9

Yesterday I went to work, leaving my PC open as usual. It's a Windows 10, recently updated to Anniversary. After I came back, I moved the mouse to get out of monitor-sleep mode (PC was not in sleep) and I found Firefox open, at this address:

http://10.0.0.138/main.html?redirector=1

Not logged in, showing the router password prompt.

What could do it? The fact that it has redirector in it suggests that it was triggered by software, and not that some person (either local or remote) tried to open my router status page. I also doubt that it's malware, because I don't see a reason for malware to do that.

I had a look at the Event Log and couldn't find anything relevant.

The router is an ISP-rebranded Sagemcom F@st 4315.

EDIT

It happened again several times when the internet was down. Most likely some software trying to access the internet, as someone mentioned in the comments.

Any ideas?

7
  • 1
    If your internet went down, routers normally redirect you to their page to resolve the problem. Try going to a website, disconnecting your phone line or cable and refreshing.
    – mt025
    Commented Aug 10, 2016 at 21:38
  • @mt025 The browser was not open to begin with. Something opened it. Also, I live in a place where internet goes down about once a week, and this never happened. But I still did that test you suggested, I just get the usual errors. Nothing tries to open my router page.
    – Gimelist
    Commented Aug 10, 2016 at 21:40
  • @Michael When you installed the router, did you install any software that came with it?
    – Ouroborus
    Commented Aug 10, 2016 at 21:47
  • @Ouroborus no, it's connected to the PC via LAN. Edited the post to add router info.
    – Gimelist
    Commented Aug 10, 2016 at 21:48
  • This might sound obvious, but no one else could've gotten access to your computer? Either physical or through remote desktop?
    – Bertware
    Commented Aug 10, 2016 at 22:36

2 Answers

3

It's not possible to definitively say that a certain thing caused it, but we can speculate about why.

A malicious program could have discovered your router's address by looking at your computer's current default gateway (e.g. by parsing the output of ipconfig). Since most consumers' default gateways are small-office/home-office routers, it's a good bet that there's a web interface there. Getting control of a router would be very good for an attacker because the hacker would then have the option of flashing a modified, malicious version of its firmware onto it. If your router gets compromised in that way, it can be used by remote adversaries to mount all kinds of attacks on all the devices on your network.

A program could make web requests to the router directly without trying to go through the very fiddly process of automating a browser's UI. Therefore, it seems more likely to me that if there was an attack going on, it was being perpetrated by a person, maybe hoping to use an authentication bypass exploit.

It would be a good idea to run a scan for malware on your computer. (I like MalwareBytes.) Also check your router's configuration to see if there are any undesired/unnecessary forwarded ports.

In the future, you might be able to get useful information from the event logs if you enable process auditing. You could also look through the Security event log for event 4624 (logon), which for RDP connections specifies the remote IP address.

4
  • Is there a specific tool that you recommend for scanning malware?
    – Gimelist
    Commented Aug 11, 2016 at 4:54
  • By the way, your link to process auditing in the end leads to the wrong place.
    – Gimelist
    Commented Aug 11, 2016 at 6:17
  • @Michael I've used MalwareBytes with success in the past. Sorry about the link, it's fixed now.
    – Ben N
    Commented Aug 12, 2016 at 1:41
  • It is not malicious....
    Commented Oct 6, 2019 at 10:08
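
The two log checks suggested in the answer above, as an added PowerShell example that is not part of the original answer: it enables process-creation auditing, lists event 4624 logons of type 10 (Remote Desktop) with their source address, and lists event 4688 records for firefox.exe with the process that started it. The seven-day window, the firefox.exe filter and the helper name `Get-EventFields` are assumptions made for this question.

```powershell
# Added example: assumes an elevated PowerShell prompt on the affected PC
# and an English-language Windows (auditpol subcategory names are localized).

# 1) Turn on process-creation auditing so future launches are logged as event 4688.
auditpol /set /subcategory:"Process Creation" /success:enable

# Hypothetical helper: flatten an event's <EventData> into a name -> value table.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

$since = (Get-Date).AddDays(-7)   # look-back window (constructed value)

# 2) Remote Desktop logons: event 4624 with LogonType 10 (RemoteInteractive).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.LogonType -eq '10') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = "$($f.TargetDomainName)\$($f.TargetUserName)"
                RemoteIP = $f.IpAddress
            }
        }
    } | Format-Table -AutoSize

# 3) What started the browser: event 4688 where the new process is firefox.exe.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.NewProcessName -like '*\firefox.exe') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Started = $f.NewProcessName
                Parent  = $f.ParentProcessName   # present on Windows 10; may be empty on older builds
                User    = $f.SubjectUserName
            }
        }
    } | Format-Table -AutoSize
```

Only launches that happen after step 1 are recorded. Firefox also spawns its own child processes, so the earliest 4688 row in a burst is the one whose parent shows what opened the browser.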
2

The OP saying the modem rebooted/the Internet was down is a strong clue. Many ISPs/cable modem vendors, including the one I use at home, are using the WISPr protocol when the modem has an issue, for the customer to see an error in the browser.

On Apple devices, it is "automagic"; on Windows or Linux, it should be enough to have Firefox running in the background for a WISPr message to open a web page.

See my answer at How does Firefox know my ISP login page? for more details.

1
  • I realize the question is old, but my 5 cents.
    Commented Oct 6, 2019 at 10:14
