[Chilli] Apparent intrusion attempt on AP running coova-chilli 1.2.9, ways to mitigate?

Xabier Oneca -- xOneca xoneca at gmail.com
Sun Feb 15 22:13:44 UTC 2015


Hello Ben,

2015-02-15 22:35 GMT+01:00 Ben West <ben at gowasabi.net>:
> A Nanostation M2 running Openwrt AA with coova-chilli v1.2.9 stopped its
> periodic heartbeat, and I had a chance to SSH in locally w/in 1 hour of the
> last heartbeat.
>
> I didn't get a chance to inspect the AP's local state very well before having
> to issue a "reboot -f" after the initial SSH session appeared to freeze.
>
> Besides the device only having 1 Mbyte of remaining free memory, I did notice
> these log messages from coova-chilli (trimmed and anonymized):
>
> Feb 15 20:43:56 Openwrt local6.notice coova-chilli[2056]: chilli.c: 5005:
> Client MAC=8C-84-01-XX-XX-XX assigned IP 101.209.43.124
> Feb 15 20:44:16 Openwrt local6.err coova-chilli[18240]: redir.c: 3462:
> invalid file extension! [wwwroot/apkupdate.php]
> Feb 15 20:44:19 Openwrt local6.err coova-chilli[18243]: redir.c: 3462:
> invalid file extension! [wwwroot/xmlupdate.php]
> ...
> Feb 15 20:44:42 Openwrt local6.err coova-chilli[18283]: redir.c: 3462:
> invalid file extension! [getTasklist.php]
> Feb 15 20:44:42 Openwrt local6.err coova-chilli[18284]: redir.c: 3462:
> invalid file extension! [getAccountNum.php]
> Feb 15 20:44:46 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX
> IEEE 802.11: authenticated
> Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX
> IEEE 802.11: authenticated
> Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX
> IEEE 802.11: associated (aid 3)
> Feb 15 20:44:48 Openwrt daemon.info hostapd: wlan0: STA 8c:84:01:XX:XX:XX
> RADIUS: starting accounting session 0000002F-000001AD
> Feb 15 20:59:46 Openwrt local6.err coova-chilli[18919]: redir.c: 3462:
> invalid file extension! [getTasklist.php]
> ...
> Feb 15 20:59:49 Openwrt local6.err coova-chilli[18923]: redir.c: 3462:
> invalid file extension! [getTasklist2.php]
> ...

The PHP file names seem like Android API function calls. Maybe it's
some sort of Android managing software that has a web interface, and
the App is making calls to it, thinking Chilli is the manager
server...

I googled those names, but the searches came up empty.

Cheers,

Xabier Oneca_,,_
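
A triage sketch for the log excerpt quoted above, added here as an example and not part of the original message or of coova-chilli: it groups the redir.c "invalid file extension" errors into bursts and records the most recent DHCP lease logged before each burst. The 60-second burst gap and the lease association are assumptions; the error lines themselves carry no client address.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the log lines quoted above, unwrapped to one event per line.
SAMPLE_LOG = """\
Feb 15 20:43:56 Openwrt local6.notice coova-chilli[2056]: chilli.c: 5005: Client MAC=8C-84-01-XX-XX-XX assigned IP 101.209.43.124
Feb 15 20:44:16 Openwrt local6.err coova-chilli[18240]: redir.c: 3462: invalid file extension! [wwwroot/apkupdate.php]
Feb 15 20:44:19 Openwrt local6.err coova-chilli[18243]: redir.c: 3462: invalid file extension! [wwwroot/xmlupdate.php]
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18283]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:44:42 Openwrt local6.err coova-chilli[18284]: redir.c: 3462: invalid file extension! [getAccountNum.php]
Feb 15 20:59:46 Openwrt local6.err coova-chilli[18919]: redir.c: 3462: invalid file extension! [getTasklist.php]
Feb 15 20:59:49 Openwrt local6.err coova-chilli[18923]: redir.c: 3462: invalid file extension! [getTasklist2.php]
"""

# Prefix as it appears in the excerpt: timestamp, host, facility.level, tag[pid]
STAMP = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ coova-chilli\[\d+\]: "
REJECT = re.compile(STAMP + r"redir\.c: \d+: invalid file extension! \[([^\]]*)\]")
ASSIGN = re.compile(STAMP + r"chilli\.c: \d+: Client MAC=(\S+) assigned IP (\S+)")

def _ts(text, year):
    # syslog timestamps omit the year, so the caller supplies it
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def summarize(log_text, year=2015, gap=timedelta(seconds=60)):
    """Group rejected-request errors into bursts separated by more than `gap`."""
    bursts, last_lease = [], None
    for line in log_text.splitlines():
        m = ASSIGN.match(line)
        if m:
            last_lease = (m.group(2), m.group(3))  # (MAC, IP) most recently leased
            continue
        m = REJECT.match(line)
        if not m:
            continue
        when, path = _ts(m.group(1), year), m.group(2)
        if not bursts or when - bursts[-1]["end"] > gap:
            # Heuristic only: the lease seen last is a candidate, not proof of origin.
            bursts.append({"start": when, "end": when, "paths": [],
                           "last_lease": last_lease})
        bursts[-1]["end"] = when
        bursts[-1]["paths"].append(path)
    return bursts

if __name__ == "__main__":
    for b in summarize(SAMPLE_LOG):
        print(b["start"], b["end"], len(b["paths"]), sorted(set(b["paths"])), b["last_lease"])
```

Running it against a fuller `logread` capture shows whether the rejected requests recur on a fixed interval and which paths repeat, which helps separate a polling app from a one-off scan.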

