
Time Warner "unwanted activity" message in my browser

Lifted

Does anyone have any idea what this means? I'm 99.99999999% certain I don't have a botnet on my "LAN" (1 computer) as I'm pretty on top of traffic in and out of my PC and network. I turn off my PC whenever I am sleeping or not home, and I've never seen suspicious traffic on my PC or router while in use.

My beef with the notification (which links to McAfee after a couple of clicks through their site) is that it doesn't specify who made this claim to them, or what "it" is, which means I have no way to refute this claim. I could understand if they noticed this traffic coming from my network with their own IPS or other scanners, but they claim they were notified (just not by who).

Dear Time Warner Cable Customer,

Please be aware that Time Warner Cable has received a report of unwanted Internet activity being transmitted from a machine connected to the cable modem on your Time Warner Cable Internet connection. This violates the Time Warner Cable AUP (Acceptable Use Policy) for your residential account.

We are aware that the majority of such activity is caused by an infected or compromised computer. To avoid further interruptions of your service, you must take steps to clean and secure both your computer(s) and your wireless device(s) if you have any. Please visit our self-help Web site www.rr.com/security/bothelp once you have read this notice for a suggested course of action. You will be automatically re-directed to this web site when you click the blue link at the bottom of this message. We do recommend that a total system format (all data erased) is the best way to ensure that the computer is safe for use on the Internet again.

We ask that you read the Time Warner Cable Acceptable Use Policy found at help.twcable.com, and bear in mind that violations of the Time Warner Cable AUP can result in actions taken against your account up to and including account suspension and or termination of high speed data service. Please be aware that these steps are taken to protect the quality of service we provide to you and the rest of our customers.

Once your normal Internet service is resumed, please note that you must take steps to resolve the abuse issue or we may disable your service should further reports of unwanted activity be received. We may also require proof that the computer(s) have been cleaned or returned to factory settings.
What exactly did the report state?

Who submitted the report?

When was it submitted? (maybe it wasn't even my IP at the time)

While I understand the need to notify customers of such issues, notifications like the above are pretty useless. Whoever/whatever supposedly detected something from my IP knows what they/it detected, so why not include that in the friggin report?
 
Are you running any test servers that send out mail? I've gotten a similar notice from Comcast because of that. Are you using port 25 for anything?
 
They're not the only provider. If they won't be more forthcoming about the problem, find a service provider that won't screw with you.
 
Have you done any type of malware or rootkit scans?

+1 to contacting TimeWarner and trying to get them to identify what they identified.

I know when you use OpenDNS, their control panel will notify you if they have seen BotNet activity coming from your IP. I'm sure TimeWarner can have a similar type scan setup for traffic going to known BotNet control IPs.
 
So one of two things happened: either you have an e-mail with them and someone got an unwanted e-mail from that account [could be they got hacked, could be spoofed headers, etc.] or you have unusual activity for a residential account going on, i.e. you host a server that's always transmitting data [according to TOS no no] or something similar; this got noticed by the system and a report was generated. They are not trying to pry into your life, so a general report gets posted with no specifics in case someone else reads the e-mail. It's meant to sort of wake you up and have you check your setup [stop the kids from running LimeWire/torrents or whatever it is these days 24 hours, etc.].

Comcast does similar; various default things set it off. Sometimes nothing is wrong; just call in and ask what needs to be done to get it to stop. It may also just be a CMTS bug.
 
It wasn't an email. They actually sent me to that site via while all other internet access was disabled until I clicked some link which stated that I agreed to look into the matter. Once I did that my service was restored.

Maybe all those, uhh, linux distros I've been downloading via BitTorrent set off the alerts. I guess I'll have to download em through level 3 now.
 
Land of the free? Really?

Makes me sad to think people are too freaking stupid to see where this is leading them and this once great nation. 🙁
 
It wasn't an email. They actually sent me to that site via while all other internet access was disabled until I clicked some link which stated that I agreed to look into the matter. Once I did that my service was restored.

Maybe all those, uhh, linux distros I've been downloading via BitTorrent set off the alerts. I guess I'll have to download em through level 3 now.

It's extremely easy to see what you're doing and insert the pop-up or redirect you to a page asking you to remediate your malicious and/or illegal activity. All of this is done automatically.

I assume you intend to fix your malicious activity per the acceptable use policy you agreed to when you signed up and used the service?
 
Land of the free? Really?

Makes me sad to think people are too freaking stupid to see where this is leading them and this once great nation. 🙁

Stopping bad guys is the very foundation of our nation. I am proud to be part of professionals doing it.
 
Malicious? That's a determination of intent made without much to go on. Should we have to worry about any citizens that might end up under your control, or are you content to let the courts determine intent?

Many believe the foundation of our nation to be the Constitution, which has less to say about stopping bad guys than it does about restricting the power of government.

But that's not what this is about anyway. If Time Warner doesn't want this person's business, some other provider will. My suggestion is to vote with the feet, as they say.
 
Quick clue.

They absolutely don't want his business. This is a nice way of saying go somewhere else. You're not going to conduct illegal activity on my network.
 
Quick clue.

They absolutely don't want his business. This is a nice way of saying go somewhere else. You're not going to conduct illegal activity on my network.
ISPs do tend to freak out when computers on their network contract malware. What with all the spam, DoSing, and other activities botnets do...

Lifted, check all of your computers. Then check them again. And check them a 3rd time. These aren't random messages; it means TW either detected botnet activity coming from your network, or someone filed a complaint after being on the receiving end. Copyright violations (BitTorrent, etc) are a different warning entirely.
 
i downloaded bill maher's show once, and comcast sent me a nice email about it. they had all the details though... op's warning does seem weird because they won't tell him what he did wrong.
 
i downloaded bill maher's show once, and comcast sent me a nice email about it. they had all the details though... op's warning does seem weird because they won't tell him what he did wrong.
Again, not the same thing. He didn't do anything wrong; they're trying to tell him one of his machines is infected with malware. In this case they're using a boilerplate letter.
 
if they don't think he did anything wrong, why are they threatening disconnect? shouldn't they just monitor the amount of traffic and leave him alone?
 
if they don't think he did anything wrong, why are they threatening disconnect? shouldn't they just monitor the amount of traffic and leave him alone?
Because a malware infected computer is a threat to the other computers on their network? This is the standard procedure: inform the victim, but don't cut them off entirely so that they can use the Internet to access resources to clean their computer. But if it continues the computer will have to be disconnected.
 
i don't really understand... all the isp is doing is routing traffic... they shouldn't care what is routed as long as it's not affecting other people (that's why there are cap limits). it scares me that isps are the police now...
 
i don't really understand... all the isp is doing is routing traffic... they shouldn't care what is routed as long as it's not affecting other people (that's why there are cap limits). it scares me that isps are the police now...
Network admins have been disconnecting malware infected computers since the beginning of time. If they didn't, then their networks would come crumbling down due to infected machines reaching out and attacking other machines and other networks. This isn't about caps and bandwidth, this is about one of Lifted's machines spamming, DoSing, hacking, and doing god knows what else to other computers. No one benefits from allowing that to continue.
 
Network admins have been disconnecting malware infected computers since the beginning of time. If they didn't, then their networks would come crumbling down due to infected machines reaching out and attacking other machines and other networks. This isn't about caps and bandwidth, this is about one of Lifted's machines spamming, DoSing, hacking, and doing god knows what else to other computers. No one benefits from allowing that to continue.

ok, i get that.. but op stated there isn't high traffic out of his router? so dos attacks wouldn't be happening, and if it was a hacker then why wouldn't time warner go after the people who are trying to hack him?

i guess we just need more detail as to what tw is crying about...
 
ok, i get that.. but op stated there isn't high traffic out of his router? so dos attacks wouldn't be happening, and if it was a hacker then why wouldn't time warner go after the people who are trying to hack him?

i guess we just need more detail as to what tw is crying about...
In short, whoever is controlling Lifted's computer is almost certainly in another country (usually Russia), so they can't go after the bot master. All they can do is shut down infected machines as they are discovered. As such Lifted is not in trouble, but Time Warner will disconnect him if he doesn't take care of his infected machine due to the threat it poses to other computers.

As for getting more details, if Lifted calls up TW I'm sure he can get them (will probably need to be escalated to a higher tier rep). This is a boilerplate letter meant for the average user; if it gets any more technical than this, most users will be completely lost in the technical details.
 
Thanks for the suggestions. Like I said, I've been monitoring my traffic even more closely now and there are no rogue connections to or from my equipment. My computer is also pretty new with not much installed on it other than Office and Steam and some virtualization utilities. NOD32 is up to date, and I only use Firefox with NoScript and Adblock. It's unlikely something got in undetected past this setup and is not showing any networking activity on my desktop or at the gateway.

I'll see if they block my internet access again before contacting them. I rebooted my cable modem a week or two ago, so maybe the IP I grabbed was from somebody who had a malware issue.

They absolutely don't want his business. This is a nice way of saying go somewhere else. You're not going to conduct illegal activity on my network.

WTF are you going on about? 😵 😕 🙄
 
Yes, it could be a DoS attack. If he is only 1 zombie (as many are unknowingly) of a million others, one simple ping from all at once can cause havoc.

Someone had detected an attack and traced it to the attacker IP and notified the ISP of this.
The ISP cannot provide any info to the victim or vice versa for confidentiality agreement, but the ISP notifies the attacker and will block if breach of contract agreement.

As ViRGE says, the OP should run many malware/bot/antivirus detection programs on anything that is sharing the home/work network.
 