Backdoor gives attackers admin access to DSL modems/routers

Discussion in 'malware problems & news' started by lotuseclat79, Jan 2, 2014.

Thread Status:
Not open for further replies.
  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Nice find! Thanks. I wonder how many other makes and models that would work on.

    Edit: Worked great. Couldn't help but notice those posts mentioned Quest and Comcast. I'm not on either of those.
     
    Last edited: Jan 7, 2014
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    I believed the same.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Glad it worked :)
     
  4. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    152
    You're right, MAC filters would protect against an uninformed adversary; but I would assume that if an adversary were probing undocumented ports specifically on a wireless router, they'd likely know how to get around MAC filtering (with a quick internet search). However, you're correct: if one knows the limitations and recognizes that it is not fully secure, then there's really not an issue. I tried filtering for a while, but then got tired of having to remember to add new devices to the filter table, especially transitory ones. And I figured basic security (strong passwords, etc.) protects against the uninformed adversaries, and if filtering doesn't protect against informed adversaries, then it was likely more overhead for little gain.

    Thanks for the info on the other points. Too much to learn, too little time.

    @ noone_particular et al -- My memory is fuzzy but I recall trying to close a port on an ISP's gateway device (I don't remember the model), because at the time I couldn't find any reason for it to be open (and no searches helped). However, the rule I established disappeared after the next ISP firmware update. Unfortunately, I never had time to pursue it further, and no longer have that device (I now have my own router behind the ISP's modem). But something to check on once in a while, to make sure your ports remain redirected/blocked.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I went through this with every one of the DSL modems I've used. On all but this last one, I searched for info on the make, model, and open port, and found nothing. The one time I don't look it up, the info is there. Figures. I'm pretty sure that my ISP is buying used leftover modems from bigger ISPs. This is the 4th one I've had. As far as I know, they're not affiliated with Quest or Comcast. They were using Verizon lines at one point. Might be associated with Frontier now.

    I've been thinking about this for a while now. The biggest threat to users is someone changing the modem settings without the user realizing it. The issue then is how to make sure that the user is aware of it should the modem's settings be changed. The simplest way to accomplish this IMO would be to set the modem to pass-through mode and configure your router/hardware firewall to your real internet IP. Let your router/firewall handle the DNS and NAT duties. This way, the modem does nothing but pass the signal on. If an attacker changes the modem settings, you lose connection and are alerted in the process.
     
  6. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Default settings leave external hard drives connected to (Asus) routers wide open
    http://www.cso.com.au/article/53557...hard_drives_connected_asus_routers_wide_open/
     
  7. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Warning, also on the WAN side:
     
  9. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,872
    They appear to be modem pinging/firmware update ports. It's safe to keep them open.

    If there are ports listening you're not sure about, it's OK to stealth those. But you don't want to brick your router modem.
     
  10. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  11. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,872
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The modem is working fine with those ports forwarded. I've had full administrative access to this modem since the day I got it. The ISP accidentally shipped a replacement modem that was still on factory settings. My service had already been down for almost a week when I got it. Instead of returning it and waiting even longer, I asked if I could input the settings here. To my surprise, they agreed.

    While I haven't bricked any of them yet, I have accidentally caused several of them to lock up and fail to pass traffic. It's surprising just how easy it is to cause such problems. On a couple of them, just accessing the interface with javascript disabled or filtered was sufficient to disrupt them. I'd forgotten to set Proxomitron to bypass. It took several hard reboots to clear one of them.

    Regarding routers and specific open ports, I'm inclined to believe that this changes depending on the make, model, or firmware version. Instead of checking single ports reported elsewhere, those concerned about open ports on routers should scan them all. On mine, I was aware of port 51080 but didn't know about port 4567.
     
  13. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Thanks for posting back your results.
     
  14. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618