Topic: script kiddie at work :)

Posted by madires (Super Contributor, Country: de) « on: March 09, 2023, 03:11:20 pm »
Logfiles are a great source of information. Not just for debugging or statistics, but also to see what the bad guys are doing at the moment. While looking at webserver logs I stumbled across multiple log entries with a specific request:

  "POST /boaform/admin/formLogin HTTP/1.1"

The first thing I noticed is that the request comes from just a few IPv4 addresses, each one trying up to three times a day for the last week (at least). After the first try and a 404 response from the webserver it should be clear that it doesn't work. Why keep running the same request multiple times each day anyhow? A quick search returned a link to an exploit (https://github.com/Haniwa0x01/CVE-2022-30023) for the Tenda HG9, a GPON ONT / WiFi router, and CVE-2022-30023 (https://nvd.nist.gov/vuln/detail/CVE-2022-30023). So someone is looking for vulnerable Tenda HG9s, and the multiple requests each day make sense now, as SOHO routers can get a new IP address after running for a while or after a power outage (classic dynamic IP address scheme). However, many telcos are migrating (or have already migrated) to CGNAT or DS-Lite because of the lack of IPv4 addresses, and it becomes harder to connect to SOHO routers via IPv4.
 
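A small log triage script in the spirit of the post (an added example, not the poster's code): it parses combined-format webserver log lines, counts the /boaform/admin/formLogin probes per source address per day, and reports the addresses that keep coming back over several days. The log lines, the addresses and the assumed log layout are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; the field layout is an assumption about the server config.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# The request path the post saw in its logs (a scanner probing for CVE-2022-30023).
PROBE_PATH = "/boaform/admin/formLogin"

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2023:04:12:09 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2023:13:40:51 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Mar/2023:22:05:33 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2023:03:58:02 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Mar/2023:09:17:44 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2023:05:01:17 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

def probe_hits_per_day(log_text, path=PROBE_PATH):
    """Return {ip: {day: count}} for requests to `path`; lines that do not parse are skipped."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") != path:
            continue
        day = m.group("ts").split(":", 1)[0]  # "01/Mar/2023:04:12:09 +0000" -> "01/Mar/2023"
        hits[m.group("ip")][day] += 1
    return {ip: dict(days) for ip, days in hits.items()}

def persistent_scanners(log_text, min_days=2, path=PROBE_PATH):
    """(ip, distinct_days, total_probes) for IPs that repeated the probe on at least `min_days` days."""
    hits = probe_hits_per_day(log_text, path)
    return sorted(
        ((ip, len(days), sum(days.values())) for ip, days in hits.items() if len(days) >= min_days),
        key=lambda t: (-t[1], -t[2], t[0]),  # most persistent first
    )

if __name__ == "__main__":
    for ip, days, total in persistent_scanners(SAMPLE_LOG):
        print(f"{ip}: {total} probes over {days} days")
```

Feeding the real access log through `probe_hits_per_day` shows the daily retry pattern the post describes; the one-day-only addresses are filtered out by `persistent_scanners`.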