r/HomeNetworking · 4 points
[ISP Botnet Warning] How to Identify a Potentially Infected Device in My Home Network?
I received a warning from my ISP that one of my Android devices attempted to connect to a botnet (Kimwolf) at a specific timestamp (single event).
Since then, I’ve tried to systematically identify the affected device:
- Windows PC → scanned with Defender & Malwarebytes (no findings)
- Pixel 7 & Pixel 9 → fully updated, Play Protect + Malwarebytes (no findings)
- LG TV → factory reset and reconfigured
- Heat pump → disconnected from network
- Toniebox → removed from the network
- UniFi Protect cameras → factory reset
- UniFi setup (Cloud Key Gen 2, USW 24 PoE) → firmware up to date (Cloud Key not reset)
- Basic log analysis via UniFi → no obvious anomalies
Additionally, I captured network traffic for about 1 hour and analyzed which external IPs my devices (192.x.x.x range) were connecting to. I checked those destination IPs on VirusTotal and found no issues.
Complication: I only have a single timestamp from my ISP and no historical traffic logs, so I can’t correlate past activity.
My questions:
- How realistic is it that this was a one-time event vs. an ongoing infection?
- What’s the most reliable way to detect an infected IoT device in a setup without a dedicated firewall/IDS?
- Would you recommend resetting the Cloud Key or even my router (Fritzbox), or is that overkill?
- Are there additional measures I can take to scan my entire network for suspicious activity? I’ve heard about tools like SNORT, but I have no experience setting it up to monitor all traffic.
Appreciate any guidance on how to narrow this down further.
u/Likimypopo — 6 hours ago
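The triage the poster describes (capture for a while, see which external IPs each local device talks to, then check those IPs) can be done over a plain connection log. The following is an added example, not code from the original post: it works on a constructed sample of flows, groups external destinations per local device, pulls out the flows closest to the single ISP-reported timestamp (a placeholder value here), counts repeated connections as a hint of ongoing activity, and produces the deduplicated list of destination IPs to look up. The timestamp format, the sample addresses and the five-minute window are assumptions.

```python
# Added example, not from the original post: triage a small constructed
# connection log the way the poster describes, per device and per destination.
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample flows (RFC 5737 documentation addresses): (UTC ts, src, dst, port).
SAMPLE_FLOWS = [
    ("2024-05-01T10:58:02Z", "192.168.1.20", "198.51.100.5", 443),
    ("2024-05-01T11:00:41Z", "192.168.1.77", "203.0.113.9", 8080),
    ("2024-05-01T11:00:55Z", "192.168.1.77", "203.0.113.9", 8080),
    ("2024-05-01T11:03:10Z", "192.168.1.20", "192.168.1.1", 53),
    ("2024-05-01T12:30:00Z", "192.168.1.50", "198.51.100.23", 443),
]
# Placeholder for the single timestamp the ISP reported (the post gives no value).
ISP_EVENT = "2024-05-01T11:00:30Z"
# Address ranges treated as local; anything outside them counts as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)

def external_destinations(flows):
    """Map each local source IP to the set of external (dst, port) pairs it reached."""
    out = defaultdict(set)
    for _, src, dst, port in flows:
        if not is_external(src) and is_external(dst):
            out[src].add((dst, port))
    return dict(out)

def flows_near(flows, event_ts, window_minutes=5):
    """External flows within +/- window_minutes of the reported event, oldest first."""
    center, window = parse_ts(event_ts), timedelta(minutes=window_minutes)
    hits = [f for f in flows
            if is_external(f[2]) and abs(parse_ts(f[0]) - center) <= window]
    return sorted(hits, key=lambda f: f[0])

def repeat_counts(flows):
    """How often each (src, dst, port) recurs; repeats hint at ongoing activity."""
    return Counter((s, d, p) for _, s, d, p in flows if is_external(d))

def lookup_candidates(flows):
    """Unique external destination IPs to check against a reputation service."""
    return sorted({d for _, _, d, _ in flows if is_external(d)})
```

With a real capture, export the flows as (timestamp, src, dst, port) tuples and run the same functions; the device that appears in `flows_near` and keeps recurring in `repeat_counts` is the one to isolate first.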