How to check your router for viruses and protect your home network

Modern users often forget that a router is a full-fledged computer running an operating system such as Linux or proprietary platforms. This makes it vulnerable to malicious code that can intercept traffic, redirect requests to phishing sites, or connect the device to botnets. Checking your router for viruses becomes a critical task when you notice strange network behavior or a drop in internet speed.

Unlike PCs, where antivirus software runs in the background, routers often go unnoticed for years. Default factory passwords and outdated firmware create ideal conditions for hackers to gain access. In this article, we'll detail diagnostic and cleaning methods to restore your network's security and stability.

There's a common misconception that antivirus software installed on your computer will also protect your router. This isn't true: security software installed on endpoints doesn't have access to the router's system files. You'll need to perform a series of manual steps via the web interface or command line to ensure the router's hardware is clean.

Symptoms of a router infection

The first sign of a device compromise is often an inexplicable slowdown in your internet connection. If you're paying for a 100 Mbps plan and your speed drops to 1-2 Mbps even when you're not actively downloading, this is a warning sign. Malware could be using your connection to send spam or conduct DDoS attacks on other servers.

Another clear sign is DNS addresses changing without your intervention. You might enter a bank or social media address, but end up on fake pages that require passwords. Also, be wary if the router's lights are flashing wildly, even though you're not downloading anything or watching videos.

⚠️ Attention: If pop-up windows appear on connected devices demanding payment of a fine or unblocking of the device, the problem may lie in the router's DNS settings, not the computer itself.

Check the list of connected clients in the admin panel. If you see any unfamiliar devices, for example, Unknown Device or your neighbors' gadgets, it means someone has gained access to your network. Hackers may have brute-forced a weak Wi-Fi password or exploited a WPS vulnerability.

Diagnostics via web interface

The most accessible way to check for a primary connection is to log into your router's control panel. To do this, enter the gateway's IP address in the browser's address bar, usually 192.168.0.1 or 192.168.1.1You will need your login and password, which are often located on a sticker on the bottom of the case by default if you haven't changed them.

First of all, pay attention to the section System Log or Event logAttempts to log in, change settings, and connect new devices are recorded here. Look for entries showing successful logins at unusual times or multiple password guessing attempts.

📊 How often do you change your Wi-Fi password?
Once a month
Once a year
Never changed
I use the factory one

Check your current firmware version. Manufacturers regularly release security patches that close holes that allow viruses to penetrate. If your firmware version is significantly older than the one available on the official website, the risk of infection increases significantly.

Pay special attention to the WAN or Internet Settings section. This is where DNS servers are listed. If you see addresses you didn't set (for example, strange IP addresses instead of automatic ones or Google servers) 8.8.8.8), this is an almost guaranteed sign DNS hijacking.

Analysis of logs and connected devices

Deep log analysis requires attention to detail. System records can be voluminous, but we're interested in specific events. Look for status lines. login success from IP addresses other than your internal devices, or configuration change messages.

Compare the list of active clients (Client List / Attached Devices) with the actual number of gadgets in the home. Smart kettles, lamps, and TVs are also counted. Any unnecessary device should be immediately blocked using the function. MAC Address Filter or Blacklist.

Sometimes a virus disguises itself as a system process. In advanced routers based on OpenWrt or DD-WRT You can list the running processes. If you see processes with names like kworker (if it is not systemic), httpd (if you don't need the web interface from the outside) or a random set of characters that consume a lot of CPU, this is a cause for concern.

Hidden processes in Linux routers

On Linux-based systems, some viruses can disguise themselves as system services. For example, a process named 'sh' or 'bash', running as root but not part of the standard startup, could be a mining script.

For ease of comparison of data, the following table of characteristics can be used:

Parameter Normal condition Sign of infection
CPU load 0-15% at idle Constantly 80-100%
DNS servers Automatic or known (Google, Cloudflare) Unknown IP addresses
Traffic Depends on user actions High outgoing traffic during idle time
Ports Closed (except for essential) Ports 22, 23, 8080 from WAN are open

Using specialized scanners

You can check your router for viruses online using specialized utilities that scan your network for known vulnerabilities. One popular tool is F-Secure Router CheckerThis service is not installed on the router, but checks your browser settings and DNS responses.

There are also network scanners such as Nmap or Angry IP Scanner, which allow you to scan your router's open ports from within the network. If the Telnet ports (23) or SSH (22) are open to (WAN), this is a huge security hole.

Some modern antiviruses for PC, for example, solutions from Kaspersky or ESET, have home network scanning modules. They can detect if a router is attempting to distribute malware or if its settings have been modified by malware.

It's important to understand that no online scanner has access to the router's file system. They only check for external signs of infection. Therefore, a negative scan result doesn't guarantee the device is 100% clean.

Manual cleaning and reset

If your suspicions are confirmed, the most effective treatment is a full factory reset. Find the button on the case. Reset (often recessed into the housing). Press it with a paperclip and hold for 10-15 seconds until the indicators flash simultaneously.

⚠️ Attention: After a hard reset, the router will return to its default state. You'll need to reconfigure your ISP connection (PPPoE, L2TP, or Dynamic IP) and set a Wi-Fi network name.

Immediately after the reset, you need to change the administrator password. Factory passwords are like admin/admin are known to all hackers and bots scanning the internet 24/7. Come up with a complex combination of letters, numbers, and symbols.

☑️ What to do after resetting your router

Completed: 0 / 4

Then update the firmware. Download the latest version only from the manufacturer's official website. Do not use files from third-party sources, as they may already contain malicious code. In the router menu, select System ToolsFirmware Upgrade and specify the downloaded file.

Setting up protection after cleaning

After a successful cleanup, it's important to consolidate the results. Turn off the function. WPS (Wi-Fi Protected Setup), as it contains critical vulnerabilities that allow someone to guess the PIN code in a matter of hours. This will significantly complicate the lives of potential hackers.

Enable MAC address filtering if you have a static set of devices. Allow access only to known devices. It is also recommended to disable Remote Management from the external network if you don't use it regularly.

Make sure the wireless network encryption protocol is set to WPA2-PSK (AES) or WPA3Old standards WEP And WPA/TKIP They can be hacked in minutes even by a novice with a phone.

Don't forget to check your DNS settings again after all the manipulations. Install reliable servers, for example, from Google (8.8.8.8, 8.8.4.4) or Cloudflare (1.1.1.1) to avoid address substitution in the future.

Prevention of re-infection

Router malware often exploits known security vulnerabilities. To avoid this, make it a rule to check for updates quarterly. Many modern routers can update automatically—enable this feature.

Avoid connecting to your router via cable in public places or over untrusted networks if debugging ports are open on the device. Also, avoid clicking suspicious links from devices connected to your network, as some viruses can transfer from a PC to the router.

If you're using older router models that the manufacturer has stopped supporting (no longer provides updates), consider replacing them. Using a device without security patches in 2026-2026 poses a huge risk to your personal data.

⚠️ Attention: Interfaces and menu item names may differ depending on the model (TP-Link, ASUS, Zyxel, MikroTik) and firmware versions. Always check the official documentation for your specific device.

Regular traffic monitoring will help you spot anomalies early. If your router starts to run hotter than usual or the fan starts making noise even when not under load, this could be a sign of a hidden miner or botnet operating within the device.

The myth about antivirus software for routers

There's no "antivirus" that can be simply installed on a regular home router like a phone app. Protection is provided only by up-to-date firmware and proper settings.

Is it possible to check a router for viruses from a phone?

A full file system check from a phone is impossible without root access and specific apps. However, you can access the router's web interface via a mobile browser and check the DNS settings and the list of connected devices, as described in this article.

Will a virus reset my router settings on its own?

Viruses typically seek to establish a foothold in a system by changing passwords and DNS settings, rather than resetting settings. However, some types of malware can cause instability, triggering cyclical reboots that visually resemble a reset.

Will an antivirus program on a computer protect a router?

No. Antivirus software on a PC only protects that computer. It can prevent the virus from spreading. on router, if the virus tries to register itself in the settings, but is unable to clear an existing infection within the router itself.

How often should I change my Wi-Fi password?

It is recommended to change your Wi-Fi and router admin panel password at least once every 6-12 months, or immediately if you suspect you may have shared it with third parties or lost the device with the saved password.