Strange and concerning errors in my router Log

RedRouter
3: Seeker

Since last week, when Vodafone had a major broadband outage for a few minutes, I have had various strange errors in my Router Error Log. This is just a sample. Can anyone help? I have removed my router address from the DST= section for obvious reasons.


12:47:00
[ 1697.786370] DROP wan out: IN=pppoe-wan OUT=pppoe-wan MAC= src=2001:0470:0001:0c84:0000:0000:0000:025c DST=xxx LEN=64 TC=0 HOPLIMIT=243 FLOWLBL=0 PROTO=TCP SPT=58302 DPT=143 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x800e000
firewall
02/16/2025
12:46:59
[ 1696.900081] DROP wan in: IN=pppoe-wan OUT= MAC= src=195.89.93.190 DST=xxx.xxx.xxx.xxx LEN=176 TOS=0x00 PREC=0x00 TTL=58 ID=48773 PROTO=UDP SPT=20141 DPT=51820 LEN=156 MARK=0x8000000
firewall
02/16/2025
12:46:51
2025/02/16 12:46:51 [error] 6912#0: *51 open() "/www/docroot/css/chosen-sprite@2x.png" failed (2: No such file or directory)
system
02/16/2025
12:46:50
[ 1687.875282] DROP wan out: IN=pppoe-wan OUT=pppoe-wan MAC= src=2001:0470:02cc:0001:0000:0000:0000:00d1 DST=xxx LEN=64 TC=0 HOPLIMIT=243 FLOWLBL=0 PROTO=TCP SPT=43703 DPT=444 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8008000
firewall
02/16/2025
12:46:49
[ 1686.397319] DROP wan out: IN=pppoe-wan OUT=pppoe-wan MAC= src=2001:0470:0001:0c84:0000:0000:0000:0198 DST=xxx LEN=64 TC=0 HOPLIMIT=243 FLOWLBL=0 PROTO=TCP SPT=50707 DPT=444 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8008000
firewall
02/16/2025
12:46:44
2025/02/16 12:46:44 [warn] 6912#0: *52 [lua] session.lua:103: changeUser(): changing user to vodafone
system
02/16/2025
12:46:38
2025/02/16 12:46:38 [error] 6912#0: *50 [lua] sessionmgr.lua:262: redirectIfNotAuthorized(): Unauthorized request
system
02/16/2025
12:46:38
2025/02/16 12:46:38 [error] 6912#0: *50 [lua] sessionmgr.lua:262: redirectIfNotAuthorized(): Unauthorized request
system
02/16/2025
12:46:38
2025/02/16 12:46:38 [warn] 6912#0: *50 [lua] session.lua:354: new(): new session for default user
system
8 REPLIES

Cynric
16: Advanced member

@RedRouter 

The ones starting "DROP wan" are your router's firewall doing its job blocking unsolicited connections.

The four at the end mentioning "lua" look like part of the normal logon process. You see similar lines when the router does a reboot.

None of the log that you have shared is of any concern.
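
As an added illustration (not part of any post in this thread): a small Python parser for the "DROP wan" lines in the sample above that tallies drops per protocol and destination port and per source network, which shows whether many source addresses are really a handful of networks. The function names and the /24 and /48 grouping widths are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Log lines copied from the sample in the original post (DST was already redacted there).
SAMPLE = """\
[ 1697.786370] DROP wan out: IN=pppoe-wan OUT=pppoe-wan MAC= src=2001:0470:0001:0c84:0000:0000:0000:025c DST=xxx LEN=64 TC=0 HOPLIMIT=243 FLOWLBL=0 PROTO=TCP SPT=58302 DPT=143 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x800e000
[ 1696.900081] DROP wan in: IN=pppoe-wan OUT= MAC= src=195.89.93.190 DST=xxx.xxx.xxx.xxx LEN=176 TOS=0x00 PREC=0x00 TTL=58 ID=48773 PROTO=UDP SPT=20141 DPT=51820 LEN=156 MARK=0x8000000
2025/02/16 12:46:51 [error] 6912#0: *51 open() "/www/docroot/css/chosen-sprite@2x.png" failed (2: No such file or directory)
[ 1687.875282] DROP wan out: IN=pppoe-wan OUT=pppoe-wan MAC= src=2001:0470:02cc:0001:0000:0000:0000:00d1 DST=xxx LEN=64 TC=0 HOPLIMIT=243 FLOWLBL=0 PROTO=TCP SPT=43703 DPT=444 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8008000
[ 1686.397319] DROP wan out: IN=pppoe-wan OUT=pppoe-wan MAC= src=2001:0470:0001:0c84:0000:0000:0000:0198 DST=xxx LEN=64 TC=0 HOPLIMIT=243 FLOWLBL=0 PROTO=TCP SPT=50707 DPT=444 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8008000
"""

DROP_RE = re.compile(r"^\[\s*(?P<uptime>[\d.]+)\]\s+DROP\s+(?P<chain>[^:]+):\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop(line):
    """Return the fields of one firewall DROP line, or None for any other log line."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    # The log mixes key case (src= next to DST=), so keys are normalised to upper case.
    fields = {k.upper(): v for k, v in FIELD_RE.findall(rest)}
    if "SRC" not in fields:
        return None
    return {
        "uptime": float(m["uptime"]),
        "chain": m["chain"],
        "src": str(ipaddress.ip_address(fields["SRC"])),  # compressed form
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": {t for t in rest.split() if "=" not in t},  # bare tokens such as SYN
    }


def summarize(lines, v4_prefix=24, v6_prefix=48):
    """Count drops per (protocol, destination port) and per source network.

    The /24 and /48 grouping widths are assumptions chosen for this example.
    """
    by_port, by_net = Counter(), Counter()
    for ev in filter(None, map(parse_drop, lines)):
        addr = ipaddress.ip_address(ev["src"])
        width = v4_prefix if addr.version == 4 else v6_prefix
        by_net[str(ipaddress.ip_network(f"{addr}/{width}", strict=False))] += 1
        by_port[(ev["proto"], ev["dpt"])] += 1
    return by_port, by_net
```

Calling `summarize()` on the lines of an exported log returns the two counters; `most_common()` on each lists the busiest ports and source networks first.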

RedRouter
3: Seeker

Thanks, however they are happening from numerous addresses every minute or so.

I also get the following multiple times every minute 

02/16/2025
15:02:14
2025/02/16 15:02:09 [error] 6912#0: *114 open() "/www/docroot/css/chosen-sprite@2x.png" failed (2: No such file or directory)
system
 
 

Ripshod
16: Advanced member

Don't worry about that one either. It's common for images (pictures) to be missing from the firmware, especially when Vodafone love to chop and change it. It's not going to affect the operation of the router.

Jayach
16: Advanced member

@RedRouter 

Had you been checking the logs before the outage, and were there not similar entries there then?

I would suggest factory resetting the router and starting again, that will at least get you a new I.P. address as the one you have now might be being targeted as the previous user might have had a compromised system.

Yes, I had checked the logs beforehand and they were clear.

Jayach
16: Advanced member

@RedRouter wrote:
Yes, I had checked the logs beforehand and they were clear.

Now that is surprising, there are always a few unsolicited probes.

Cynric
16: Advanced member

Depending on total randomness one day can have none and another day few extends to many. If you're interested you can look up the source IP address, but the fascination wears off after the first hundred.

https://www.abuseipdb.com/  

Thanks, yes, I've looked them up previously. Will reset the router tonight and see what happens.