What's in the honeypot? CVE-2014-4019 - Attack on SOHO Router to Download Admin Password

Looking at the honeypots one more time today, I found the miscreants searching for an unprotected router configuration file that exposes the admin username and password.  Once they have those credentials it is known that they can modify the DNS settings of these routers to conduct man-in-the-middle attacks, intercepting or relaying all of the victim's traffic through their own servers.

Below is the log entry that I found:

According to the exploit published by exploit-db located here, a plain GET request for the rom-0 file returns the router's configuration backup, which contains the admin username and password.  The following link then gives instructions on how to decompress that file.
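As an added example (not code from the original post or from exploit-db), here is a small Python detector that scans web server access logs for requests targeting the rom-0 file, so a defender can spot the same probing in their own router or honeypot logs. The combined (Apache/nginx style) log format and the sample log lines are assumptions I constructed for illustration; the source addresses are documentation ranges, not the IP from the honeypot.

```python
"""Flag rom-0 configuration-file requests (CVE-2014-4019 probing) in web access logs."""
import re
from collections import Counter

# Assumption: the log is in Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# rom-0 is the configuration backup the exploit requests.  Matched
# case-insensitively and with any directory prefix, since scanners vary it.
ROM0_PATTERN = re.compile(r'(^|/)rom-0$', re.IGNORECASE)

# Constructed sample lines (not taken from the post's honeypot).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2014:03:12:41 +0000] "GET /rom-0 HTTP/1.1" 200 16384 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Jun/2014:03:12:45 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.35"
203.0.113.7 - - [10/Jun/2014:03:13:02 +0000] "GET /cgi-bin/ROM-0 HTTP/1.0" 404 231 "-" "-"
192.0.2.9 - - [10/Jun/2014:03:14:10 +0000] "POST /login.cgi HTTP/1.1" 302 0 "-" "python-requests/2.2"
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rom0_requests(log_text):
    """Return (ip, method, path, status) for every request that targets rom-0."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                       # skip unparseable lines rather than crash
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if ROM0_PATTERN.search(path):
            hits.append((rec["ip"], rec["method"], rec["path"], int(rec["status"])))
    return hits


def served_rom0(hits):
    """Hits answered with 200: on a real router this means the file was actually disclosed."""
    return [h for h in hits if h[3] == 200]


def sources_by_count(hits):
    """Count rom-0 probes per source IP; repeat offenders are the first to block or report."""
    return Counter(ip for ip, _, _, _ in hits)


if __name__ == "__main__":
    hits = find_rom0_requests(SAMPLE_LOG)
    for ip, method, path, status in hits:
        print(f"rom-0 probe from {ip}: {method} {path} -> {status}")
    print("disclosed:", served_rom0(hits))
    print("per source:", sources_by_count(hits))
```

On a honeypot every hit is just reconnaissance worth recording; on a production router log, a hit with status 200 means the configuration file left the device and the admin password should be treated as compromised.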

The following CVEs have been recorded for the vulnerabilities identified here:
Also applicable is http://www.exploit-db.com/exploits/33737

Here is an article from SC Magazine about 300,000 SOHO routers that were compromised through this vulnerability: http://www.scmagazine.com/attackers-alter-dns-configurations-remotely-compromise-300k-routers/article/336792/

I am also interested in the IP Address that touched the honeypot looking for this vulnerability.  IP Address is  Looking at ripe.net the following record is pulled:

When you search for this IP Address on http://www.virustotal.com nothing comes up about this IP Address. 

However, as you search the web you find a history for this IP Address as shown below:


A reverse DNS lookup on the address identifies no PTR records.

