
Yesterday I went to work, leaving my PC open as usual. It's a Windows 10, recently updated to Anniversary. After I came back, I moved the mouse to get out of monitor-sleep mode (PC was not in sleep) and I found Firefox open, at this address:

http://10.0.0.138/main.html?redirector=1

Not logged in, showing the router password prompt.

What could do it? The fact that it has redirector in it suggests that it was triggered by some software, and not that some person (either local or remote) tried to open my router status page. I also doubt that it's malware, because I don't see a reason for malware to do that.

I had a look at the Event Log and couldn't find anything relevant.

The router is an ISP-rebranded Sagemcom F@st 4315.

EDIT

It happened again several times when the internet was down. Most likely some software trying to access the internet, as someone mentioned in the comments.

Any ideas?

Gimelist
  • If your internet went down, routers normally redirect you to their page to resolve the problem. Try going to a website, disconnecting your phone line or cable and refreshing. – mt025 Aug 10 '16 at 21:38
  • @mt025 The browser was not open to begin with. Something opened it. Also, I live in a place where internet goes down about once a week, and this never happened. But I still did that test you suggested, I just get the usual errors. Nothing tries to open my router page. – Gimelist Aug 10 '16 at 21:40
  • @Michael When you installed the router, did you install any software that came with it? – Ouroborus Aug 10 '16 at 21:47
  • @Ouroborus no, it's connected to the PC via LAN. Edited the post to add router info. – Gimelist Aug 10 '16 at 21:48
  • This might sound obvious, but no one else could've gotten access to your computer? Either physical or through remote desktop? – Bertware Aug 10 '16 at 22:36
  • @Bertware Only wife was home, and she has her own laptop. She doesn't even know what 10.0.0.138 is. Remote desktop is possible, even though I doubt it. I don't have anything like that installed or enabled, and going to that specific URL and just leaving it open seems not like something a human would do. – Gimelist Aug 10 '16 at 22:45
  • Just to confirm, you don't have anything like TeamViewer installed? This sounds similar to the kinds of things that were happening to people after the LinkedIn hack exposed a bunch of passwords that were used on TeamViewer. – Nick Aug 11 '16 at 18:36

2 Answers

It's not possible to definitively say that a certain thing caused it, but we can speculate about why.

A malicious program could have discovered your router's address by looking at your computer's current default gateway (e.g. by parsing the output of ipconfig). Since most consumers' default gateways are small-office/home-office routers, it's a good bet that there's a web interface there. Getting control of a router would be very good for an attacker because the hacker would then have the option of flashing a modified, malicious version of its firmware onto it. If your router gets compromised in that way, it can be used by remote adversaries to mount all kinds of attacks on all the devices on your network.

A program could make web requests to the router directly without trying to go through the very fiddly process of automating a browser's UI. Therefore, it seems more likely to me that if there was an attack going on, it was being perpetrated by a person, maybe hoping to use an authentication bypass exploit.

It would be a good idea to run a scan for malware on your computer. (I like MalwareBytes.) Also check your router's configuration to see if there are any undesired/unnecessary forwarded ports.

In the future, you might be able to get useful information from the event logs if you enable process auditing. You could also look through the Security event log for event 4624 (logon), which for RDP connections specifies the remote IP address.

Ben N
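As an added example (not part of Ben N's answer) of the two checks above, this PowerShell lists RDP logons from Security event 4624 and, once process-creation auditing is enabled, the parent process of any firefox.exe launch from event 4688. It assumes Windows 10 (which adds the ParentProcessName field) and that command-line auditing is on for the CommandLine field to be populated.

```powershell
# Run in an elevated PowerShell. Process-creation auditing must first be enabled:
#   auditpol /set /subcategory:"Process Creation" /success:enable
# (CommandLine in 4688 additionally needs "Include command line in process creation events".)

function Get-EventFields {
    # Flatten the EventData of a Security event into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($node in $xml.Event.EventData.Data) { $fields[$node.Name] = $node.'#text' }
    return $fields
}

# 1. Event 4624 with LogonType 10 (RemoteInteractive) is an RDP logon; IpAddress is the client.
$rdpLogons = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.LogonType -eq '10') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = "$($f.TargetDomainName)\$($f.TargetUserName)"
                SourceIP = $f.IpAddress
            }
        }
    }
Write-Host "RDP (LogonType 10) logons:"
$rdpLogons | Format-Table -AutoSize

# 2. Event 4688 (process creation): which process started firefox.exe, and with what arguments?
$firefoxLaunches = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4688} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.NewProcessName -like '*\firefox.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $f.ParentProcessName   # Windows 10 and later
                CommandLine = $f.CommandLine         # empty unless command-line auditing is on
            }
        }
    }
Write-Host "firefox.exe launches and their parent process:"
$firefoxLaunches | Format-Table -AutoSize
```

A Firefox launch whose parent is an installer, updater or unfamiliar binary, or an RDP logon from an address you do not recognise, is the kind of entry worth following up.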

The OP saying the modem rebooted/the Internet was down is a strong clue. Many ISPs/cable modem vendors, including the one I use at home, are using the WISPr protocol when the modem has an issue, for the customer to see an error in the browser.

In Apple devices, it is "automagic", in Windows or Linux, it should be enough to have Firefox running in background for a WISPr message to open a web page.

See my answer at How does Firefox know my ISP login page? for more details.

Rui F Ribeiro