mongoose_error.log

Brian

Administrator
Staff member
I'm getting a mongoose_error.log on all of my boxes
Code:
>>> Contents of /var/log/mongoose_error.log 88.00 bytes
[1371846401] [error] [client 192.168.0.6] GET /currentsetting.htm: Error 404: Not Found
The logs are continuing to grow in length.
 
If you google for currentsetting.htm you'll see that it's a hidden web page on a Netgear router with a known exploit.. maybe something on your network (or at least something with access to the Humax web server) has been compromised and is probing open web ports for vulnerabilities? It certainly isn't anything to do with the CFW.
 
I have just got a new Netgear D6300 router, and this issue has arisen since then. I will look into the information that you have provided, Thanks.
 
Solution = Reportedly fixed in firmware version 1.1.0.48. of NetGearDGN1000, not sure about D6300 though
 
I have had a search and can't find anything that is relevant to my router, so unless anyone has any suggestions on how to resolve this, I will just have to live with it, and keep deleting the mongoose_error.log.
 
You could create a file with that name on the Humax. That would stop the errors being logged.
 
Just create a file called currentsetting.htm and put it under /mod/webif/html. Doesn't matter what it contains. From the command line you could just do something like:
Code:
humax# echo test > /mod/webif/html/currentsetting.html
 
Thanks, that seems to have stopped the mongoose_error.log. The echo test command produced no output.

Now I have got to do the same on my other boxes.:)
 
Don't you think you should be trying to stop your router requesting currentsetting.htm from everything? Adding the file to the Humax is treating the symptom rather than the disease.
 
Well, I'm no expert but a quick read suggests to me that attempted accesses containing a request for currentsettings.htm are able to bypass the Netgear security, and are therefore used to probe for vulnerabilities. Could these requests be coming in from outside? I would treat them as indications of being under attack (either from outside or from a compromised system inside your network), so rather than cover them up I would investigate whether you have an infected system or if your firewall needs tweaking, or if the router needs updating.

Maybe you just need to turn off an outward-facing web service port on the router? You could try a web-based vulnerability scan.

http://www.exploit-db.com/exploits/25978/ said:
Unauthenticated command execution on Netgear DGN devices
========================================================

[ADVISORY INFORMATION]
Title: Unauthenticated command execution on Netgear DGN devices
Discovery date: 01/05/2013
Release date: 31/05/2013
Credits: Roberto Paleari (roberto@greyhats.it, twitter: @rpaleari)

[VULNERABILITY INFORMATION]
Class: Authentication bypass, command execution

[AFFECTED PRODUCTS]
This security vulnerability affects the following products and firmware
versions:
* Netgear DGN1000, firmware version < 1.1.00.48
* Netgear DGN2200 v1
Other products and firmware versions are probably also vulnerable, but they
were not checked.


[VULNERABILITY DETAILS]
Attackers can leverage this vulnerability to bypass existing authentication
mechanisms and execute arbitrary commands on the affected devices, with root
privileges.

Briefly, the embedded web server skips authentication checks for some URLs
containing the "currentsetting.htm" substring. As an example, the following URL
can be accessed even by unauthenticated attackers:

http://<target-ip-address>/setup.cgi?currentsetting.htm=1

Then, the "setup.cgi" page can be abused to execute arbitrary commands. As an
example, to read the /www/.htpasswd local file (containing the clear-text
password for the "admin" user), an attacker can access the following URL:

http://<target-ip-address>/setup.cg.../www/.htpasswd&curpath=/&currentsetting.htm=1

Basically this URL leverages the "syscmd" function of the "setup.cgi" script to
execute arbitrary commands. In the example above the command being executed is
"cat /www/.htpasswd", and the output is displayed in the resulting web
page. Slightly variations of this URL can be used to execute arbitrary
commands.

[REMEDIATION]
For DGN1000, Netgear included a fix for this issue inside firmware version
1.1.00.48. According to Netgear, DGN2200 v1 is not supported anymore, while v3
and v4 should not be affected by this issue; these versions were not tested by
the author.

[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.
 
I purchased my router just under 2 weeks ago, and updated it's firmware within minutes of installation. I have downgraded the firmware today to see if it made any difference, it didn't seem to, so I reinstalled the latest version.

I have had more entries in the mongoose_error.log, this time relating to favicon.ico. I don't know whether they are being caused by my router.
Code:
>>> Contents of /var/log/mongoose_error.log 88.00 bytes
[1371846401] [error] [client 192.168.0.6] GET /favicon.ico: Error 404: Not Found
I have got round this the same way as with the currentsetting.htm issue.

I don't really know what I'm looking for, but have spent quite some time looking at router settings, and firewall settings, with nothing obvious standing out.

I have had a look at Tenable Nessus, this seems to be aimed at business users, and is rather expensive.
 
favicon.ico is requested by browsers, and I believe the WebIF should serve one of those. Have you changed your browser at all? What we need to do is track down what is making these failed requests.

Is your mongoose_error.log listed in the diagnostics page log list, or did you have to go looking for it?

Can I suggest posts 144 onwards are broken off to a specific topic, something like "Mongoose Error Log"?
 
What is 192.168.0.6 on your network? That's the device that is making these requests.
Given the favicon error, could there be some Netgear configuration software on a computer that is scanning for routers?
 
Back
Top