View Full Version : outbreak.ntli.net


ITGuyFromWales
10-04-2005, 08:49
Hi All,

This is probably an old topic but I have recently experienced this problem for the first time (on my own pc), in that I keep getting re-directed to outbreak.ntli.net.

I have searched google and the NTLHELL, CABLE Forums for an idea as to what causes it.

Ok, I know NETSKY virus on a pc causes it but I am running LINUX?
The other thing is My version of Linux is Knoppix which boots from CD and is therefore almost impossible to have a virus. (Every time I reboot the pc it loads fresh from the CD again - which is nice ;-] )

The only thing I have done recently is upgrade my 750 connection to 2mb.

The NTL TechSupport Line's official answer to my problem is NTL don't support LINUX and they tell me to go and get a local IT GUY to sort it out - "Like Shall I ring Myself LOL "

I know, as many others will know, that it's not giving me this error because I am using Linux; it is something else and I intend to get to the bottom of it!!

I would be interested at this point to hear anyone else's stories on their experiences of this problem.

Tomorrow I shall get my WinXP PC on and run through their suggestions "JUST TO PACIFY THEM". Then I will escalate the problem to their next level of support and keep you all posted!!

Paul K
10-04-2005, 09:06
Might be an idea to see what ports your setup has in use to make sure that you aren't using ports that the virus would be causing activity on.

greencreeper
10-04-2005, 11:11
NTL's flaky systems think your computer has a virus. I think there was a thread not long back where a poster got stuck in the walled garden and couldn't get out. NTL staff seem to have total faith in their company's systems - i.e. if it says you have a virus, you have a virus. I would check as Paul suggests that you have nothing sending/receiving on the ports commonly used by the various viruses out there, but most likely NTL has got it wrong, again. They don't even check if you have an OS capable of hosting the virus :rolleyes:

Graham M
10-04-2005, 11:44
Just phone em and tell em you've gotten rid of the virus and ask them to remove you from the Walled garden lol!

Richard M
10-04-2005, 12:24
He's probably picked up someone's old IP which belonged to a computer that was infected.

Chris W
10-04-2005, 13:22
He's probably picked up someone's old IP which belonged to a computer that was infected.

I thought the walled garden was done by modem MAC address not IP....

Anyway, if you download the patches from the walled garden site (yep I know you can't run them on linux but this is irrelevant) the system should then automatically release you after 4 hours.

Reboot the modem and if this doesn't happen, contact technical support and tell them that you have downloaded them and still stuck. It will then be sent off to a team to release you manually :)

BBKing
10-04-2005, 19:16
NTL staff seem to have total faith in their company's systems - i.e. if it says you have a virus, you have a virus

In defence of the people who came up with the system, I know them well and they're *very* smart - try defining how you'd identify who has a virus or not - it's not a 100% game by any stretch, and you eventually have to err on the side of caution and block people. It has been very effective in stopping viruses and other ISPs have been interested in the technique, so this is NTL being proactive and intelligent, OK? Given that the UK leads the world in PC trojan infection I think any effort to stop it has to be worthy of applause.

Toto
10-04-2005, 21:36
In defence of the people who came up with the system, I know them well and they're *very* smart - try defining how you'd identify who has a virus or not - it's not a 100% game by any stretch, and you eventually have to err on the side of caution and block people. It has been very effective in stopping viruses and other ISPs have been interested in the technique, so this is NTL being proactive and intelligent, OK? Given that the UK leads the world in PC trojan infection I think any effort to stop it has to be worthy of applause.

Worth noting too that they worked with MS, Symantec and other parties to come up with this system, and I also heard that other ISPs approached ntl about this.

You're always going to have false positives, but better a few mistakes than a whole network block due to virus propagation.

ITGuyFromWales
10-04-2005, 21:47
They may be *SMART* But their system "Doesn't work"!!

It is getting too many "False Positives" and giving their customers a headache!

If you know them so well ask them what is the answer to fixing the problem for people who don't have WINDOWS installed, I am sure it doesn't take such *SMART* people to design an extra 2 webpages for LINUX and MAC users!

Does their system work on "Virus Patterns" in datastreams coming from a computer or just the amount of traffic on a particular port?

I'm running a packet sniffer and reviewing my log files to view the port activity on my network. Reports nothing unusual.

I think they have a *BUG* in their system.

When they contact me for not paying my bill I shall have my phone automatically divert them to an outbreak.lostmypatience.net message on my phone. They will be required to download an antivirus for their telephone and switch off their phone system for 4 hours then turn it back on. Then I might or might not allow them access to my telephone network in my home.
When they tell me their phone system cannot run this particular antivirus I might just tell them to ring local telephone engineer to sort it out as I do not support their phone system.

Anyway I'll keep you posted on how it develops!

gkhewitt
10-04-2005, 22:09
I believe it runs on traffic on ports.

I have a mailing list of about 250 addresses and my main mailhost was down at one point so I sent through NTL's SMTP. I then landed myself in the walled garden for 36 hours with NTL insisting that I had Netsky. Wrong!

So yes, as others have suggested, check your ports.

simbr
10-04-2005, 23:48
It is getting too many "False Positives" and giving their customers a headache!
How many false positives is this? Do you have numbers?

If you know them so well ask them what is the answer to fixing the problem for people who dont have WINDOWS installed, I am sure it dont take such *SMART* people to design an extra 2 webpages for LINUX and MAC users!
The system was set up originally for the blaster virus, and later extended for netsky etc. by replacing the blaster tools with the more generic Stinger utility. Last I heard netsky was a Windows, not a Mac or Linux problem and ntl do not support Linux anyway. If you could provide a netsky removal tool for a Mac I'm sure there would be no problems getting it added.

slimshady
11-04-2005, 09:07
The Problem here is not with the detection tool as BBKing said they can't be 100% accurate, the problem is with the process put into place by ntl for dealing with calls from customers with this problem. The issue is that they need to have a way of overriding it for customers who say they are running linux. I'm sure if they really wanted to they could pass it to a third line who could then port scan said machine with something like nessus to identify the host behind it.

Chris W
11-04-2005, 12:03
The Problem here is not with the detection tool as BBKing said they can't be 100% accurate, the problem is with the process put into place by ntl for dealing with calls from customers with this problem. The issue is that they need to have a way of overriding it for customers who say they are running linux. I'm sure if they really wanted to they could pass it to a third line who could then port scan said machine with something like nessus to identify the host behind it.

As advised earlier in the thread - downloading the files will result in automatic release from the walled garden within 4 hours.

greencreeper
11-04-2005, 18:40
I know them well and they're *very* smart - try defining how you'd identify who has a virus or not
Well first I'd start by identifying whether the OS is capable of hosting the virus :dozey:

The high switching costs associated with moving ISP, plus the minimum contract period, allow NTL to get away with messing customers around. If we could change ISP at the click of a button, NTL would have a better walled garden. At the moment they're just using the system to score points as a "family friendly" ISP that takes its responsibilities seriously bla bla.

Matth
11-04-2005, 22:11
Go through the motions, download what it says, and it'll probably release you

BBKing
12-04-2005, 09:09
Well first I'd start by identifying whether the OS is capable of hosting the virus

How?

1) Get every customer to keep you updated every time they change computers? You'd need to get down to details of which patch level they had.
2) Port scan every PC on the network (have to ban firewalls first) and try and fingerprint them?
3) Analyse everyone's web traffic and see if you can get it from headers?
4) Employ a team of people to ring up thousands of people a day and ask them?

It's all very well saying this, but I don't think it's actually feasible.

At the moment they're just using the system to score points as a "family friendly" ISP that takes its responsibilities seriously bla bla.

This is total poppycock - would you prefer an ISP that didn't take its responsibilities seriously?

It was done partly because we were getting hammered by traffic from worms and viruses, and partly because it became obvious that people don't fix their own PCs. We had to take steps to make them aware of it and how to do it. We could have just banned them, of course, as they were breaking their terms and conditions.

If we wanted to score points as family friendly, surely we'd block porn sites at the proxies and take naughty newsgroups offline, filter all email, etc. Quite what's so bad about trying to stop worms and spam I'm at a loss to understand.

Of course, I'd like to see us encourage Linux use at home by putting out our own distro with remote access tools built in for diagnostics and upgrades, but that's not going to happen, unfortunately.

KraGorn
12-04-2005, 11:07
Tell me something here.

Given most (all?) 'botnets' are controlled by IRC and only a vanishingly small percentage of internet users actually use IRC ... no, I have no stats, but I stand by that assertion :) .. why don't ISPs simply block IRC until a customer asks for it?

I doubt many calls would be made to get it un-blocked.

Toto
12-04-2005, 11:38
How?

1) Get every customer to keep you updated every time they change computers? You'd need to get down to details of which patch level they had.
2) Port scan every PC on the network (have to ban firewalls first) and try and fingerprint them?
3) Analyse everyone's web traffic and see if you can get it from headers?
4) Employ a team of people to ring up thousands of people a day and ask them?

It's all very well saying this, but I don't think it's actually feasible.



This is total poppycock - would you prefer an ISP that didn't take its responsibilities seriously?

It was done partly because we were getting hammered by traffic from worms and viruses, and partly because it became obvious that people don't fix their own PCs. We had to take steps to make them aware of it and how to do it. We could have just banned them, of course, as they were breaking their terms and conditions.

If we wanted to score points as family friendly, surely we'd block porn sites at the proxies and take naughty newsgroups offline, filter all email, etc. Quite what's so bad about trying to stop worms and spam I'm at a loss to understand.

Of course, I'd like to see us encourage Linux use at home by putting out our own distro with remote access tools built in for diagnostics and upgrades, but that's not going to happen, unfortunately.

Excellent post, some straight talking common sense.

Not too sure about the Linux distro thing though, but still, bang on the money.

:tu: :tu: :tu:

Rakhal
12-04-2005, 12:40
I can certainly vouch for most botnets being controlled via IRC. I administer an IRC server and I'm always having to kick them off (I hate botnets). However blocking irc isn't that simple, there is no one port that it uses (there is a default one though). And you can be sure that the botnet owners will rapidly change port numbers on you. Better to make sure/encourage people to keep their machines clean. After all, being part of a botnet and DDoSing someone may be bad, but having your personal data stolen via a keylogger etc. is worse.

I could wish that IRC admins were a little more proactive about booting botnets off their servers. I often see signs of them on various servers but no-one seems to take action :( Admittedly my server is a small one (we focus on creative writing) and so when a channel with 100+ weirdly named people turns up on it, it's a bit obvious :)

Stuart
12-04-2005, 14:13
I know them well and they're *very* smart - try defining how you'd identify who has a virus or not
Well first I'd start by identifying whether the OS is capable of hosting the virus :dozey:


Easy to say. Not so easy to do. I can think of one way they can do it remotely. When you access something with a browser, your browser sends a series of headers that include the platform, OS and browser sending the request. You could (theoretically) check for all Windows PCs this way.

I can think of two problems with this.


It relies on the application accessing the net actually sending these headers. I am pretty sure that only web browsers do.

It is easy to forge/alter these headers. Opera does this so that it can appear to be Internet Explorer. I am pretty sure virus writers would find a way to use these headers to make it appear the machine being checked is running Linux.

BBKing
12-04-2005, 17:01
You could (theoretically) check for all Windows PCs this way.

3) It doesn't determine 100% that a particular machine can host the virus - two Windows PCs returning the same string could have one vulnerable, one not, depending on whether patches have been installed. It doesn't have enough information to make a certain judgement.

You could force everyone to run an app that walled-gardens them if they've not got all patches installed, but do we really want that?

The surest way is to identify IPs that are sending traffic that looks like it comes from a virus - specific ports, patterns of scanning etc. This can be duplicated by someone on another OS, but it has to be done deliberately and is effectively malicious (if you know how to exploit a vulnerability and program your Linux box to do it, that'll appear indistinguishable from the original infection).
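
As an added illustration of the "specific ports, patterns of scanning" heuristic BBKing describes (not NTL's actual system, whose internals the thread does not show), the following script flags sources that contact many distinct hosts on a worm-associated port, and contrasts it with a naive connection count that would also catch gkhewitt's 250-address mailing-list run through the ISP's single SMTP relay. The flow format, port list, thresholds and sample addresses are all constructed assumptions.

```python
"""
Added example: distinct-destination worm-traffic heuristic over constructed
flow records. Not NTL's walled-garden code; format and thresholds assumed.
"""
from collections import defaultdict

# Ports the thread associates with the worms behind the walled garden:
# TCP/135 (Blaster-style RPC scanning) and TCP/25 (Netsky-style mass mail).
WORM_PORTS = {135, 25}

# Flag a source once it has talked to this many distinct hosts on a worm
# port within the observation window. The threshold is an assumption.
DISTINCT_DST_THRESHOLD = 20


def parse_flows(text):
    """Parse constructed 'src dst dport' lines into (src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport = line.split()
        flows.append((src, dst, int(dport)))
    return flows


def suspicious_sources(flows, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: {port: distinct_dst_count}} for sources over threshold."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in flows:
        if dport in WORM_PORTS:
            seen[src][dport].add(dst)
    return {src: {p: len(d) for p, d in ports.items() if len(d) >= threshold}
            for src, ports in seen.items()
            if any(len(d) >= threshold for d in ports.values())}


def naive_connection_count(flows, threshold=DISTINCT_DST_THRESHOLD):
    """Connection-count variant: counts every flow, not distinct hosts."""
    counts = defaultdict(int)
    for src, dst, dport in flows:
        if dport in WORM_PORTS:
            counts[src] += 1
    return {src for src, n in counts.items() if n >= threshold}


# Constructed sample: 10.0.0.1 probes 30 hosts on TCP/135 (scan pattern);
# 10.0.0.2 sends 250 messages, all via one ISP smarthost (mailing list).
SAMPLE = "\n".join(
    [f"10.0.0.1 10.1.{i}.1 135" for i in range(30)]
    + ["10.0.0.2 10.9.9.9 25"] * 250
)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("distinct-dst heuristic:", suspicious_sources(flows))
    print("naive connection count:", naive_connection_count(flows))
```

Counting distinct destinations keeps the scanner flagged while the mailing-list run, which only ever talks to one relay, stays out of the walled garden; a pure connection count flags both.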

Stuart
12-04-2005, 17:23
You could (theoretically) check for all Windows PCs this way.

3) It doesn't determine 100% that a particular machine can host the virus - two Windows PCs returning the same string could have one vulnerable, one not, depending on whether patches have been installed. It doesn't have enough information to make a certain judgement.

True, and the only way I can think of (without monitoring ports used and scanning patterns) would be to hack into the machine, and check (in the registry) which patches are installed. Of course, this raises a little issue of privacy, and is illegal.


You could force everyone to run an app that walled-gardens them if they've not got all patches installed, but do we really want that?

The surest way is to identify IPs that are sending traffic that looks like it comes from a virus - specific ports, patterns of scanning etc. This can be duplicated by someone on another OS, but it has to be done deliberately and is effectively malicious (if you know how to exploit a vulnerability and program your Linux box to do it, that'll appear indistinguishable from the original infection).


Just imagine the situation... Techy people leaving/avoiding AOL because "you have to run their cr*p software", only to join NTL and find they have to run NTL's cr*p software... :D

BTW, I'm quite happy with the system NTL have in place. Nice to see an ISP actually try and DO something about unpatched users.

greencreeper
12-04-2005, 18:30
It doesn't determine 100% that a particular machine can host the virus - two Windows PCs returning the same string could have one vulnerable, one not, depending on whether patches have been installed. It doesn't have enough information to make a certain judgement.
Exactly - so why write the software in the first place if they know it (a) cannot work because there's no way to identify infected PCs; and (b) users can leave the garden by downloading patches - no installation necessary.

Stuart
12-04-2005, 21:37
It doesn't determine 100% that a particular machine can host the virus - two Windows PCs returning the same string could have one vulnerable, one not, depending on whether patches have been installed. It doesn't have enough information to make a certain judgement.
Exactly - so why write the software in the first place if they know it (a) cannot work because there's no way to identify infected PCs; and (b) users can leave the garden by downloading patches - no installation necessary.

They may not be able to determine which PCs are patched with 100% efficiency, but they can detect machines acting suspiciously (port scanning, bulk emailing etc). I personally think this is a good thing, and, frankly, don't understand why you don't.