Logfiles are a great source of information. Not just for debugging or statistics, but also to see what the bad guys are doing at the moment. While looking at webserver logs I stumbled across multiple log entries with a specific request:
"POST /boaform/admin/formLogin HTTP/1.1"
The first thing I noticed is that the request comes from just a few IPv4 addresses, each one trying up to three times a day for the last week (at least). After the first try and a 404 response from the webserver it should be clear that it doesn't work. Why keep running the same request multiple times each day anyhow? A quick search returned a link to an exploit (https://github.com/Haniwa0x01/CVE-2022-30023) for the Tenda HG9, a GPON ONT / WiFi router, and CVE-2022-30023 (https://nvd.nist.gov/vuln/detail/CVE-2022-30023). So someone is looking for vulnerable Tenda HG9s, and the multiple requests each day make sense now, as SOHO routers can get a new IP address after running for a while or after a power outage (classic dynamic IP address scheme). However, many telcos are migrating (or have already migrated) to CGNAT or DS-Lite because of the lack of IPv4 addresses, and it becomes harder to reach SOHO routers via IPv4.
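A small detection pass over combined-format webserver logs that picks out this probe and the per-IP, per-day repetition described above, added here as an example and not code from the original post; the regex field names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# The probe discussed in the post (scanning for CVE-2022-30023 on Tenda HG9).
PROBE = ("POST", "/boaform/admin/formLogin")

# Apache/nginx "combined" log format; group names are an assumption of this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation-range addresses, not the author's data).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:02:14:11 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Mar/2023:11:30:52 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "-" "-"
198.51.100.23 - - [10/Mar/2023:12:02:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:19:45:09 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [11/Mar/2023:03:01:40 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "-" "-"
198.51.100.23 - - [11/Mar/2023:08:15:00 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "-" "-"
this line is garbage and is skipped by the parser
"""

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Reduce the timestamp to a calendar day so repeats per day can be counted.
    rec["day"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
    return rec

def count_probes(log_text):
    """Map source IP -> Counter of {day: number of formLogin probes}."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (rec["method"], rec["path"]) == PROBE:
            hits[rec["ip"]][rec["day"]] += 1
    return hits

def repeat_scanners(hits, min_days=2):
    """IPs that keep probing on several days despite 404s: the pattern the post describes."""
    return sorted(ip for ip, days in hits.items() if len(days) >= min_days)

if __name__ == "__main__":
    for ip, days in count_probes(SAMPLE_LOG).items():
        print(ip, dict(days))
```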