I received an alert email from my ISP flagging a potential security issue. I called to get more information, but they told me that they wouldn’t be able to provide any more info on the source of the alert or any IPs associated with it because I’m not using their special equipment.
Instead, they directed me to contact my router provider, stating that they would be able to access my router and see more information on the event. It sounded like BS to me, but is this true? I have an Arris G34.
The logs on the router itself aren’t too helpful. The only strange thing is a number of entries starting about two days before the security email arrived:
IGD: config.utapi s_add_portmapdyn: add entry (index 1): add/overwrite entry param portmap_dyn_1 value:enabled,none,43431,192.168.0.***,7070,tcp,165600,1721088246,AnyDesk
There are 66 of these entries in total, with three occurring almost exactly at the 4th minute of every hour, for 22 hours. The redacted local IP is my desktop.
So, is this an attempt to remap a port to create an AnyDesk connection? The exact timing to me feels like an auto-login attempt and I do have AnyDesk on my phone, however I haven't used it in ages. And I'm on a brand new Windows install in any case, so haven't installed AnyDesk yet.
(NOTE: since typing this post, I’ve discovered that these entries also appeared as long as 2 months ago, and there was no security email then. So I’m starting to doubt that this was the source of it.)
Any thoughts on what to make of all this (and whether this is the sort of thing that Arris is even willing/capable of assisting in troubleshooting) would be much appreciated.
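For anyone who wants to dig through these entries systematically rather than by eye, the script below parses the `IGD: config.utapi s_add_portmapdyn` lines, pulls out what each UPnP mapping exposes (external port, internal host and port, protocol, lease length, description) and flags minutes-of-the-hour at which mappings recur across many distinct hours, which is the signature of a client renewing its lease on a schedule rather than a person clicking "connect". This is an added example written for this thread, not code from the original poster, Arris or AnyDesk. It assumes two things the post does not state: that each log line carries an ISO-8601 timestamp prefix, and that the comma-separated value field is ordered enabled, remote host, external port, internal client, internal port, protocol, lease seconds, epoch, description (the same arguments a UPnP AddPortMapping request carries). The sample log is constructed; only the entry shape comes from the post.

```python
"""Parse Arris IGD dynamic port-mapping log lines and look for periodic renewals.

Assumptions (not from the original post): each line is prefixed by an ISO-8601
timestamp, and the value field is ordered enabled,remotehost,externalport,
internalclient,internalport,protocol,leaseseconds,epoch,description.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"IGD: config\.utapi s_add_portmapdyn: add entry \(index (?P<idx>\d+)\): "
    r"add/overwrite entry param (?P<param>portmap_dyn_\d+) value:(?P<value>.+)$"
)

# Assumed field order of the comma-separated value (see module docstring).
FIELDS = ("enabled", "remote_host", "ext_port", "int_client", "int_port",
          "proto", "lease_s", "epoch", "description")


def parse_entry(line):
    """Return a dict for one add-portmap line, or None if the line is something else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    # maxsplit keeps any commas inside the trailing description intact
    parts = m.group("value").split(",", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    entry["ts"] = datetime.fromisoformat(m.group("ts"))
    entry["index"] = int(m.group("idx"))
    entry["param"] = m.group("param")
    for k in ("ext_port", "int_port", "lease_s", "epoch"):
        entry[k] = int(entry[k])
    # The lease is how long the inbound hole stays open unless renewed;
    # 165600 s (the value in the post) is 46 hours.
    entry["lease_expires"] = entry["ts"] + timedelta(seconds=entry["lease_s"])
    return entry


def parse_log(text):
    """Parse every matching line of a router log dump, skipping unrelated lines."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Group mappings by the internal service they expose to the internet."""
    out = defaultdict(lambda: {"count": 0, "ext_ports": set()})
    for e in entries:
        key = (e["int_client"], e["int_port"], e["proto"], e["description"])
        out[key]["count"] += 1
        out[key]["ext_ports"].add(e["ext_port"])
    return dict(out)


def periodic_minutes(entries, min_hours=3):
    """Minutes-of-the-hour at which mappings recur in at least min_hours distinct hours.

    Scheduled renewals land on the same minute every hour; a person does not.
    """
    hours_by_minute = defaultdict(set)
    for e in entries:
        hours_by_minute[e["ts"].minute].add(e["ts"].replace(minute=0, second=0))
    return sorted(m for m, hrs in hours_by_minute.items() if len(hrs) >= min_hours)


# Constructed sample log: three AnyDesk renewals at minute 04 of each of three
# hours (the pattern described in the post), one unrelated mapping, one noise line.
SAMPLE_LOG = "\n".join(
    [f"2024-07-15T{h:02d}:04:{s:02d} IGD: config.utapi s_add_portmapdyn: add entry (index 1): "
     f"add/overwrite entry param portmap_dyn_1 value:enabled,none,43431,192.168.0.10,7070,tcp,165600,{1721001852 + h * 3600},AnyDesk"
     for h in range(1, 4) for s in (10, 11, 12)]
    + ["2024-07-15T05:37:01 IGD: config.utapi s_add_portmapdyn: add entry (index 2): "
       "add/overwrite entry param portmap_dyn_2 value:enabled,none,51000,192.168.0.22,51000,udp,0,1721021821,Xbox",
       "2024-07-15T05:37:02 kernel: something unrelated"]
)

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for key, info in summarize(entries).items():
        client, port, proto, desc = key
        print(f"{desc}: {client}:{port}/{proto} exposed via external "
              f"port(s) {sorted(info['ext_ports'])}, {info['count']} entries")
    print("recurring minutes-of-hour:", periodic_minutes(entries))
```

To use it on the real router log, paste the log into a file (with whatever timestamp prefix the G34 actually writes; adjust the `ts` pattern in `ENTRY_RE` if it is not ISO-8601) and feed that to `parse_log` instead of `SAMPLE_LOG`. The summary tells you which internal host and port each mapping points at, and the lease expiry tells you how long a mapping stays open after the last entry in the log.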