Finding interesting requests for timepro.cgi in the logs / 2022-09-01

2022-09-01 Finding interesting requests for timepro.cgi in the logs
There are always attacks in the logs, but this one caught my eye because someone mentioned it, I saw it in logs and searching for a simple explanation for what I saw gave no answers.

Those are the interesting ones. So here is the logline split into multiple parts in an attempt to make it more readable:
"GET /cgi-bin/timepro.cgi?tmenu=netconf&smenu=wansetup&act=save&
sel=dynamic&dns_dynamic_chk=on&fdns_dynamic1=128.0.104.18&
fdns_dynamic2=128.0.104.33&fdns_dynamic3=128.0.104.18&
fdns_dynamic4=128.0.104.18&sdns_dynamic1=128.0.104.18&
sdns_dynamic2=128.0.104.33&sdns_dynamic3=128.0.104.18&
sdns_dynamic4=128.0.104.33&userid=&passwd=&mtu=1454&
ip1=192&ip2=168&ip3=254&ip4=2&
sm1=255&sm2=255&sm3=255&sm4=0&
gw1=192&gw2=168&gw3=254&gw4=254&
fdns1=&fdns2=&fdns3=&fdns4=&
sdns1=&sdns2=&sdns3=&sdns4=&static_mtu=150 HTTP/1.1"
Searching for timepro.cgi finds a2004ns-mod/timepro.cgi at master · hklcf/a2004ns-mod · GitHub which seems to be compiled code: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped.

Based on Honware: A virtual honeypot framework for capturing CPE and IoT zero days my best guess is that requests to timepro.cgi attempt to reconfigure a home router. And my next guess is that the attempt is to set the DNS resolvers to 128.0.104.18 and 128.0.104.33. Further searching finds another attempt from the same source IPv4 address which also looks a lot like an attempt to reconfigure DNS settings:
"GET /dnscfg.cgi?dnsPrimary=128.0.104.18&dnsSecondary=128.0.104.33&dnsDynamic=0&dnsRefresh=1 HTTP/1.1"
The theory that this is an attempt to redirect DNS traffic is somewhat confirmed by the fact that 128.0.104.18 indeed runs an open resolver which will give me answers. For the few things I have tried those are valid answers (no clear attempts to redirect traffic to other places). I get no answers from 128.0.104.33 at the moment.

Update: Searching for the string 128.0.104 finds more:
"POST /dnscfg.cgi?dnsPrimary=128.0.104.18&dnsSecondary=128.0.104.18&dnsDynamic=0&dnsRefresh=1&dnsIfcsList= HTTP/1.1"
"POST /Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=128.0.104.18&dnsSecondary=8.8.8.8 HTTP/1.1"
Based on the names of the parameters I guess more of the same: attempts to redirect DNS traffic.

Tags: , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newsitem.cgi,v 1.57 2022/02/15 21:48:18 koos Exp $ in 0.009407 seconds.