/hnap1/ scans router compromised or worm?

Çağlar Arlı

Recently, I saw some strange entries on my local-only webserver. The thing is, I don't know if the attack came from outside the network or from an infected machine. I have read up a little on the HNAP attack, but I'm still unsure what to do about it. Essentially, Cisco routers have vulnerabilities because of the "Home Network Administration Protocol." And from what I've read, there is no solution.

If it is an infected system, I'd like to pinpoint it by listening to network traffic, but I'm not sure how to do that. I tried using Snort and Wireshark, but these programs seem pretty advanced. Alternatively, I am thinking that if someone was able to compromise my network by cracking the network key, they could join the network and run whatever scans they want. Otherwise, maybe someone is accessing from outside the local network.

Here are the entries (updated to show multiple requests from my PC):

[03/Sep/2017 11:35:13] "GET / HTTP/1.1" 400 67505
Invalid HTTP_HOST header: '192.168.yyy.yyy'.

[03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
Invalid HTTP_HOST header: '192.168.1.1' (Router IP).

[03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
Invalid HTTP_HOST header: '192.168.1.2' (PC IP).

[03/Sep/2017 11:35:33] "GET /HNAP1/ HTTP/1.1" 400 67699
Invalid HTTP_HOST header: '10.1.0.1' (Virtualbox IP on PC).

What can I do to track down the problem? Is there an easy way to listen for more of these requests and pinpoint the source? Are there better malware/spyware scanners that might pick up on a worm?

(I use up-to-date antivirus and it is not detecting anything, so there's that.)
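
The log entries quoted above show the Host header of each request but not the address it came from. The following is an added example, not part of the original post: a small listener that records the peer address of every /HNAP1/ request and labels it as coming from the same machine, the LAN, or outside. The port 8080 and the function names are assumptions; run it in place of the webserver on whatever port that server uses.

```python
import ipaddress
import socket

def parse_probe(peer_ip, local_ip, raw):
    """Describe an /HNAP1/ request and where it came from; None for other requests."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[1].lower().startswith("/hnap1"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    addr = ipaddress.ip_address(peer_ip)
    if addr.is_loopback or peer_ip == local_ip:
        origin = "this-host"   # source address equals the address we listen on
    elif addr.is_private:
        origin = "lan"         # RFC 1918 and other non-public ranges
    else:
        origin = "external"
    return {"peer": peer_ip, "origin": origin, "method": parts[0],
            "host": headers.get("host", ""),
            "user_agent": headers.get("user-agent", "")}

def serve(bind="0.0.0.0", port=8080):  # port is an assumption
    """Accept connections and print one record per /HNAP1/ request."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        while True:
            conn, (peer_ip, peer_port) = srv.accept()
            with conn:
                conn.settimeout(2)
                try:
                    raw = conn.recv(4096)
                    rec = parse_probe(peer_ip, conn.getsockname()[0], raw)
                    if rec:
                        print(peer_port, rec)
                    conn.sendall(b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    continue  # client timed out or went away; keep listening

if __name__ == "__main__":
    serve()
```

A record with origin "this-host" means the request was sent by a program on the machine running the listener; the printed source port can then be matched to a process with the operating system's connection listing while the connection is open.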