Question dLAN 1200+ WiFi ac: Does firmware update check via Cockpit still work?

Otiggen

Distinguished
Oct 30, 2015
11
0
18,510
I have reason to suspect my home network may contain a botnet - but so many devices and minimal logs from the fibre company's equipment. One thing I have is a Devolo dLAN 1200+ WiFi ac Powerline system.
When I run Cockpit on my Windows box and try and check for updates it says (after a long pause) "Error while searching for updates" "A problem occurred while looking for updates. Please check your Internet connection." I wonder if other people see this same message?

[Devolo web pages (UK, Global) have firmware 5.8.5 for download but my devices show v6.0.1, which I believe they auto-updated to. I saw someone else post they also had been upgraded to 6.0.1 and saw a link to a v6.0.1 on the Devolo domain, so I think it was a legit update - perhaps originally intended for the Magic series of products]
 
Connect your PC directly to the router and see what happens.

If you really suspect the devices, unplug them and put them on a table and see if the problem goes away.

It is highly unlikely. First and most important, your router prevents access to any internal device just because it is stupid. The NAT function in the device shares the common IP so all your internal devices appear the same. When traffic comes into your router from some unknown source on the internet, your router does not know which device to give it to, so it just discards it.
Now in theory someone could hack the Devolo firmware server and then, if your device had auto update, it could go out to that server and download something bad. It would be much more likely that you got tricked into manually downloading from an invalid site.
But this is all getting into tin foil hat territory.

The stuff that is hacked is going to be things like cameras that are designed to be accessed from the internet, not powerline plugs that are never visible to the internet.
 

Otiggen

The problem is I don't have a sure-fire way of detecting when/if the bot is active on my network - BCC emails were getting flagged as from the IP of a spammer (Spamhaus blocklist), and sometimes also flagged as coming from the IP of a botnet. These lists are not updated on a regular basis that I am aware of.
I believe my ISP blocked port 25 and then the IP stopped appearing on the spam blocklist, but I have to suspect that some device in the home has malware.
[Yes, my IP is relatively fixed so I don't think the warning is due to someone else's use of it]

You make a good point that the Devolo should be relatively invisible to an attacker on the WAN - but the fact that updates might be being blocked meant that nevertheless I thought that might be one possibility (if some other device is also compromised I guess an attacker may be able to do things on the LAN side too).
 

kanewolf

Titan
Moderator
> I have reason to suspect my home network may contain a botnet - but so many devices and minimal logs from the fibre company's equipment. One thing I have is a Devolo dLAN 1200+ WiFi ac Powerline system.
> When I run Cockpit on my Windows box and try and check for updates it says (after a long pause) "Error while searching for updates" "A problem occurred while looking for updates. Please check your Internet connection." I wonder if other people see this same message?
>
> [Devolo web pages (UK, Global) have firmware 5.8.5 for download but my devices show v6.0.1, which I believe they auto-updated to. I saw someone else post they also had been upgraded to 6.0.1 and saw a link to a v6.0.1 on the Devolo domain, so I think it was a legit update - perhaps originally intended for the Magic series of products]

Hijacked hardware would show up as unexplained traffic. If your ISP router doesn't provide the insight you desire, then get a new one.
How many devices do you have on your network? 30? 100? 200?
 

Otiggen

Maybe 20 devices on the LAN. I was thinking of installing pfSense on an old laptop (I have a USB-Ethernet adapter to give it a second Ethernet port) and inserting that between router and Optical 'modem' but it is a case of getting around to it... been some months with that as a plan but no nearer actually doing it. Even when I do there will probably be a learning curve trying to work out what traffic is 'unexplained' and what is not.
 

kanewolf

> Maybe 20 devices on the LAN. I was thinking of installing pfSense on an old laptop (I have a USB-Ethernet adapter to give it a second Ethernet port) and inserting that between router and Optical 'modem' but it is a case of getting around to it... been some months with that as a plan but no nearer actually doing it. Even when I do there will probably be a learning curve trying to work out what traffic is 'unexplained' and what is not.

20 devices on LAN. If device "A" generates 1 or 2 connections every few min then you can probably ignore it. Most connections are encrypted so you get very little insight. I would think if there was a "bot" that it would use encrypted traffic and you would not be able to get any insight.
Rather than going to pfSense, maybe start with Pi-hole for DNS. Quite a lot of insight can be had from DNS requests. Not foolproof but much simpler than pfSense.
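
One way to get per-device insight from DNS requests, as an added example that is not part of the original post: it parses the dnsmasq-format query log that Pi-hole keeps and flags clients that make MX lookups (a sign of a device sending mail directly, consistent with the spam listing mentioned earlier in the thread) or that collect many NXDOMAIN answers. The log lines, addresses and thresholds are constructed for illustration and are assumptions to tune.

```python
import re
from collections import defaultdict

# Constructed sample in the dnsmasq log format Pi-hole writes; all values made up.
SAMPLE_LOG = """\
Mar  3 10:15:01 dnsmasq[812]: query[A] time.example.net from 192.168.1.10
Mar  3 10:15:01 dnsmasq[812]: reply time.example.net is 203.0.113.7
Mar  3 10:15:04 dnsmasq[812]: query[MX] mail-a.example.com from 192.168.1.23
Mar  3 10:15:04 dnsmasq[812]: query[MX] mail-b.example.org from 192.168.1.23
Mar  3 10:15:05 dnsmasq[812]: query[MX] mail-c.example.net from 192.168.1.23
Mar  3 10:15:09 dnsmasq[812]: query[A] kq3vx9.example.info from 192.168.1.31
Mar  3 10:15:09 dnsmasq[812]: reply kq3vx9.example.info is NXDOMAIN
Mar  3 10:15:10 dnsmasq[812]: query[A] p0zt7w.example.info from 192.168.1.31
Mar  3 10:15:10 dnsmasq[812]: reply p0zt7w.example.info is NXDOMAIN
Mar  3 10:15:11 dnsmasq[812]: query[A] x8m2ha.example.info from 192.168.1.31
Mar  3 10:15:11 dnsmasq[812]: reply x8m2ha.example.info is NXDOMAIN
"""

QUERY = re.compile(r"query\[([^\]]+)\] (\S+) from (\S+)$")
NXDOMAIN = re.compile(r"(?:reply|cached) (\S+) is NXDOMAIN$")

def summarize(log_text):
    """Per-client query count, MX domains asked for, and names answered NXDOMAIN."""
    stats = defaultdict(lambda: {"queries": 0, "mx": set(), "nxdomain": set()})
    last_asker = {}  # reply lines carry no client, so remember who asked last
    for line in log_text.splitlines():
        if m := QUERY.search(line):
            qtype, domain, client = m.groups()
            stats[client]["queries"] += 1
            if qtype == "MX":  # mail apps use a submission server; MX lookups are rare
                stats[client]["mx"].add(domain)
            last_asker[domain] = client
        elif (m := NXDOMAIN.search(line)) and m.group(1) in last_asker:
            stats[last_asker[m.group(1)]]["nxdomain"].add(m.group(1))
    return dict(stats)

def flag_clients(stats, mx_limit=2, nx_limit=2):
    """Return {client: [reasons]}; the limits are illustrative and need tuning."""
    flags = {}
    for client, s in stats.items():
        reasons = [k for k, limit in (("mx", mx_limit), ("nxdomain", nx_limit))
                   if len(s[k]) > limit]
        if reasons:
            flags[client] = reasons
    return flags

if __name__ == "__main__":
    print(flag_clients(summarize(SAMPLE_LOG)))
```

On a real Pi-hole the same functions can be fed the contents of its query log instead of `SAMPLE_LOG`; a flagged address is a starting point for looking at that device, not proof of infection.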
 

Otiggen

Thanks - that sounds like a good idea. I already have a Raspberry Pi B that I had previously used for WireGuard (until the installation on the SD card became corrupt). I guess I can use that.