Attackers Search For Exposed "LuCI" Folders: Help me understand this attack

Published: 2022-03-03
Last Updated: 2022-03-03 15:01:32 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

In the last couple of days, some of our web honeypots detected scans for "LuCI," LuCI is a user interface used by the widespread OpenWRT open-source router/firewall implementation. Scans for it are not specifically new. As with all perimeter security devices, they are significant targets, and simple vulnerabilities, as well as weak credentials, are often exploited.

There appear to be three popular URLs among our honeypots:


The scan seems to check if the directories are present by verifying the existence of specific files. A quick Google search shows plenty of exposed "/luci-static" folders. But I haven't found any "top-iot" subdirectories and wonder what exploits may be used against this feature.

Can you help? If you are running OpenWRT (or are more familiar with it ... I haven't used it in a few years), do you know what "top-iot" contains? The name suggests some kind of IoT subsystem. I am mostly wondering what the attacker is exploiting here and what they would get from this request (to possibly better implement the response in our honeypots)

and remember: Never ever expose an admin interface to the internet!

Johannes B. Ullrich, Ph.D. , Dean of Research,

Keywords: iot luci openwrt
5 comment(s)


Do you think that the scan was one of the intense nmap scans that uses Lua scripts? I hope nobody eats me alive for having a hunch that it has something to do with nmap scan with Lua scripts. I think Wireshark and Snort use Lua scripts too.
I've searched through the LuCI repositories for OpenWRT and none of the "standard" plug-ins ("applications") reference anything related to IoT.

However, I did find that a Chinese company called Baima Technologies manufacture a range of cellular IoT gateways; I'm guessing that these might use OpenWRT and that they've developed their own LuCI "application" for management purposes. https : //
It is most likely a vendor specific folder. There could be .js, .asp or other scripts. Your most likely guess will be from the baima_bg.jpg. bg could mean background. Baima might be the company or product's name. It might be related to routers from a telecom company.
There's a bootstrap/favicon.png file in the bootstrap theme for luci which is available in the repos but not installed by default, possibly this was a .ico on older releases? I'd guess that top-iot is also a theme though it's not in the repos.
Perhaps they're scanning for an openwrt based device which uses a custom theme?
Or they've found a vulnerability which these two themes introduce which isn't in the default theme?
To expand on this, I should say that I suggested an nmap scan because it felt like hardware model fingerprinting and I know that nmap is versatile enough to allow for that. However; This could easily be a scan programmed by anyone, I don't have enough info to make a determination.

I think it it may have something to do with the web site They sell IOT hardware that uses OpenWRT. Perhaps if that file exists in that location it will identify a specific model or software version.

Diary Archives