Below is the log entry that I found:
According to the exploit published on exploit-db (located here), requesting the rom-0 file through a plain GET request returns a file that contains the admin username and password. The following link gives instructions on how to decompress that file.
The following CVEs have been recorded for the vulnerabilities that have been identified:
CVE-2014-4018
CVE-2014-4019
CVE-2014-4154
CVE-2014-4155
Also applicable is http://www.exploit-db.com/exploits/33737
Here is an article by SC Magazine about 300,000 SOHO routers that were compromised due to this vulnerability: http://www.scmagazine.com/attackers-alter-dns-configurations-remotely-compromise-300k-routers/article/336792/
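As an added example (not from the original post), here is a small Python detector that scans web-server style access-log lines for the rom-0 GET request described above and summarizes attempts per source address. The log lines are constructed for the example and use documentation IP ranges; the log format and field names are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache/Nginx "combined" style).
# Source addresses are RFC 5737 documentation ranges, not real observations.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2015:08:01:12 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2015:08:02:40 +0000] "GET /rom-0 HTTP/1.1" 200 16384 "-" "Wget/1.15"
192.0.2.55 - - [10/Mar/2015:08:02:41 +0000] "GET /ROM-0 HTTP/1.1" 404 162 "-" "Wget/1.15"
198.51.100.7 - - [10/Mar/2015:08:05:03 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "curl/7.35"
198.51.100.7 - - [10/Mar/2015:08:05:04 +0000] "GET /rom-0?x=1 HTTP/1.0" 403 162 "-" "curl/7.35"
"""

# Minimal parser for the fields we need: source IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_rom0_request(method, path):
    """True for a GET of the rom-0 configuration dump. The match is
    case-insensitive and ignores any query string or trailing slash."""
    base = path.split("?", 1)[0].rstrip("/").lower()
    return method == "GET" and base.endswith("/rom-0")


def find_rom0_requests(log_text):
    """Return (ip, timestamp, path, status) for every rom-0 request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_rom0_request(m["method"], m["path"]):
            hits.append((m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits


def summarize_by_source(hits):
    """Count rom-0 attempts per source IP and note whether any got a 200,
    which on a real router would mean the config file was handed out."""
    attempts = Counter(ip for ip, *_ in hits)
    served = {ip for ip, _, _, status in hits if status == 200}
    return {ip: {"attempts": n, "served": ip in served} for ip, n in attempts.items()}


if __name__ == "__main__":
    for ip, info in summarize_by_source(find_rom0_requests(SAMPLE_LOG)).items():
        flag = "CONFIG SERVED" if info["served"] else "refused"
        print(f"{ip}: {info['attempts']} rom-0 request(s) -> {flag}")
```

The same check can be run over a real honeypot or router access log by feeding its contents to `find_rom0_requests`; sources with `served` set are the ones to treat as a credential exposure.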
I am also interested in the IP address that touched the honeypot looking for this vulnerability. The IP address is 95.213.143.180. Looking it up on ripe.net pulls the following record:
When you search for this IP address on http://www.virustotal.com, nothing comes up for it.
However, searching the web turns up a history for this IP address, as shown below:
https://twitter.com/atma_es/status/575725495708479488
http://www.blocklist.de/en/view.html?ip=95.213.143.180
A reverse DNS lookup returns no PTR records for it.