
Abnormal usage of cellular data


MtJoy Feb 9, 2017 02:35 AM

Hi Guru,

It is really weird that I only have one table with 72 columns to be collected at a one-hour interval, but my 5G monthly data plan was blown up.

1. For CR100 & CR6, when data is collected, will the whole table stored on the data logger be collected, or only the new rows of data?

2. Is there anything else that can cause this big data usage? The data logger (CR1000 or CR6) is the only thing connected to the cellular modem.

Thank you.

Marvin


kcopeland Feb 9, 2017 03:35 PM

Hey Marvin-

We recently experienced the same thing at a couple different sites.  I am going to assume you are using a Sierra Wireless device.  The first thing you need to do is change the password to access that device.

http://source.sierrawireless.com/resources/airlink/software_reference_docs/technical-bulletin/sierra-wireless-technical-bulletin---mirai/

Next, we've seen a CR1000 also infected with some sort of malware that just sits and creates traffic 24/7.  I would recommend collecting all data, saving your current running program and re-installing your current operating system.  (Most of the time I would say upgrade the OS but if your system is working, let's not take the risk of breaking it with an upgrade).  After you have pushed your OS, set up datalogger security using Device Config.  Then you can push your program back on the logger and be on your way.

Thanks,

Kyle


MtJoy Feb 9, 2017 03:38 PM

Thank you Kyle.


JDavis Feb 9, 2017 03:51 PM

Most common recently seen was malware on LS300 or RV50 modems. As Kyle said, you just need to change the modem password and reboot it. 

Some customers have racked up data with excessive PakBus comms. Watch the logs in LoggerNet to make sure you are dropping the connection between data collections. Maximum Time Online in Setup could resolve that.


pokeeffe Feb 9, 2017 06:47 PM

Kyle,

A CR1000 found running malware is extremely interesting. Is there more info available on this?

Patrick


kcopeland Feb 9, 2017 07:06 PM

Patrick-

We had a CR1000 that was on a satellite modem.  Our data was over 3 Gig for that link in 2 weeks.  On further investigation, the satellite provider said the traffic was being generated by the device attached to the modem. (Only a CR1000 on the link.)  Sniffing the traffic on the provider side showed attempted connections to 1000s of different IPs (bot-like behavior).  When looking at the CR1000, there was a rogue file on the CPU drive with a .c extension.  After removing that file, the traffic stopped.  In hindsight, I wish I would have downloaded that file for troubleshooting purposes, but we were in such a rush to stop the traffic on the Sat Modem that we just wanted to solve the problem.

Thanks,

Kyle
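
The pattern Kyle describes (one device behind the modem attempting connections to thousands of different IPs) can be checked for in flow records exported from a modem or provider. The following is an added example, not part of the thread or any vendor tool; the record layout, addresses, ports and threshold are constructed assumptions.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed records (not real captures): (hour, src, dst, dst_port, bytes)."""
    flows = []
    for hour in range(24):
        # Healthy logger: one hourly collection session with its server.
        # 6785 is assumed here as the PakBus/TCP port.
        flows.append((hour, "10.0.0.5", "203.0.113.10", 6785, 6000))
        # Logger showing the bot-like pattern: many small attempts to distinct hosts.
        for i in range(200):
            flows.append((hour, "10.0.0.6", f"198.51.100.{i + 1}", 8080, 120))
    return flows


def find_fanout(flows, allowed_peers, max_new_peers_per_hour=5):
    """Flag sources that contact many destinations outside their allowlist.

    allowed_peers maps each source to the set of hosts it is expected to
    talk to (for a datalogger, normally just its collection server).
    Returns {src: {"hours": n, "peak_peers": n, "bytes": n}}.
    """
    unexpected = defaultdict(set)  # (src, hour) -> unexpected destinations
    volume = defaultdict(int)      # src -> total bytes, expected or not
    for hour, src, dst, _port, nbytes in flows:
        volume[src] += nbytes
        if dst not in allowed_peers.get(src, set()):
            unexpected[(src, hour)].add(dst)

    findings = {}
    for (src, _hour), dsts in unexpected.items():
        if len(dsts) > max_new_peers_per_hour:
            entry = findings.setdefault(
                src, {"hours": 0, "peak_peers": 0, "bytes": volume[src]}
            )
            entry["hours"] += 1
            entry["peak_peers"] = max(entry["peak_peers"], len(dsts))
    return findings


if __name__ == "__main__":
    server = {"203.0.113.10"}
    allow = {"10.0.0.5": server, "10.0.0.6": server}
    for src, info in find_fanout(build_sample_flows(), allow).items():
        print(src, info)
```
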

 


pokeeffe Feb 9, 2017 07:29 PM

Thanks Kyle. That's pretty crazy to hear. It would have been great to see that rogue file or the traffic logs. Very interesting.


Vim Feb 10, 2017 11:48 AM

aps Feb 10, 2017 11:59 AM

It is highly unlikely that the logger would be running any malicious code itself, but with early operating systems and also poor security settings on the logger it is possible someone might have put a file on the logger and they pointed users (by way of spoof webpages) to connect to the logger web interface to get them to run the code in that file on their PC.

Even without the malicious file, if you have a public IP address with no network firewall between the logger and the internet, there is scope for someone to maliciously create large amounts of traffic or even a full blown DoS which can run up a big bill on connections where the traffic is paid for.

There are measures you can take to minimise these risks, see this blog:

https://www.campbellsci.com/blog/security-measures-for-internet-connected-dataloggers

The alternative is to find a service that provides a firewall at the connection point to the internet and have that configured to limit risks from incoming connections to the logger.   More secure still is to get a service with a connection on a private network and either connect to it via a VPN or have the logger call out to the servers it needs to, although the latter rather limits the ability to serve web pages!
