), and video surveillance systems; and devices with model numbers LS300, GX400, GX/ES440, GX/ES450, and RV50k manufactured by Sierra Wireless.
Ensure that your firewall or wireless router is configured to block access to ports 22/tcp (ssh) and 23/tcp (telnet). If you are not able to disable access to these ports, limit access to only the remote IP addresses you need for remote management.
Restart the equipment. If you continue to receive alerts, you may need to reset the device to factory settings. Consult the equipment manual for more information.
Visit the manufacturer's website for the latest firmware updates for your device.
After restarting, change the administrator password for the device.
Additional tools and information:
US CERT ALERT regarding Mirai: https://www.us-cert.gov/ncas/alerts/TA16-288A
US CERT ALERT regarding Sierra Wireless Equipment: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-286-01
Regards, AT&T Internet Services Security Center
Incident details for 22.214.171.124
Source port: 10089
Destination port: 23
DISCLAIMER: The information above contains links to software by third-party vendors (hereafter, “the Software”). AT&T is not responsible for support or assistance for any of the Software. If you need support or assistance with any of the Software, please contact the Software's vendor directly. AT&T is unable to provide a warranty or guarantee, either expressed or implied, for any of the Software. You will be responsible for your own system software and system security and not hold AT&T, its partners, agents or affiliates liable for any costs or damages whatsoever (including, without limitation, damages to access system, hardware and/or software) to your computer as a result of installing or using any of the Software. You also understand that use of all hardware and/or software must comply with the AT&T Acceptable Use Policy.
Important Note: This email contains links to various websites. You may copy and paste the URL(s) into your browser rather than clicking directly on the link.
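One way to carry out the notice's first step, finding which devices on your own network answer on 22/tcp (ssh) or 23/tcp (telnet), is the added example below; it is not part of the original post or of AT&T's notice. The function names are hypothetical and the LAN range `192.168.1.0/24` is an assumption, so pass your own range as the first argument.

```python
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# The two ports named in the notice: ssh and telnet.
NOTICE_PORTS = (22, 23)


def open_ports(host, ports=NOTICE_PORTS, timeout=0.5):
    """Return the ports on `host` that accept a TCP connection."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success and an errno otherwise
            # (refused, unreachable, timed out) instead of raising.
            if s.connect_ex((str(host), port)) == 0:
                found.append(port)
    return found


def audit_lan(cidr, ports=NOTICE_PORTS, timeout=0.5, workers=64):
    """Check every host address in `cidr`; return {ip: [open ports]} for hits only."""
    hosts = [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: open_ports(h, ports, timeout), hosts))
    return {h: p for h, p in zip(hosts, results) if p}


if __name__ == "__main__":
    # Assumed default range; replace with the range your router hands out.
    cidr = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"
    hits = audit_lan(cidr)
    for ip, ports in hits.items():
        print(f"{ip}: accepting connections on {', '.join(map(str, ports))}")
    if not hits:
        print("No device on this range answered on the checked ports.")
```

Any address it lists is a device to identify, restart, update and re-password as the notice describes; the script only reports what is listening and does not change the router's firewall.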