If you opened a result during a legitimate security test (on a test range), you might see:
URL: http://192.168.1.100/axis-cgi/indexframe.shtml
Page Title: AXIS 2400 Video Server - Live View
Frames:
Some indexframe.shtml pages are honeypots. Accessing them logs your IP, and law enforcement may be alerted. Always assume any exposed Axis device you do not own is either a trap or a live crime scene.
You may have noticed the odd suffix adds 1l in the original topic. This often appears due to Google's search syntax variations or auto-suggestions in exploit databases. It typically signifies a search modifier or a remnant from a pastebin dump.
In practical terms, security researchers use slight variations of this query (adds 1l, adds 1i, etc.) to bypass Google’s duplicate content filters and find different servers that basic searches might miss.
The inurl: operator instructs Google (or other search engines that support it) to return only results where a specific string appears in the URL. For example:
inurl:indexframe.shtml
This would show all publicly indexed webpages with indexframe.shtml in their URL path.
No – running a Google search is not illegal. However, accessing a device you do not own without authorization is illegal under laws like the Computer Fraud and Abuse Act (CFAA) in the U.S., or the Computer Misuse Act in the U.K.
If you are a researcher:
When this query returns results, it often points to legacy Axis video servers that have been exposed to the public internet without proper authentication. The indexframe.shtml file is designed to serve a video stream to a browser. If an administrator sets up the device without requiring a password to access the root directory or the specific CGI paths, search engine crawlers can index the page.
This creates a significant security vulnerability for several reasons:
Performing this search (legally on your own infrastructure or with explicit permission) may reveal:
| Type of Exposure | Description |
|----------------|-------------|
| Unprotected public cameras | No login required – live video streams accessible |
| Default credentials | Devices still using root / pass or admin / 12345 |
| Firmware version disclosure | The login page may reveal vulnerable firmware versions |
| Video encoder panels | Industrial or city surveillance encoders |
| Obsolete devices | Axis 2100, 2400, 2411 series – no longer receiving security updates |
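
One way a device owner can check for the exposure described above, as an added example (not from the original page or from Axis): it scans access logs from a reverse proxy placed in front of the video server for indexframe.shtml requests answered with 200 and no authenticated user. The Combined Log Format, the crawler list, the internal network ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
CRAWLER_RE = re.compile(r"googlebot|bingbot|duckduckbot|yandex|baiduspider", re.I)
# Assumption: these ranges are the operator's own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or malformed field: treat as external
        return False
    return any(addr in net for net in INTERNAL_NETS)

def find_exposure(lines):
    """Return (ip, path, reason) for each unauthenticated 200 on indexframe.shtml."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or "indexframe.shtml" not in m["path"].lower():
            continue
        # 401/403 means credentials were demanded, so it is not a finding.
        # A 200 with a named user means the viewer authenticated first.
        if m["status"] != "200" or m["user"] != "-":
            continue
        if CRAWLER_RE.search(m["agent"]):
            findings.append((m["ip"], m["path"], "crawler-indexable"))
        elif not is_internal(m["ip"]):
            findings.append((m["ip"], m["path"], "external-unauthenticated"))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /axis-cgi/indexframe.shtml HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.44 - - [12/Mar/2024:10:05:10 +0000] "GET /axis-cgi/indexframe.shtml HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.44 - - [12/Mar/2024:10:06:11 +0000] "GET /axis-cgi/indexframe.shtml HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.1.20 - - [12/Mar/2024:10:07:12 +0000] "GET /axis-cgi/indexframe.shtml HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '203.0.113.9 - root [12/Mar/2024:10:08:13 +0000] "GET /axis-cgi/indexframe.shtml HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (Windows NT 10.0)"',
]
```

A "crawler-indexable" finding means the page can end up in search results; either finding means the live-view path is being served without a login and should be put behind authentication or taken off the public internet.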