1
I recently noticed in the logs of my home router that it relatively regularly lists the following entry:
[admin login failure] from source 192.168.0.160, Monday, June 20,2011 18:13:25
192.168.0.160 is the internal address of my home server, running Windows Home Server 2011. Is there any way I can find out what specifically is trying to log in to the router? Or is there some explanation for this behaviour? (not sure if this belongs here or on superuser...)
[Update] I've run both Wireshark and netmon for a while on my home server. Wireshark captured the traffic, but didn't really show anything useful (or nothing I could make use of). A simple HTTP GET request is sent from the server (192.168.0.160) to the router (192.168.0.1), from a seemingly random port (I've seen examples from 50068, 52883), and it appears to do it twice in quick succession (incrementing port by 1), about every hour. Running netstat around the time of the failure didn't show anything (probably too long after anyway).
I tried using netmon as it categorises by process, so I thought it might show a corresponding process for the port. Unfortunately, this comes in under the 'unknown' category, meaning it's basically just a slower, less useful Wireshark.
I know there's not much to go on here, but does this help in any way?
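An added example, not part of the original question: because the connections described above are too short-lived to catch with a manual netstat, this PowerShell loop polls `netstat -ano` several times a second and logs the owning process (and any services hosted in it) whenever a connection to the router appears. The port (80), the log path and the poll interval are assumptions.

```powershell
# Added example: log which process owns TCP connections to the router.
$Router  = '192.168.0.1'                  # router address from the question
$Port    = 80                             # assumption: admin page is HTTP on port 80
$LogFile = "$env:TEMP\router-conn.log"    # hypothetical output path
$seen    = @{}                            # connections seen on the previous poll

while ($true) {
    $current = @{}
    # -a all sockets, -n numeric addresses, -o owning PID, -p TCP only
    foreach ($line in (netstat -ano -p TCP)) {
        # Columns: Proto, Local Address, Foreign Address, State, PID
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP') { continue }
        if ($f[2] -ne "${Router}:$Port") { continue }

        # Key includes the state so each state change is logged once
        $key = "$($f[1])|$($f[3])|$($f[4])"
        $current[$key] = $true
        if ($seen.ContainsKey($key)) { continue }   # already logged

        $procId = [int]$f[4]
        $name = '(no owner)'; $services = ''
        # PID 0: the socket is no longer owned by a process (e.g. TIME_WAIT)
        if ($procId -ne 0) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            if ($proc) { $name = $proc.ProcessName }
            # svchost.exe hosts many services; list the ones in this PID
            $svc = Get-WmiObject Win32_Service -Filter "ProcessId=$procId"
            if ($svc) { $services = ($svc | ForEach-Object { $_.Name }) -join ',' }
        }
        $entry = '{0:s} local={1} state={2} pid={3} process={4} services={5}' -f `
            (Get-Date), $f[1], $f[3], $procId, $name, $services
        Add-Content -Path $LogFile -Value $entry
        Write-Host $entry
    }
    $seen = $current
    Start-Sleep -Milliseconds 250
}
```

If a request completes between two polls, the connection may only be seen in TIME_WAIT with PID 0; the timestamps and local ports in the log can then still be matched against the Wireshark capture and the router's log entries.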
Thanks for the info. I wondered if Wireshark would be the likely solution - will test it out tonight! – jeffora – 2011-06-20T22:24:13.953
Also, see comment on other answer - are you suggesting that SSDP packets might cause the router to log a failed login attempt, or that there might be other HTTP packets associated with SSDP? – jeffora – 2011-06-20T22:31:14.807
No, SSDP shouldn't cause this log, but it still might be doing it. ;) It may be that your router doesn't support the feature, and therefore logs your error. It also might be something else, but you should be able to narrow it down to the true culprit with Wireshark. – Michael Lowman – 2011-06-21T03:30:12.917
I've updated my question with further Wireshark related information – jeffora – 2011-06-22T14:11:51.480