Reefa Posted January 6, 2014

Some days ago it became public knowledge that some routers, that is, devices used for establishing Internet connections among other things, are listening on the undocumented port 32764. First, it was only discovered in one device, the Linksys WAG200G, but it was soon discovered that many routers were also listening on that port. Among the devices are the Cisco WAP4410N-E, the Netgear DGN2000, the OpenWAG200, or the LevelOne WBR3460B. The list on the Github website is large, and it is likely that there are other affected routers not listed there yet.

It seems to be predominantly Cisco, Linksys and Netgear which listen on the port, even though not all routers by the mentioned companies are affected by it. The Linksys WRT160Nv2 for example is not listening.

It is currently not known why the routers are listening on that port. Many have suggested that this is yet another way for the NSA to spy on people around the world, and while that is a possibility, it is not the only one.

Find out if your router is listening on port 32764

If your router is not on the positive or negative list, you may want to find out if it is listening on port 32764, and if it is, stop the process to protect your systems. There are several options to find that out. Here are several ones:

1. Load http://yourRouterIP:32764/ in your web browser of choice. If affected, you should see ScMM or MMcS on the screen. I cannot confirm that this works for all setups though. You can check your IP address here.
2. Run the Python script poc.py on your system. You do need Python installed on it for that to work though. Run the script in the following way: python poc.py --ip yourRouterIP. For instance python poc.py --ip 192.168.1.1.
3. If telnet is running, you can also use the command telnet yourRouterIP 32764 to find out if the router is vulnerable. You see ScMM or MMcS in that case on the command prompt.
4. Alternatively, try running router backdoor scanner, a script that attempts to establish a connection on the port.

Fixes if your router is leaking information

If your router is listening on port 32764, you may want to block this from happening. You have quite a few possibilities to cope with the situation and secure your system.

1. Add a rule to the router's firewall to block the port 32764. How that is done depends on the model you are using. Usually, it involves loading the router's web interface on its local address, e.g. http://192.168.1.1/, typing in the password (on the back of the router usually if default), and finding the firewall or network options there.
2. Install an Open Source firmware like Tomato or OpenWRT. Note that some have been reported to be vulnerable as well, so make sure you test again after you install.
3. Get a router that is not affected by the vulnerability.

Testing

Once you have made changes, it is highly recommended to test for the vulnerability again to make sure that you have successfully blocked the port on your system.

Source
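A small Python check for the test the post describes (connect to port 32764, look for the ScMM/MMcS marker), added here as an example; it is not the poc.py script or the router backdoor scanner the post mentions, and the function names and the local mock router used to exercise it are my own construction.

```python
import socket
import threading

BACKDOOR_PORT = 32764
MAGICS = (b"ScMM", b"MMcS")  # the two byte orders of the same marker


def classify_banner(data: bytes) -> str:
    """'listening-backdoor' when the marker quoted in the thread is present."""
    if any(data.startswith(m) for m in MAGICS):
        return "listening-backdoor"
    return "open-unknown-banner" if data else "open-no-banner"


def check_port(host: str, port: int = BACKDOOR_PORT, timeout: float = 3.0) -> str:
    """One of: closed, timeout, open-no-banner, open-unknown-banner, listening-backdoor."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            # A browser or a telnet user sends some bytes first; do the same
            # with a bare newline, then read whatever the service answers.
            s.sendall(b"\r\n")
            try:
                data = s.recv(64)
            except socket.timeout:
                data = b""
            return classify_banner(data)
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # connect timeout, unreachable host, etc.
        return "timeout"


def mock_router(reply: bytes) -> int:
    """Constructed stand-in for a listening router (local testing only):
    answers one client with `reply` once it has sent something; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `check_port("192.168.1.1")` with your own router's local address; anything other than "closed" or "timeout" means something is answering on that port and is worth following up with the fixes below.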
nuthut Posted January 7, 2014

- If it's an officially IANA-assigned port (with a number between 0 and roughly 30000) then its number should correspond with a service in /etc/services ('getent services portnumber'), the services file of a scanner like Nmap or an online database like SANS' ISC.
  * Note that ephemeral port usage can be configured locally using the /proc/sys/net/ipv4/ip_local_port_range sysctl. An old default was 1024-5000, for servers a value of 32768-61000 is used and some applications want something like 1025-65535.
  * Also note these are static number-to-service mappings and while for instance /etc/services will say TCP/22 matches SSH that doesn't have to be the case in a particular situation,
- Else if it's a port of which you don't know which process did bind to it then if you have access to the host you can interrogate it using 'netstat -anp', 'lsof -w -n -i protocol:portnumber' or 'fuser -n protocol portnumber'
  * This is the most accurate method,
- Else if you do not have access to the host you could interrogate it by for instance telnetting to it
  * This is not an accurate method and in the case of a compromised host you may alert the intruder you're on her case.

If you have access to the host you'll probably find the short-lived process died and the port isn't bound anymore.

source: http://www.linuxquestions.org/questions/linux-security-4/what-runs-on-port-32764-and-49152-a-588331/
jackieo Posted January 7, 2014

Router Backdoor Scanner result :)
GRiM Posted January 7, 2014 (edited January 7, 2014 by GRiM)
Yorel Posted January 7, 2014

Telnet to the router on port 32764 is the best option, you don't need anything else to find it out. Thanks for the info.
FreeRyde Posted January 7, 2014 (edited)

I can't even connect to http://yourRouterIP:32764/ So I'm good to go.

Edited January 7, 2014 by FreeRyde
212eta Posted January 7, 2014

http://www.router-backdoor.de/?lang=en
Chancer Posted January 7, 2014

I have a DrayTek Vigor 2860 - it does not have that port open.
Rok Posted January 7, 2014 (edited)

> 1. Load http://yourRouterIP:32764/ in your web browser of choice. If affected, you should see ScMM or MMcS on the screen. I cannot confirm that this works for all setups though. You can check your IP address here.

At the beginning of the line above, you are talking about adding the IP address of the router, and then at the end of the line you're directing to check the IP address with an internet lookup. In short, both IPs are different... the router IP is always local.

It is better to use the online scanner at http://www.router-backdoor.de/?lang=en

Router Backdoor Scanner
Result of Backdoor Scans
Your router does not provide the port 32764 backdoor. Glückwunsch!

Edited January 7, 2014 by Rok