HTTP requests from D-Link devices | Joachim De Zutter
January 2017 - March 2017

See also: HTTP requests from systems with Avtech network cameras

The following suspicious entries were observed in the log files of an HTTP server:
...
82.67.106.87 - - [31/Jan/2017:19:07:41 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
78.194.52.13 - - [03/Feb/2017:09:04:25 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
90.227.84.155 - - [04/Feb/2017:00:15:08 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
85.118.99.93 - - [08/Feb/2017:10:54:33 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
95.157.153.176 - - [08/Feb/2017:23:18:16 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
46.47.176.118 - - [12/Feb/2017:01:46:02 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
94.190.187.129 - - [24/Feb/2017:01:26:02 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
77.70.111.103 - - [26/Feb/2017:09:41:14 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
130.204.184.190 - - [27/Feb/2017:10:25:08 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
94.236.206.136 - - [28/Feb/2017:01:14:24 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
87.97.171.9 - - [07/Mar/2017:09:35:15 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
87.126.11.234 - - [14/Mar/2017:20:24:24 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
94.190.187.129 - - [15/Mar/2017:07:52:44 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
87.121.163.101 - - [18/Mar/2017:02:03:28 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
91.139.206.230 - - [19/Mar/2017:01:04:46 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
83.89.70.127 - - [19/Mar/2017:10:03:53 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
87.126.11.234 - - [20/Mar/2017:00:45:40 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
87.97.171.9 - - [20/Mar/2017:22:39:47 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"
...
87.126.11.234 - - [27/Mar/2017:08:59:40 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
188.60.228.156 - - [27/Mar/2017:11:11:24 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
46.10.223.162 - - [28/Mar/2017:16:38:48 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
84.43.185.93 - - [31/Mar/2017:21:43:15 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
93.152.165.43 - - [05/Apr/2017:00:49:11 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
88.159.172.30 - - [13/Apr/2017:18:59:23 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
84.43.185.93 - - [15/Apr/2017:05:42:09 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
84.43.185.93 - - [17/Apr/2017:00:56:58 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
130.204.34.17 - - [19/Apr/2017:01:00:57 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
84.54.187.253 - - [24/Apr/2017:12:04:56 +0300] "GET / HTTP/1.0" 200 13000 "-" "-"
...
78.130.187.194 - - [30/Apr/2017:21:45:13 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
89.2.28.49 - - [02/May/2017:14:44:02 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
95.87.234.71 - - [04/May/2017:06:15:06 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
212.36.29.158 - - [05/May/2017:07:33:21 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
158.58.199.210 - - [11/May/2017:19:33:34 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
93.152.144.155 - - [11/May/2017:19:33:41 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
188.254.146.138 - - [14/May/2017:10:54:53 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
92.247.10.82 - - [19/May/2017:13:01:44 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
188.254.146.138 - - [22/May/2017:11:32:33 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
213.91.210.68 - - [22/May/2017:19:31:35 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
188.124.95.169 - - [24/May/2017:06:18:48 +0300] "GET / HTTP/1.0" 200 13000 "-" "-"
...
84.3.68.25 - - [25/May/2017:10:19:14 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"
...
83.251.103.249 - - [11/Jun/2017:15:29:29 +0300] "GET / HTTP/1.0" 200 43296 "-" "-" "-"

It was easy to verify that these devices have a lighttpd server running on port 80:
$ telnet 46.10.223.162 80
Trying 46.10.223.162...
Connected to 46.10.223.162.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: 46.10.223.162

HTTP/1.1 200 OK
Content-Language: en
P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR'
Content-Type: text/html
Accept-Ranges: bytes
ETag: "4020591650"
Last-Modified: Fri, 14 Sep 2012 01:32:42 GMT
Content-Length: 10199
Date: Wed, 29 Mar 2017 14:26:52 GMT
Server: lighttpd/1.4.28

Connection closed by foreign host.

Opening such an IP address in a browser displayed a ShareCenter by D-Link login page.
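
The log entries above share one fingerprint: `GET /` over HTTP/1.0 with an empty referer and an empty user agent. The following is an added example, not part of the original page, that picks such requests out of a combined-format access log and counts them per source address; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx combined log format; extra trailing fields are tolerated.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def fingerprint_source(line):
    """Return the client address if the entry matches the pattern on this page
    (GET / over HTTP/1.0, no referer, no user agent), otherwise None."""
    m = LINE_RE.match(line.strip())
    if m is None:  # elision markers ("...") and malformed lines
        return None
    if (m["method"], m["path"], m["proto"]) != ("GET", "/", "HTTP/1.0"):
        return None
    if m["referer"] != "-" or m["agent"] != "-":
        return None
    return m["ip"]

def summarize(lines):
    """Count matching requests per source address."""
    return Counter(ip for ip in map(fingerprint_source, lines) if ip)

def repeat_sources(hits, minimum=2):
    """Addresses that came back at least `minimum` times, sorted."""
    return sorted(ip for ip, n in hits.items() if n >= minimum)

# Constructed sample entries in the page's format (RFC 5737 documentation addresses).
SAMPLE = [
    '192.0.2.11 - - [14/Mar/2017:20:24:24 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"',
    '...',
    '192.0.2.11 - - [20/Mar/2017:00:45:40 +0200] "GET / HTTP/1.0" 200 10720 "-" "-"',
    '198.51.100.7 - - [28/Mar/2017:16:38:48 +0300] "GET / HTTP/1.0" 200 10720 "-" "-"',
    # Entry with an extra trailing field, as in the last log line on the page.
    '203.0.113.5 - - [11/Jun/2017:15:29:29 +0300] "GET / HTTP/1.0" 200 43296 "-" "-" "-"',
    # Ordinary browser request: HTTP/1.1 with a user agent, must not match.
    '198.51.100.9 - - [28/Mar/2017:16:40:00 +0300] "GET / HTTP/1.1" 200 10720 "-" "Mozilla/5.0"',
    # HTTP/1.0 but a different path and a user agent, must not match.
    '198.51.100.9 - - [28/Mar/2017:16:41:00 +0300] "GET /robots.txt HTTP/1.0" 200 120 "-" "curl/7.50"',
]

if __name__ == "__main__":
    hits = summarize(SAMPLE)
    for ip, n in hits.most_common():
        print(f"{ip}\t{n}")
    print("repeat sources:", repeat_sources(hits))
```

To run it against a real log, pass the open file object to `summarize()` in place of `SAMPLE`.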