Malware Botnet Activity from Router IP

gnomesofzurich
Level 1

I've been using the premium OpenDNS at home for several months. Occasionally I get the less than useful "Malware / Botnet Activity" warning. It's less than useful because it's not time stamped, it doesn't show the file, and the IP address in every case is the range of the modem, not an actual device on the network. I use dynamic IPs generated by a wifi hub hooked up to a gig speed modem. 

To make matters more interesting, when I switch between my two networks (I have two houses) with same setup, I get a new one from the router at the other house. In both cases the IP range is the range of the network, coming from *two different ISPs*, not the range of what's served up on the local 192.168 etc network. I also use different wifi equipment on each network, Google mesh on one, eero on the other.

So three questions for the community

1) Which the Tango Foxtrot is this? Is this just some kind of roving malware coming in from the routers? 

2) Is this a device on the network that is not part of the OpenDNS domain? Wouldn't that just show up with a 192.168 address from my hub? 

3) Is there any way to isolate the actual machine?

Any help appreciated! 

 

R

3 Replies

rotblitz
Level 6

This seems to be a bug.  I have raised a ticket, and I have been informed that the engineering team is working on it.

rotblitz
Level 6

Today I got this message from support:
“Our development team have pushed out a fix for this issue. The malware alert on the homepage was a false positive.”