Note the "typo". However, when this is done on a MikroTik with RouterOS, it does return a JSON file with some info about the router, most notably the version of RouterOS installed!
The first scan I have seen used "Wget(linux)" as the user-agent (May 1st), but later scans (today, May 3rd) use "python-requests/2.18.4".
Maybe the first was a shell script as proof-of-concept and they now switched to a Python program.
Is this the indication of the next vulnerability? Or maybe just a project to investigate all the MikroTik installations to later launch the existing or new exploits?
Interestingly enough, the 188.92.74.189 IP address is registered in Latvia:
inetnum: 188.92.74.0 - 188.92.74.255
org: ORG-SNI2-RIPE
netname: NANO-ADTECH-DC-NET
descr: NANO ADTECH DC
country: LV
admin-c: RST1
tech-c: RST1
status: ASSIGNED PA
mnt-by: NANO-MNT
created: 2015-04-22T07:37:25Z
last-modified: 2015-04-22T07:37:25Z
source: RIPE
organisation: ORG-SNI2-RIPE
org-name: Sia Nano IT
org-type: LIR
address: Maskavas iela 240 - 510
address: LV-1063
address: Riga
address: LATVIA
phone: +37166100107
fax-no: +37167876478
For now, it is a mystery. Of course I don't allow access to the router from outside and have now put that address on a general blocklist to stop such idiocy.