I'm seeing notifications from my antivirus software that scans are being blocked. Some are from external IP addresses, but others are coming from my router. For example, here's the text from one notification from my antivirus about a scan that, apparently, came from my router.

Attack: an intrusion attempt was blocked.
Risk Level | Medium
Attacker Computer | {router internal ip address}:53768
Destination Computer | {webserver internal ip address}:80
Protocol | TCP
Attack Signature | Web Attack: Malicious Scan Request
Attack URL | {webserver external ip address}/cgi/common.cgi
Targeted Application | SYSTEM
Status | Blocked
Action | Resolved - No Action Required
Date & Time | 12/4/2017 3:07 PM

Does anyone have any idea of what is going on here?

umsrato

1 Answer

If it's coming from your router, then your router's been compromised, no question about that. Someone is tunneling through it.

Simply resetting the IP isn't enough. You should do a factory reset of the device, reset the password, and report the incident to the ISP.

schroeder
Dwad
  • If you're resetting the IP, I'd also suggest considering blocking all incoming communication and never using that ID and password again. If you're on a home network, there shouldn't be much reason for anyone to reach into your network. This assumes that the firmware on your router hasn't been altered... – baldPrussian Dec 05 '17 at 20:40
  • What about the possibility of a device on my network that is spoofing the attack? – umsrato Dec 05 '17 at 20:50
  • @umsrato spoofing is unlikely and would not do the attacker any good – schroeder Dec 05 '17 at 21:31
  • Yea, @schroeder is right, spoofing wouldn't help – Dwad Dec 06 '17 at 14:04