DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Was my router hacked ?

06 Nov 2017 12:34 #1 by uklad
I was just checking my router config today and happened to click on the Remote Dial-in and noticed a VPN connection that I had not created. I cannot figure out where this has come from or how long it's been there. The user name was "hema". I have since deleted it and removed the remote admin settings. Has anyone seen this before?

Firmware is 3.8.4.6_BT but was previously on 3.8.4.4 this was my last backup

06 Nov 2017 12:59 #2 by hornbyp
I agree you are right to be concerned :cry:

I would do an integrity check of any connected PCs ... e.g. offline virus scans. Maybe change credentials for important sites like Internet Banking - possibly every password, if you've got the stamina.

The issue is that you don't know what (if anything) this inbound connection has been used for.

06 Nov 2017 15:21 #3 by uklad
I have set up a syslog server and am going to see if it comes back or if there are any WAN-based login attempts. I'm also going to load my last config backup to see if it was there then.

07 Nov 2017 03:18 #4 by admin
You should also change your admin password. Perhaps you enabled remote access to the router and left it on default password. Even if that was for one day, hackers are always scanning...



Forum Administrator

11 Nov 2017 13:21 #5 by uklad
Well, the VPN came back :( I had the syslogs this time..

Looks like it was brute forced on the 443 SSL login. I can see lots of unsuccessful login attempts, then as soon as they got in, a connection was made from another address where a VPN called Hema was created within seconds, so I suspect this is automated and targeted at this type of router. When the VPN connection was made from an IP in the Palestinian Area, this then started hammering DNS servers with requests and then many web SSL connections :(

So router password changed, remote admin locked and brute force protection on..

Anyone care to take a look at the syslog database?
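
The sequence described in the post above (a run of failed logins, a success, then a VPN profile created within seconds from another address) can be checked for in collected syslog. This is an added example, not part of the original thread; the log line format, event names and thresholds are assumptions made up for illustration and are not DrayTek's actual syslog output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up format (not real DrayTek syslog output).
SAMPLE_LOG = """\
2017-11-11T12:00:01 login failed from 198.51.100.7
2017-11-11T12:00:03 login failed from 198.51.100.7
2017-11-11T12:00:05 login failed from 198.51.100.7
2017-11-11T12:00:06 login failed from 192.0.2.44
2017-11-11T12:00:08 login failed from 198.51.100.7
2017-11-11T12:00:09 login ok from 198.51.100.7
2017-11-11T12:00:13 vpn profile added name=hema from 203.0.113.9
2017-11-11T18:30:00 login ok from 192.0.2.10
"""

# Hypothetical line layout: <ISO timestamp> <event> [name=<profile>] from <ip>
LINE = re.compile(
    r"^(\S+) (login failed|login ok|vpn profile added)(?: name=(\S+))? from (\S+)$")

def find_alerts(log_text, max_fails=3, fail_window=timedelta(minutes=5),
                change_window=timedelta(seconds=60)):
    """Return alerts for logins that follow a burst of failures, and for
    VPN profiles created shortly after such a login (from any address)."""
    fails = defaultdict(list)    # source IP -> timestamps of failed logins
    last_suspect_login = None    # time of the latest login that followed a burst
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue             # ignore lines in other formats
        ts, event, name, src = datetime.fromisoformat(m[1]), m[2], m[3], m[4]
        if event == "login failed":
            fails[src].append(ts)
        elif event == "login ok":
            recent = [t for t in fails[src] if ts - t <= fail_window]
            if len(recent) >= max_fails:
                last_suspect_login = ts
                alerts.append(("login_after_bruteforce", src, len(recent)))
            fails[src].clear()
        elif last_suspect_login and ts - last_suspect_login <= change_window:
            # Only "vpn profile added" reaches this branch.
            alerts.append(("vpn_profile_after_suspect_login", src, name))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The profile-creation check deliberately ignores the source address, since the post reports the VPN being created from a different address than the one that guessed the password.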

11 Nov 2017 14:01 #6 by uklad

admin wrote: You should also change your admin password. Perhaps you enabled remote access to the router and left it on default password. Even if that was for one day, hackers are always scanning...



Defo not defaulted
