DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

mainfunction.cgi hack

27 Apr 2020 15:31 #1 by akwe-xavante
mainfunction.cgi hack was created by akwe-xavante
I have DrayTek routers (a 2860 and a 2862) at different locations, but this query is about entries I'm getting in my Apache server log files.

I'm getting a lot of long lines of code beginning cgi-bin/mainfunction.cgi... blah.....blah.

and also cgi-bin/luci

I believe these are aimed at my router, but they are passing through to my server and ending up in my server's error log file. They do end with the server code 301 351 though. This, I think, is a redirect of some sort.

I don't want to post these long lines of code here on this forum unless a moderator says it's OK to do so in advance.

I'm happy to share these lines of code with DrayTek though if they are of any interest to them.

Do people have some way of knowing I have a DrayTek router, or is this just a coincidence?

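A way to pull the entries described above out of the log and see where they come from, as an added example that is not part of this thread. It assumes the lines are in Apache's "combined" access-log format and that the two paths named in the post (cgi-bin/mainfunction.cgi and cgi-bin/luci) are the ones of interest; the sample log lines are constructed, not the poster's.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" access-log format (assumption: the server logs in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths named in the thread: DrayTek's mainfunction.cgi and OpenWrt's LuCI.
# They are router admin endpoints; an Apache web server has no reason to serve them.
ROUTER_PATHS = ("/cgi-bin/mainfunction.cgi", "/cgi-bin/luci")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path   # drop any ?query part
    rec["status"] = int(rec["status"])
    return rec

def is_router_probe(rec):
    return rec is not None and rec["path"].startswith(ROUTER_PATHS)

def summarise(lines):
    """Return {(client_ip, path, status): count} for router-admin requests only."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if is_router_probe(rec):
            hits[(rec["ip"], rec["path"], rec["status"])] += 1
    return hits

# Constructed sample lines (documentation IP ranges, not real clients).
SAMPLE_LOG = """\
198.51.100.7 - - [27/Apr/2020:10:01:02 +0100] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 301 351 "-" "curl/7.58.0"
198.51.100.7 - - [27/Apr/2020:10:01:03 +0100] "GET /cgi-bin/luci HTTP/1.1" 301 351 "-" "curl/7.58.0"
203.0.113.5 - - [27/Apr/2020:10:02:10 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Apr/2020:10:02:11 +0100] "POST /cgi-bin/mainfunction.cgi?action=login HTTP/1.1" 301 351 "-" "python-requests/2.23"
""".splitlines()

if __name__ == "__main__":
    for (ip, path, status), n in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{ip:15} {path:30} {status} x{n}")
```

A 301 in the status column means Apache only answered with a redirect and never executed anything; the counts per source address are what is worth keeping for a firewall or abuse report.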

27 Apr 2020 18:49 #2 by hornbyp
Replied by hornbyp on topic Re: mainfunction.cgi hack

akwe-xavante wrote:
Do people have some way of knowing I have a DrayTek router, or is this just a coincidence?

Go to https://shodan.io and see what it knows about you... :cry:

(As an example of the sort of info that is (sadly) readily accessible, here is someone I found using PPTP on their Vigor :cry: https://www.shodan.io/host/212.159.119.27.)

27 Apr 2020 20:31 #3 by admin
Replied by admin on topic Re: mainfunction.cgi hack

akwe-xavante wrote:
long lines of code here on this forum unless a moderator says it's OK to do so in advance.

I'm happy to share these lines of code with DrayTek though if they are of any interest to them.

It may be nothing, but wise to report it just in case...

Forum Administrator

28 Apr 2020 07:59 #4 by akwe-xavante
Replied by akwe-xavante on topic Re: mainfunction.cgi hack
It's a fairly long string and (to me) a very complex line of code. Are we happy for me to publish this here?

28 Apr 2020 08:26 #5 by akwe-xavante
Replied by akwe-xavante on topic Re: mainfunction.cgi hack
I found visiting shodan.io very interesting indeed.

Yes, the scan reveals I do have a DrayTek router on port 1723.

It displayed an incomplete list of open ports; this I found surprising.

It shows that I have a VPN in place but doesn't detail anything about it.

It shows open port 443 (but not port 80) to an Apache web server. No surprises there, though I expected port 80 to be listed because it is an open port!

It does not show the port I have open for SSH access to my server, and it doesn't show the port I have allocated for secure SSH access to the router.

So I'm at a loss as to why someone is trying to (I think) gain access to my router via ports that are open to my server!

An error with the scan: it incorrectly displays the model number of both of my DrayTek routers, at home and at a remote location to which I have a VPN connection.

My router models are 2862a and 2860; the scan says they are both model 2820n!