Router reporting failed admin login attempts from home server

1

I recently noticed in the logs of my home router that it relatively regularly lists the following entry:

[admin login failure] from source 192.168.0.160, Monday, June 20,2011 18:13:25

192.168.0.160 is the internal address of my home server, running Windows Home Server 2011. Is there any way I can find out what specifically is trying to log in to the router? Or is there some explanation for this behaviour? (not sure if this belongs here or on superuser...)

[Update] I've run both Wireshark and netmon for a while on my home server. Wireshark captured the traffic, but didn't really show anything useful (or nothing I could make use of). A simple HTTP GET request is sent from the server (192.168.0.160) to the router (192.168.0.1), from a seemingly random port (I've seen examples from 50068, 52883), and it appears to do it twice in quick succession (incrementing port by 1), about every hour. Running netstat around the time of the failure didn't show anything (probably too long after anyway).

I tried using netmon as it categorises by process, so I thought it might show a corresponding process for the port. Unfortunately, this comes in under the 'unknown' category, meaning it's basically just a slower, less useful Wireshark.

I know there's not much to go on here, but does this help in any way?

jeffora

Posted 2011-06-20T13:32:49.493

Reputation: 143
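The update above hits the usual wall: the GET is over in a few milliseconds, so netstat or netmon polled after the fact never sees the socket, and Wireshark has no process context at all. The following is an added example (not from the question's author) of a way to get the owning process anyway on a Server 2008 R2 based box such as Windows Home Server 2011, where Get-NetTCPConnection does not exist: turn on success auditing for Windows Filtering Platform connections, so every permitted outbound connection is written to the Security log as event 5156 together with the application path and the 5-tuple, then filter those events for the router. The router address 192.168.0.1, port 80 and the two-hour window are assumptions taken from the question, not facts about the poster's setup.

```powershell
# Added example, not part of the original question. Assumes the router is 192.168.0.1
# and the GET is plain HTTP on port 80 (as described in the question's update).
#
# Step 1 (run once, from an elevated prompt): make WFP log every permitted connection
# as Security event 5156. This is noisy, so disable it again when finished:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:disable
#
# Step 2: wait past the next hourly occurrence, then run this script.

$RouterIP   = '192.168.0.1'   # assumption: router's LAN address
$RouterPort = 80              # assumption: the GET goes to plain HTTP
$Since      = (Get-Date).AddHours(-2)   # look back far enough to catch one occurrence

# Pull recent 5156 events. -FilterHashtable pushes the filter into the event log
# service, which is much faster than piping Get-EventLog through Where-Object.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # The 5156 message body is a block of "Field:<tab>value" lines under
    # "Application Information" and "Network Information"; pick out the ones we need.
    $fields = @{}
    foreach ($line in ($e.Message -split "`r?`n")) {
        if ($line -match '^\s*(Application Name|Direction|Source Address|Source Port|Destination Address|Destination Port|Protocol|Process ID):\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    # Keep only outbound connections from this host to the router's web interface.
    if ($fields['Direction'] -eq 'Outbound' -and
        $fields['Destination Address'] -eq $RouterIP -and
        [int]$fields['Destination Port'] -eq $RouterPort) {

        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            ProcessId   = $fields['Process ID']
            SourcePort  = $fields['Source Port']
            # Logged as an NT device path, e.g. \device\harddiskvolume1\...\svchost.exe
            Application = $fields['Application Name']
        }
    }
}

$hits | Sort-Object Time | Format-Table Time, ProcessId, SourcePort, Application -AutoSize
```

If the application turns out to be svchost.exe, the path alone does not tell you which service is responsible; svchost processes are long-lived, so you can still map the logged PID to its hosted services afterwards with `tasklist /svc /FI "PID eq <ProcessId>"`. The two ports one apart in quick succession in the question should show up as two consecutive rows with the same Application and ProcessId.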

Answers

2

You can run Wireshark to log the traffic and see exactly what your Home Server is doing. If it really is nefarious you'll be able to read the whole packet payload and determine what's wrong and how to fix it.

Guesswork follows:

Off the top of my head, I know that Windows can generate some strange network traffic: My 7 box spewed out HTTP M-SEARCH requests, which I believe are associated with auto-discovery of UPnP devices using SSDP. This is what provides auto-config of your home router. If you don't feel like you particularly need to have your router managed for you and can open ports on your own just fine, thank you very much, you can disable the SSDP auto-discovery service.

If these packets are what's causing your messages it should clear that up. But if that's the case, they're merely cosmetic and causing no real harm.

Michael Lowman

Posted 2011-06-20T13:32:49.493

Reputation: 768

Thanks for the info. I wondered if Wireshark would be the likely solution - will test it out tonight! – jeffora – 2011-06-20T22:24:13.953

Also, see comment on other answer - are you suggesting that SSDP packets might cause the router to log a failed login attempt, or that there might be other HTTP packets associated with SSDP? – jeffora – 2011-06-20T22:31:14.807

No, SSDP shouldn't cause this log. But it still might be doing it. ;) It may be that your router doesn't support the feature, and therefore logs your error. It also might be something else, but you should be able to narrow it down to the true culprit with Wireshark. – Michael Lowman – 2011-06-21T03:30:12.917

I've updated my question with further Wireshark related information – jeffora – 2011-06-22T14:11:51.480

1

I'm assuming this is Windows Home Server attempting to automatically configure and/or test your home router. Windows Home Server attempts to configure your home router in order to facilitate remote access to your Home Server (https://domain.homeserver.com) by configuring the port forwarding settings on your router via UPnP.

joeqwerty

Posted 2011-06-20T13:32:49.493

Reputation: 5 259

Surely the UPnP protocol doesn't actually require admin login to a router to configure? Nothing here http://en.wikipedia.org/wiki/Universal_Plug_and_Play#Protocol indicates that SSDP packets are synonymous with router admin login?

– jeffora – 2011-06-20T22:24:53.763