-
Does your router have a backdoor?
Find out if your router is listening on backdoor port 32764
Some days ago it became public knowledge that some routers, that's devices used for establishing Internet connections among other things, are listening on the undocumented port 32764.
First, it was only discovered in one device, the Linksys WAG200G, but it was soon discovered that many routers were also listening on that port. Among the devices are the Cisco WAP4410N-E, the Netgear DGN2000, the OpenWAG200, or the LevelOne WBR3460B.
The list on the GitHub website is large, and it is likely that there are other routers affected not listed there yet. It seems to be predominantly Cisco, Linksys and Netgear which listen on the port, even though not all routers by the mentioned companies are affected by it. The Linksys WRT160Nv2 for example is not listening.
It is currently not known why the routers are listening on that port. Many have suggested that this is yet another way for the NSA to spy on people around the world, and while that is a possibility, it is not the only one.
Find out if your router is listening on port 32764
If your router is not on the positive or negative list, you may want to find out if it is listening on port 32764, and if it is, stop the process to protect your systems.
There are several options to find that out. Here are several ones:
- Load http://yourRouterIP:32764/ in your web browser of choice. If affected, you should see ScMM or MMcS on the screen. I cannot confirm that this works for all set ups though. You can check your IP address here.
- Run the Python script poc.py on your system. You do need Python installed on it for that to work though. Run the script in the following way: python poc.py --ip yourRouterIP. For instance: python poc.py --ip 192.168.1.1
- If telnet is running, you can also use the command telnet yourRouterIP 32764 to find out if the router is vulnerable. You see ScMM or MMcS in that case on the command prompt.
- Alternatively, try running router backdoor scanner, a script that attempts to establish a connection on the port.
Fixes if your router is leaking information
If your router is listening on port 32764, you may want to block this from happening. You have quite a few possibilities to cope with the situation and secure your system.
- Add a rule to the router's firewall to block the port 32764. How that is done depends on the model you are using. Usually, it involves loading the router's web interface on its local address, e.g. http://192.168.1.1/, typing in the password (on the back of the router usually if default), and finding the firewall or network options there.
- Install an Open Source firmware like Tomato or OpenWRT. Note that some have been reported to be vulnerable as well, so make sure you test again after you install.
- Get a router that is not affected by the vulnerability.
Testing
Once you have made changes, it is highly recommended to test for the vulnerability again to make sure that you have successfully blocked the port on your system.
CREDIT: http://www.ghacks.net/2014/01/06/fin...or-port-32764/
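The check described in the post above, as an added example (not the poc.py or the scanner the article mentions): it connects to port 32764 on your own router and reports whether the port is closed, filtered, open with some other service, or open with the ScMM / MMcS signature. That the listener replies only after it receives some bytes is an assumption; the function names and result labels are made up for this example.

```python
import socket

# Signatures the article says an affected router shows on this port.
SIGNATURES = (b"ScMM", b"MMcS")
BACKDOOR_PORT = 32764


def classify_reply(data: bytes) -> str:
    """Classify the first bytes returned by whatever listens on the port."""
    if any(data.startswith(sig) for sig in SIGNATURES):
        return "signature"
    return "open-other" if data else "open-silent"


def check_router(host: str, port: int = BACKDOOR_PORT, timeout: float = 3.0) -> str:
    """Return 'closed', 'filtered', 'open-silent', 'open-other' or 'signature'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"      # nothing is listening on the port
    except OSError:
        return "filtered"    # timed out or unreachable, e.g. a firewall drops it
    with sock:
        sock.settimeout(timeout)
        try:
            # Assumption: the listener answers once it has received some bytes,
            # as it would when a browser sends its HTTP request.
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            data = sock.recv(16)
        except OSError:
            data = b""
    return classify_reply(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(f"{target}:{BACKDOOR_PORT} -> {check_router(target)}")
```

Run it again after adding a firewall rule or flashing new firmware: "closed" or "filtered" is the result you want, and "signature" means the port is still answering.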
-
Re: Does your router have a backdoor?
cannot connect using ip:32764
also
Result of Backdoor Scans
Your router does not provide the port 32764 backdoor. Glückwunsch!
-
Re: Does your router have a backdoor?
When I join my routers gateway ip with minecraft, I came on a server called: NsaCraft
Sent from my ST26i using Tapatalk
-
Re: Does your router have a backdoor?
I just checked. I only have these ports on, 80 3306, 30000 and 30001. :p
Thanks anyways Dan!
Sent from my iPhone using Tapatalk
-
Re: Does your router have a backdoor?
Confirmed as probably not vulnerable on the Superhub.
-
Re: Does your router have a backdoor?
Wasn't affected but appreciate this Mental! Much love & keep it up!
-
Re: Does your router have a backdoor?
Checking up the opened ports should matter of course. It's a part of configuration to do when setting up the router for the first use.
However, thanks for clarifying this, MentaL.
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
שเ๒єtгเ๒є
Checking up the opened ports should matter of course. It's a part of configuration to do when setting up the router for the first use.
However, thanks for clarifying this, MentaL.
A backdoor is not something you configure out of the box.
-
Re: Does your router have a backdoor?
Thanks MentaL for posting this!
I already heard that some routers are backdoored like this ...
Now I can check my router :)
-
Re: Does your router have a backdoor?
Seems to not be vulnerable on Virgin Media Superhub. (I tried two different methods to test this, the python method, and routerip:32764)
-
Re: Does your router have a backdoor?
Not vulnerable :D Netgear R6300 and some Chinese thing are clean :p
Even though the Netgear has a backdoor, wouldn't matter for us, it's behind another router >.>
-
Re: Does your router have a backdoor?
pfSense does not have this backdoor thingy :)
Better use pfSense than those expensive routers.
-
Re: Does your router have a backdoor?
Thanks for the heads up, luckily it's not open on my end :L
-
Re: Does your router have a backdoor?
I installed https://openwrt.org/ on my router, you should try it if your router is in the compatible list.
It has an amazing GUI and it's very advanced with many features.
-
Re: Does your router have a backdoor?
Clean on Asus RT-AC66U :)
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
MentaL
A backdoor is not something you configure out of the box.
ye right, you will not see the port is open in the router settings, my bad. ^^
-
Re: Does your router have a backdoor?
Just to let you all know that ActionTec routers have the same issue, though it is a different port, "4567". It can't be removed from the port forwarding list, nor is it offered as a blocking rule in your router's firewall. The only way I found around it is to telnet into your router and remove the rule manually from the iptables. :)
-
Re: Does your router have a backdoor?
I wouldn't be surprised if it's used by ISPs to push settings into the router or something similar, I doubt it's for NSA snooping lol.
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
PRIZM
I just checked. I only have these ports on, 80 3306, 30000 and 30001. :p
Thanks anyways Dan!
Sent from my iPhone using Tapatalk
Haha, I wonder what those ports are used for ;)
OT: Checked that port in my browser and have come out clean. Using the Netgear WNR1000
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
Ddos Attack
Haha, I wonder what those ports are used for ;)
OT: Checked that port in my browser and have come out clean. Using the Netgear WNR1000
Haha, I knew someone from the Habbo section would comment my post. :P
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
PRIZM
I just checked. I only have these ports on, 80 3306, 30000 and 30001. :p
Thanks anyways Dan!
Sent from my iPhone using Tapatalk
Why would you keep port 3306 open? Bit of an amateurish mistake?
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
MentaL
Why would you keep port 3306 open? Bit of an amateurish mistake?
There are many reasons to let ports open. I.e. using your PC to host an own written service that listens the port. Even when a port is open, the hackers need to know what's listening to it and need to find any exploit to the software to attack your PC.
As long as we know what ports are listened by what software, it's our own decision.
MentaL, when there is a hidden port open for the NSA (xD), what software is listening to it, what you think? Any software on the routers itself?
EDIT: What about netstat -a, you will not find it? O.o
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
MentaL
Why would you keep port 3306 open? Bit of an amateurish mistake?
Why not? It's for MySQL?
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
PRIZM
Why not? It's for MySQL?
Because 3306 should always be kept local....
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
MentaL
Because 3306 should always be kept local....
but keeping something local means not using it. ^^
is 3306 so popular to hackers or what?
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
שเ๒єtгเ๒є
but keeping something local means not using it. ^^
is 3306 so popular to hackers or what?
Face palm...
Sent from my Galaxy Note 3
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
שเ๒єtгเ๒є
but keeping something local means not using it. ^^
is 3306 so popular to hackers or what?
Remote exploits.
-
Re: Does your router have a backdoor?
Clean on Netgear WNDR3800.
If anyone needs help using/setting up Python, I'm here.
-
Re: Does your router have a backdoor?
Best solution. Reformat PC. Wash out all RATs and Backdoor
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
AfterShockEx
Best solution. Reformat PC. Wash out all RATs and Backdoor
Backdoor is not related to the PC, it's the router.
-
Re: Does your router have a backdoor?
Bahahahahaha how many morons can you fit in one thread? xD
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
Rishwin
Bahahahahaha how many morons can you fit in one thread? xD
There's more coming!
The next one will probably be "what's a router?"
-
Re: Does your router have a backdoor?
No next will be "I just formatted, I'm safe" and they'll be like an admin of some MMO server
-
Re: Does your router have a backdoor?
This news is over 10 years old, first publicly posted here.
Quote:
Originally Posted by
Rishwin
I wouldn't be surprised if it's used by ISPs to push settings into the router or something similar, I doubt it's for NSA snooping lol.
Correct, there's more info to it in this document. It's a shell that allows remote control, pretty sure it's for ISPs.
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
MentaL
Face palm...
Sent from my Galaxy Note 3
Sry, router configuration / network systems are not my best ride. As I know a port is only open, when an application is listening to it. When there is no application that listens to the port, then it's not open. So I misunderstood something, because this open port is not a usual open port.
Quote:
Originally Posted by
Dave
Remote exploits.
Reading http://www.ispreview.co.uk/index.php...r-exploit.html and https://news.ycombinator.com/item?id=6997159 I finally got the line.
This open port grants access to the router configuration, not the PC system at all. So the software that is listening to the port is burned on the router (firmware). Sadly with the exploit everybody can get access to the router's configuration from outside without admin password. When anybody modifies anything i.e. port forwarding he can get access on the PC system, too.
Did I understand this right now? Please correct me when I'm wrong and stop the facepalm. >.>
Quote:
Originally Posted by
Solaire
This news is over 10 years old, first publicly posted here.
Correct, there's more info to it in this document. It's a shell that allows remote control, pretty sure it's for ISPs.
The last documentation is very horrible, but at the end your statement is correct.
So I hope the manufacturers will do something against the exploit. Or should we also really protect us against the services of the ISP?
-
Re: Does your router have a backdoor?
K so I did a little data gathering today, we have the majority of our customers running Technicolor/Thomson/Alcatel routers and every single one of them has the default port for remote access into that router in the 32000-35000 range. Which to me, seems like a huge coincidence considering the range.
I am now 95% certain this port is used by the ISP to remotely access / remotely push settings into the router when required.
-
Re: Does your router have a backdoor?
Your router does not provide the port 32764 backdoor. Glückwunsch!
Motorola's safe I guess :blush:
Quote:
Originally Posted by
dha12oks
it's not open on my end :L
With that emoticon, it seemed like you were disappointed.
-
Re: Does your router have a backdoor?
Quote:
Originally Posted by
Rishwin
K so I did a little data gathering today, we have the majority of our customers running Technicolor/Thomson/Alcatel routers and every single one of them has the default port for remote access into that router in the 32000-35000 range. Which to me, seems like a huge coincidence considering the range.
I am now 95% certain this port is used by the ISP to remotely access / remotely push settings into the router when required.
If Thomson used their routers to gather other data than firmware then they would probably be one of the few who would know how to do so reliably and in a sneaky way. Those French motherfuckers knew how to build a router and built them so well that it's probably one of the significant contributing factors that sent them into bankruptcy and although I could never obtain firmware for my router the default one and associated software is flawless and still works well today. Which says a lot.
Proud owner of 10 year old low-range Thomson router and posting from it.
-
Re: Does your router have a backdoor?
No backdoor on BT HomeHub 3.
-
Re: Does your router have a backdoor?
Not affected thank you :)