Tag Archives: Web Application

Automatic monitoring and restarting of internet router

Obligatory blog post graphic, to make this more "interesting" 😛 Meanwhile, check out the really nice Tonido Plug at http://www.tonidoplug.com/

My internet connection goes down periodically, and I used to have to power cycle the router in order to fix that.  When it started to become too frequent it posed a problem, since I’m too lazy to keep going to the room (my wife too) to restart it.  There’s also the option of restarting the router via the web admin interface, but it required me to login, click to the page for restarting, and click “restart”!  Very complicated indeed for lazy people.

Inspired by this hack (Hack a Day) where the guy automated the physical power cycling process, I decided to automate mine too.  Since I have a Tonido plug which is almost always on, and I’ve just learnt Python too, I decided to go the scripting method.  As they say: to a man with a hammer, everything looks like a nail 😉

A couple of lessons learnt

I was caught by surprise by when reproducing the login and restart sequence exactly didn’t work, and I went so far as to reproduce ALL the requests made by a “normal human”.  It turned out (after 2 hours and a shower break) that things worked just fine when I simply converted the minimally needed POST parameters to GET parameters.  Nice classic web application hacking trick learnt from my old job as a web application ethical hacker I’d say.

Also, the restart sequence for my router turned out to not only need the form “POST” to request a restart, but also a subsequent request for the “restarting now” status page, interesting…

Download

Note that before you use this, some reverse engineering of the web application calls is needed, and some Python coding too.  You have been forewarned!  Also, I’m not responsible for this script causing you direct/indirect damage in any way, so don’t come crying when your lawnmower starts to act crazy because you installed this script.  The script is released under the GPL, and can be downloaded here.

How to install/use

  • Edit ‘router_host’: ‘10.0.0.1’, in line 8
  • Reverse engineer the web admin login and restart sequence, see what you need.  I used tools like a transparent proxy (Burp Suite), notepad and some brain grease.
  • Hack the restart_router() (lines 43-73) function in the python script according to your needs (you’re on your own here…  Alternatively you could offer me a good amount of Coke/chips for me to help you with the reverse engineering/coding somehow 😉 )
  • Copy into the Tonido plug’s /root directory (assume running as root, for simplicity’s sake)
  • SSH into the Tonido plug as root
  • # chmod 400 /root/internet_connection_monitor.py
  • # crontab -e
  • Add in this line: (makes the script run in the background, 4 minutes after every tonido plug reboot to give the router time to start up)
    @reboot sleep 4m && /usr/bin/python /root/internet_connection_monitor.py &
  • Press Alt-X, then “y” to save the new crontab
  • Reboot the Tonido plug
  • Profit!

What are the risks to note

The script basically is a hardcoded piece of info revealing the password and sequence to your login/router’s workings! Make sure the script is chmod’ed properly, and isn’t accessible via Tonido’s interfaces.  For me I don’t have this problem, since I don’t allow connecting to my Tonido from outside anyway, and people will have to brute force ssh public keys to get in…

Have fun!

Interesting scanner

I know I’m probably the only one in this island that thinks this as interesting, but nevertheless…

It’s normal for the web server to get scanned by other “inquisitive” people/machines/bots, but this tool looks pretty interesting…  Will dig deeper into this later.

The scanners typically try to detect whether I’m running certain vulnerable versions of web apps for them to exploit.  So when the web app does not exist, guess what happens? 😉

This particular scan was interesting, because of the user agent field.  Check it out:

200.6.121.56 – – [17/Jul/2010:14:51:06 +0800] “GET /roundcubemail-0.1//bin/msgimport HTTP/1.1” 404 136 “-” “Toata dragostea mea pentru diavola
200.6.121.56 – – [17/Jul/2010:14:51:06 +0800] “GET /bin/msgimport HTTP/1.1” 404 136 “-” “Toata dragostea mea pentru diavola”
200.6.121.56 – – [17/Jul/2010:14:51:06 +0800] “GET /wm//bin/msgimport HTTP/1.1” 404 136 “-” “Toata dragostea mea pentru diavola”
200.6.121.56 – – [17/Jul/2010:14:51:06 +0800] “GET /webmail//bin/msgimport HTTP/1.1” 404 136 “-” “Toata dragostea mea pentru diavola”
200.6.121.56 – – [17/Jul/2010:14:51:06 +0800] “GET /webmail2//bin/msgimport HTTP/1.1” 404 136 “-” “Toata dragostea mea pentru diavola”
200.6.121.56 – – [17/Jul/2010:14:51:05 +0800] “GET /rms//bin/msgimport HTTP/1.1” 404 136 “-” “Toata dragostea mea pentru diavola”
200.6.121.56 – – [17/Jul/2010:14:51:05 +0800] “GET /roundcubemail//bin/msgimport HTTP/1.1” 404 136 “-” “Toata dragostea mea pentru diavola”
200.6.121.56 – – [17/Jul/2010:14:51:05 +0800] “GET /mail2//bin/msgimport HTTP/1.1” 404 136 “-” “Toata dragostea mea pentru diavola”
200.6.121.56 – – [17/Jul/2010:14:51:05 +0800] “GET /mail//bin/msgimport HTTP/1.1” 404 136 “-” “Toata dragostea mea pentru diavola”
200.6.121.56 – – [17/Jul/2010:14:51:04 +0800] “GET /mss2//bin/msgimport HTTP/1.1” 404 136 “-” “Toata dragostea mea pentru diavola”
200.6.121.56 – – [17/Jul/2010:14:51:04 +0800] “GET /rc//bin/msgimport HTTP/1.1” 404 136 “-” “Toata dragostea mea pentru diavola”

If anyone knows more about this particular scanner, feel free to comment and share!

Edit (19 Jul): it seems that I’ve joined the ranks of those who’ve been scanned one way or another.  Apparently it is in Romanian, meaning “All my love for the devil”.