Some older exploits for Axis devices used malformed HTTP requests like:
GET /axis-cgi/indexframe.shtml?language=1l HTTP/1.1
The 1l (one-L) might cause a logging error or odd behavior in the HTTP parser. While no high-profile CVE ties directly to “adds 1l”, it could be a leftover from:
If you encounter "-adds 1l" in a log entry, treat it as a low-effort automated probe. Inurl Indexframe Shtml Axis Video Server-adds 1l
adds 1l is not a standard parameter for Axis devices. Possible interpretations:
If you were to click a result from a legitimate security test (on a test range), you might see: Some older exploits for Axis devices used malformed
URL: http://192.168.1.100/axis-cgi/indexframe.shtml
Page Title: AXIS 2400 Video Server - Live View
Frames:
Axis produces:
Their embedded web servers are identifiable by URLs containing /axis-cgi/, /view/viewer_index.shtml, or indexframe.shtml. The 1l (one-L) might cause a logging error
Modern Axis devices (2019+) use /axis-cgi/applications/viewer/index.html or control.html instead of indexframe.shtml. Thus, indexframe.shtml is a sign of aging hardware – which is often less secure.