Does your router have a backdoor?

Find out if your router is listening on backdoor port 32764

Some days ago it became public knowledge that some routers, that's devices used for establishing Internet connections among other things, are listening on the undocumented port 32764.

First, it was only discovered in one device, the Linksys WAG200G, but it was soon discovered that many routers were also listening on that port. Among the devices are the Cisco WAP4410N-E, the Netgear DGN2000, the OpenWAG200, or the LevelOne WBR3460B.

The list on the Github website is large, and it is likely that here are other routers affected not listed there yet. It seems to be predominantly Cisco, Linksys and Netgear which listen on the port, even though not all routers by the mentioned companies are affected by it. The Linksys WRT160Nv2 for example is not listening.
It is currently not known why the routers are listening on that port. Many have suggested that this is yet another way for the NSA to spy on people around the world, and while that is a possibility, it is not the only one.

Find out if your router is listening on port 32764

http://cdn.ghacks.net/wp-content/upl...r-backdoor.png

If your router is not on the positive or negative list, you may want to find out if it is listening on port 32764, and if it is, stop the process to protect your systems.

There are several options to find that out. Here are several ones:

1. Load http://yourRouterIP:32764/ in your web browser of choice. If affected, you should see ScMM or MMcS on the screen. I cannot confirm that this works for all set ups though. You can check your IP address here.
2. Run the Python script poc.py on your system. You do need Python installed on it for that to work though. Run the script in the following way: python poc.py --ip yourRouterIP.For instance python poc.py --ip 192.168.1.1
3. If telnet is running, you can also use the command telnet yourRouterIP 32764 to find out if the router is vulnerable. You see ScMM or MMcS in that case on the command prompt.
4. Alternatively, try running router backdoor scanner, a script that attempts to establish a connection on the port.

Fixes if your router is leaking information
If your router is listening on port 32764, you may want to block this from happening. You have quite a few possibilities to cope with the situation and secure your system.

1. Add a rule to the router's firewall to block the port 32764. How that is done depends on the model you are using. Usually, it involves loading the router's web interface on its local address, e.g. http://192.168.1.1/, typing in the password (on the back of the router usually if default), and finding the firewall or network options there.
2. Install an Open Source firmware like Tomato or OpenWRT. Note that some have been reported to be vulnerable as well, so make sure you test again after you install.
3. Get a router that is not affected by the vulnerability.

Testing
Once you have made changes, it is highly recommended to test for the vulnerability again to make sure that you have successfully blocked the port on your system.


CREDIT: http://www.ghacks.net/2014/01/06/fin...or-port-32764/

cannot connect using ip:32764

also

Result of Backdoor Scans
Your router does not provide the port 32764 backdoor. Glückwunsch!

When I join my routers gateway ip with minecraft, I came on a server called: NsaCraft

Sent from my ST26i using Tapatalk

I just checked. I only have these ports on, 80 3306, 30000 and 30001. :p
Thanks anyways Dan!


Sent from my iPhone using Tapatalk

Confirmed as probably not vulnerable on the Superhub.

Wasn't affected but appreciate this Mental! Much love & keep it up!

Checking up the opened ports should matter of course. It's a part of configuration to do when setting up the router for the first use.
However, thanks for clarify this, MentaL.

Quote:

---

Originally Posted by שเ๒єtгเ๒є

Checking up the opened ports should matter of course. It's a part of configuration to do when setting up the router for the first use.
However, thanks for clarify this, MentaL.

---

A backdoor is not something you configure out of the box.

Thanks MentaL for posting this!
I already heard that some routers are backdoored like this ...
Now I can check my router :)

Seems to not be vulnerable on Virgin Media Superhub. (I tried two different methods to test this, the python method, and rouerip:32764)

Not vulnerable :D Netgear R6300 and some chinees thing are clean :p

Even thought the netgear has a backdoor, wouldn't matter for us, it's behind an other router >.>

pfSense does not have this backdoor thingy :)

Better use pfSense than those expensive routers.

Thanks for the heads up, luckily it's not open on my end :L

I installed https://openwrt.org/ on my router, you should try it if your router is in the compatible list.
It has an amazing GUI and it's very advanced with many features.

Clean on Asus RT-AC66U :)

Quote:

---

Originally Posted by MentaL

A backdoor is not something you configure out of the box.

---

ye right, you will not see the port is open in the router settings, my bad. ^^

Just to let you all know that ActionTec Routers have the same issue though it is a different port "4567" it cant be removed from port forwarding list nor is it offered as a blocking rule in your router's firewall. The only way I found around it is to telnet into your router and remove the rule manually from the Iptables. :):

I wouldn't be surprised if it's used by ISP's to push settings into the router or something similar, i doubt it's for NSA snooping lol.

Quote:

---

Originally Posted by PRIZM

I just checked. I only have these ports on, 80 3306, 30000 and 30001. :p
Thanks anyways Dan!


Sent from my iPhone using Tapatalk

---

Haha, I wonder what those ports are used for ;)

OT: Checked that port in my browser and have come out clean. Using the Nethgear WNR1000

Quote:

---

Originally Posted by Ddos Attack

Haha, I wonder what those ports are used for ;)

OT: Checked that port in my browser and have come out clean. Using the Nethgear WNR1000

---

Haha, i knew someone from the Habbo section would comment my post. :P

Quote:

---

Originally Posted by PRIZM

I just checked. I only have these ports on, 80 3306, 30000 and 30001. :p
Thanks anyways Dan!


Sent from my iPhone using Tapatalk

---

Why would you keep port 3306 open? Bit of an amateurish mistake?

Quote:

---

Originally Posted by MentaL

Why would you keep port 3306 open? Bit of an amateurish mistake?

---

There are many reasons to let ports open. I.e. using your PC to host an own written service that listens the port. Even when a port is open, the hackers need to know whats listening to it and need to find any exploit to the software to attack your PC.

As long as we know what ports are listened by what software, it's our own decision.
MentaL, when there is a hidden port open for the NSA (xD), what software is listening to it, what you think? Any software on the routers itself?

EDIT: What about netstat -a, you will not find it? O.o

Quote:

---

Originally Posted by MentaL

Why would you keep port 3306 open? Bit of an amateurish mistake?

---

Why not? It's for MySQL?

Quote:

---

Originally Posted by PRIZM

Why not? It's for MySQL?

---

Because 3306 should always be kept local....

Quote:

---

Originally Posted by MentaL

Because 3306 should always be kept local....

---

but keeping something local means not using it. ^^
is 3306 so popular to hackers or what?

Quote:

---

Originally Posted by שเ๒єtгเ๒є

but keeping something local means not using it. ^^
is 3306 so popular to hackers or what?

---

Face palm...

Sent from my Galaxy Note 3

Quote:

---

Originally Posted by שเ๒єtгเ๒є

but keeping something local means not using it. ^^
is 3306 so popular to hackers or what?

---

Remote exploits.

Clean on Netgear WNDR3800.

If anyone needs help using/setting up Python, I'm here.

Best solution. Reformat PC. Wash out all RATs and Backdoor

Quote:

---

Originally Posted by AfterShockEx

Best solution. Reformat PC. Wash out all RATs and Backdoor

---

Backdoor is not related to the PC, its the router.

Bahahahahaha how many morons can you fit in one thread? xD

Quote:

---

Originally Posted by Rishwin

Bahahahahaha how many morons can you fit in one thread? xD

---

There's more coming!
The next one will probably be "what's a router?"

No next will be "I just formatted, I'm safe" and they'll be like an admin of some MMO server

This news is over 10 years old, first publicly posted here.

Quote:

---

Originally Posted by Rishwin

I wouldn't be surprised if it's used by ISP's to push settings into the router or something similar, i doubt it's for NSA snooping lol.

---

Correct, there's more info to it in this document. It's a shell that allows remote control, pretty sure it's for ISP's.

Quote:

---

Originally Posted by MentaL

Face palm...

Sent from my Galaxy Note 3

---

Sry, router configuration / network systems are not my best ride. As I know a port is only open, when an application is listening to it. When there is no application that listens to the port, then it's not open. So I misunderstood something, because this open port is not a usual open port.

Quote:

---

Originally Posted by Dave

Remote exploits.

---

Reading http://www.ispreview.co.uk/index.php...r-exploit.html and https://news.ycombinator.com/item?id=6997159 I finally got the line.
This open port grants access to the router configuration, not the PC system at all. So the software that is listening to the port is burned on the router (firmware). Sadly with the exploit everybody can get access to the routers configuration from outside without admin password. When anybody modifies anything i.e. port forwarding he can get access on the PC system, too.

Did I understand this right now? Please correct me when I'm wrong and stop the facepalm. >.>

Quote:

---

Originally Posted by Solaire

This news is over 10 years old, first publicly posted here.

Correct, there's more info to it in this document. It's a shell that allows remote control, pretty sure it's for ISP's.

---

The last documentation is very horrible, but at the end your statement is correct.

So I hope the manufacturers will do something against the exploit. Or should we also really protect us against the services of the ISP?

K so i did a little data gathering today, we have the majority of our customers running Technicolor/Thompson/Alcatel routers and every single one of them has the default port for remote access into that router in the 32000-35000 range. Which to me, seems like a huge coincidence considering the range.

I am now 95% certain this port is used by the ISP to remotely access / remotely push settings into the router when required.

Your router does not provide the port 32764 backdoor. Glückwunsch!
Motorola's safe I guess :blush:

Quote:

---

Originally Posted by dha12oks

it's not open on my end :L

---

With that emoticon, it seemed like you were disappointed.

Quote:

---

Originally Posted by Rishwin

K so i did a little data gathering today, we have the majority of our customers running Technicolor/Thompson/Alcatel routers and every single one of them has the default port for remote access into that router in the 32000-35000 range. Which to me, seems like a huge coincidence considering the range.

I am now 95% certain this port is used by the ISP to remotely access / remotely push settings into the router when required.

---

If thomson used their routers to gather other data than firmware then they would probably be one of the few who would know how to do so reliably and in a sneaky way. Those french motherfuckers knew how to build a router and built them so well that it's probably one of the significant contributing factors that sent them into bankruptcy and although I could never obtain firmware for my router the default one and associated software is flawless and still works well today. Which says a lot.

Proud owner of 10 year old low-range thomson router and posting from it.

Temp clean for mine! :)

No backdoor on BT HomeHub 3.

Not effected thank you :)