Deconz hacked?

Hope someone can help here.

I have hassio installed on Ubuntu. Recently have noticed certain lights turning on at random times, only my zigbee ones connected to deconz. I investigated and removed and added them to no avail.

Then, while going to the phoscon page, I suddenly had multiple gateways showing. They all had odd IP addresses. Mine is the usual 192.168.1.xx and shows up as a Conbee (correct). Some more were showing up as or and they were showing up Raspbees. If I clicked them, my password would not work but would on mine.

I immediately turned off internet access to the hassio pc with my router (it has a phone app where you can turn off individual internet access but leave internal network working).

I then waited a day and there were no phantom lights and, after a refresh and delete of browsing data from chrome, all the other gateays had gone. So, I tried putting the internet access back on again and within an hour more gateways appeared again.

I haven’t got any ports open in my router and have uPNP off. I use the Nabu Casa cloud for external access.

How are the new gateways appearing and how is someone adding them and controlling my lights with them ? Is there any other way someone is accessing my deconz / phoscon app ? via the API maybe ?

I have turned off the SSH, MQTT and samba add-ons to see if it was that but it is still happening with them off.

Also have installed a VPN to see if that would help but it still happens with that enabled too. Obviously I have changed all my passwords and logins.

I could reinstall the PC and start again but without knowing how this happened it might well just happen again ?

Anyone have any ideas ?

It’s weird,

Tell us a bit more about your setup. What kind of smart devices do you own?

And also, we cannot help without some logs where we can actually dive into some detailing.

Nothing out of the ordinary. Lots of ZigBee lights, switches and sensors connected to conbee. Some zwave lights and sensors on a zwave USB. A few Alexa, hive heating, all connected to HA.

There is nothing in the logs that shows any connections but will copy the deconz logs tomorrow to see if you can spot anything. Is there any other log that would help ?

Checking my External IP (VPN) on shows an open port 1900 UPNP with the IP address of the rogue gateway ( I have no open ports on my router, is something else opening a port ?