SANS ISC: SANS Internet Storm Center SANS.edu Internet Storm Center

Attackers Search For Exposed "LuCI" Folders: Help me understand this attack

Published: 2022-03-03
Last Updated: 2022-03-03 15:01:32 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

In the last couple of days, some of our web honeypots detected scans for "LuCI." LuCI is the web user interface of the widely deployed OpenWrt open-source router/firewall distribution. Scans for it are not specifically new. As with all perimeter security devices, these routers are significant targets, and simple vulnerabilities, as well as weak credentials, are often exploited.

Three URLs account for most of the requests our honeypots see:

/luci-static/top-iot/favicon.ico
/luci-static/bootstrap/favicon.ico
/luci-static/top-iot/baima_bg.jpg

The scan appears to check whether the directories are present by requesting specific files that would exist inside them. A quick Google search shows plenty of exposed "/luci-static" folders. But I haven't found any "top-iot" subdirectories and wonder what exploits may be used against this feature.
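For anyone who wants to check their own web server or honeypot logs for the same probes, here is an added example (not part of the diary) that parses Common Log Format lines, flags requests under the three paths listed above, and summarizes them per source. The log lines are constructed for the example; the additional "/cgi-bin/luci" prefix is an assumption based on LuCI's usual CGI entry point and is not one of the paths seen in the honeypot data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log lines in Common Log Format (not real honeypot data).
SAMPLE_LOG = """\
203.0.113.10 - - [03/Mar/2022:10:15:01 +0000] "GET /luci-static/top-iot/favicon.ico HTTP/1.1" 404 162
203.0.113.10 - - [03/Mar/2022:10:15:02 +0000] "GET /luci-static/bootstrap/favicon.ico HTTP/1.1" 404 162
203.0.113.10 - - [03/Mar/2022:10:15:03 +0000] "GET /luci-static/top-iot/baima_bg.jpg HTTP/1.1" 404 162
198.51.100.7 - - [03/Mar/2022:10:20:44 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [03/Mar/2022:10:20:45 +0000] "GET /luci-static/bootstrap/favicon.ico?x=1 HTTP/1.1" 404 162
192.0.2.55 - - [03/Mar/2022:11:02:10 +0000] "GET /cgi-bin/luci HTTP/1.1" 404 162
this line is not a valid log record
"""

# The three paths reported in the diary.
DIARY_PATHS = (
    "/luci-static/top-iot/favicon.ico",
    "/luci-static/bootstrap/favicon.ico",
    "/luci-static/top-iot/baima_bg.jpg",
)

# Prefixes treated as LuCI probes. "/cgi-bin/luci" is an assumed extra entry point, not from the diary.
LUCI_PROBE_PREFIXES = ("/luci-static/", "/cgi-bin/luci")

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before matching
    return rec


def is_luci_probe(path):
    return any(path.startswith(prefix) for prefix in LUCI_PROBE_PREFIXES)


def find_luci_probes(log_text):
    """Return (per-source summary, per-path counter) for LuCI-related requests."""
    by_source = defaultdict(lambda: {"count": 0, "paths": set(), "first": None, "last": None})
    by_path = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_luci_probe(rec["path"]):
            continue
        by_path[rec["path"]] += 1
        src = by_source[rec["ip"]]
        src["count"] += 1
        src["paths"].add(rec["path"])
        src["first"] = src["first"] or rec["ts"]
        src["last"] = rec["ts"]
    return dict(by_source), by_path


def matches_diary_pattern(source_summary):
    """True if a source requested all three paths from the diary."""
    return set(DIARY_PATHS) <= source_summary["paths"]


if __name__ == "__main__":
    sources, paths = find_luci_probes(SAMPLE_LOG)
    for ip, s in sorted(sources.items()):
        tag = " <- full diary pattern" if matches_diary_pattern(s) else ""
        print(f"{ip}: {s['count']} LuCI request(s), {s['first']} .. {s['last']}{tag}")
    for path, n in paths.most_common():
        print(f"  {n:3d}  {path}")
```

A source that requests all three paths in quick succession matches the scanner behaviour described above; a single hit on a favicon is weaker evidence on its own, so the per-source grouping is what makes the output useful.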

Can you help? If you are running OpenWrt (or are more familiar with it ... I haven't used it in a few years), do you know what "top-iot" contains? The name suggests some kind of IoT subsystem. I am mostly wondering what the attacker is exploiting here and what they would get from this request (to possibly better implement the response in our honeypots).

And remember: never ever expose an admin interface to the internet!

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Keywords: iot luci openwrt
