The oldest requests using "admin" username and matching user-agent (not sure about the password; didn't log those) I've seen are from 2013/06/22.
Then a year or two ago, I installed DD-WRT on my Linksys WRT160N router.
I installed it so I could add a guest wireless network, but I probably shouldn't have, because the technical specifics of networking that I see everywhere on the DD-WRT site and forums are mostly over my head.
It appears that even more Linksys models are vulnerable to the exploit used by this worm than have been mentioned....
The WRT160N appears to succumb to the same method of penetration (even if the password has been changed from the default), as do the E800 and E900 and the Valet series.
It shows up in the logs as the "\x80w\x01\x03\x01" string in apache web logs.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP admin brute force login attempt"; flow:established,to_server; content:"GET|20 2f|HNAP1|2f 20|HTTP|2f|1.1|0d 0a|"; fast_pattern:only; content:"Authorization|3a 20|Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url, classtype:bad-unknown; sid:10000112; rev:2;)

@claudijd Not the same thing; the password is included in the initial HNAP request and it seems to be randomly generated with each request (i.e. the /.. request is using a different one than the HNAP one).
Looking at web logs it would appear that the malware attempts to spread to other systems by probing ports .
Before seeing the first HNAP probe I can see what appears to be SSL attempts to connect to those ports using TLS/SSL.

X - - [11/Feb/ -0800] "\x80w\x01\x03\x01" 400 294 "-" "-" "-" "-" "-" "37382"
76.14. X - - [11/Feb/ -0800] "GET /HNAP1/ HTTP/1.1" 404 225 " "Opera/6.x (Linux 2.4.8-26mdk i686; U) [en]" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" "en-US,en;q=0.5" "gzip, deflate" "37384"

So the binding to openssl may be for command and control, but it may also be there to allow the malware to try to talk to routers that have SSL enabled for their remote management web connection.
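The two observations above (the "\x80w\x01\x03\x01" entries that precede the HNAP probe, and the "Basic YWRtaW46" match the Snort rule posted earlier relies on) can be checked from an Apache access log with a short script. The following is an added example written for this page, not code from any commenter: it undoes Apache's \xNN escaping of the request field, interprets the first five bytes as an SSLv2-compatible record header (high bit set, 2-byte length, message type 1 = CLIENT-HELLO, then the highest protocol version offered), flags "GET /HNAP1/" requests, and applies the same prefix test as the Snort rule to an Authorization header. The log lines are constructed samples modelled on the ones quoted in the thread; the 192.0.2.x addresses and the timestamps are placeholders, and the function and constant names are this example's own.

```python
import base64
import re

# Apache writes non-printable bytes in the request field as \xNN; undo that so the
# raw bytes the client actually sent can be examined.
def unescape_apache(field: str) -> bytes:
    out = bytearray()
    i = 0
    while i < len(field):
        if field.startswith("\\x", i) and i + 4 <= len(field):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        else:
            out.extend(field[i].encode("latin-1"))
            i += 1
    return bytes(out)

SSL2_CLIENT_HELLO = 0x01

def classify_request(raw: bytes) -> str:
    """Label the request field of one access-log entry."""
    # SSLv2-compatible ClientHello as OpenSSL emits it: first byte has the high bit
    # set, the low 15 bits of bytes 0-1 are the record length, byte 2 is the message
    # type and bytes 3-4 are the highest version the client offers (3.1 = TLS 1.0).
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == SSL2_CLIENT_HELLO:
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        major, minor = raw[3], raw[4]
        return f"sslv2-clienthello len={length} version={major}.{minor}"
    if raw.startswith(b"GET /HNAP1/ HTTP/1.1"):
        return "hnap1-probe"
    return "other"

# Combined-log prefix: client, ident, user, [time], "request", status, size.
# The request group tolerates backslash escapes so "\x80w..." parses as one field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]*)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+)')

def analyze_log(lines):
    """Return (client, label, status) for every parseable line, in log order."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _when, request, status, _size = m.groups()
        results.append((client, classify_request(unescape_apache(request)), int(status)))
    return results

def hnap_probers(results):
    """Clients that hit /HNAP1/; cross-check these against the SSL-attempt entries."""
    return {client for client, label, _status in results if label == "hnap1-probe"}

# The Snort rule matches 'Basic ' followed by base64('admin:'). Because 'admin:' is
# six bytes, a multiple of three, its base64 form is a fixed 8-character prefix no
# matter what password follows the colon, so one content match covers every guess.
ADMIN_PREFIX = base64.b64encode(b"admin:").decode()  # "YWRtaW46"

def is_admin_basic_auth(header_value: str) -> bool:
    scheme, _, token = header_value.partition(" ")
    return scheme.lower() == "basic" and token.startswith(ADMIN_PREFIX)

# Constructed sample entries (placeholder addresses from the documentation range).
SAMPLE_LOG = [
    r'192.0.2.10 - - [11/Feb/2014:08:00:00 -0800] "\x80w\x01\x03\x01" 400 294 "-" "-"',
    r'192.0.2.10 - - [11/Feb/2014:08:00:01 -0800] "GET /HNAP1/ HTTP/1.1" 404 225 "-" "Opera/6.x (Linux 2.4.8-26mdk i686; U) [en]"',
    r'192.0.2.11 - - [11/Feb/2014:08:00:02 -0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, label, status in analyze_log(SAMPLE_LOG):
        print(f"{client:12} {status} {label}")
    print("HNAP probers:", sorted(hnap_probers(analyze_log(SAMPLE_LOG))))
    print("admin prefix:", ADMIN_PREFIX)
```

On the quoted entry the script reports a 119-byte SSLv2-style CLIENT-HELLO offering TLS 1.0, which is what the "\x80w" (0x80 0x77) header encodes; Apache answers 400 because it is not HTTP, and the same client then sends the plain-HTTP /HNAP1/ probe.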
Soon thereafter, I noticed that AirPrint didn't work anymore.