internet of things say port 7547 open

Discussion in 'other security issues & news' started by david banner, Oct 29, 2016.

  1. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    670
    Note: title wrong, it is 7547

    BullGuard's IoT Scanner says my port 7547 is open. I cannot find what it is with netstat -a. There is no reference to it

    How do I close or stealth it?
     
    Last edited: Oct 29, 2016
  2. M3gatron

    M3gatron Registered Member

    Joined:
    Oct 3, 2016
    Posts:
    41
    Location:
    ::1
    Hi David

    Are you scanning your public IP or just the internal asset? If it's an internal host, what's the OS? If it's the public IP, do you have port forwarding enabled on your router? Also, is it TCP or UDP port 7547 (maybe provide the output of your IoT report)?
     
  3. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    670
    Hi M3gatron

    I was scanning my public IP from this link http://iotscanner.bullguard.com/. Not sure what you mean by "just the internal asset".


    As far as I can discover it is the cwmp service https://en.wikipedia.org/wiki/TR-069 and is used by the ISP to access the router and allow updates and remote assistance, as explained at http://www.pcworld.com/article/2463...-be-compromised-en-masse-researchers-say.html

    I am on Win 7 64-bit. I do not have port forwarding. Not sure how to do it. I do not have any smart TV etc. I have two computers (Win Vista 32-bit and Win 7 64-bit), a Windows phone and an Android tablet on the LAN. I can connect a camera but only do that to copy photos.

    The report says:

    "You are public on Shodan.
    Shodan has found that a device in your network is accessible from the internet.

    Last deep scan 2016-10-21 13:36 | Deep scan

    To improve the security of your network, read our Internet of Things Security Guide.

    Your network is reachable through port 7547.

    This means your network and devices are vulnerable, and can potentially be accessed and controlled by hackers.

    If you deliberately opened this port to enable specific device functionality, then you’re probably OK. If not, you should check which device is using this port and whether it affects the device’s functionality. You will need to modify your router’s configuration in order to restrict usage of this port."

    It says TCP open and UDP filtered?

    Is the above what you mean by the output of the IoT report? I do not see any other info.
    Tried blocking the port with Comodo but the report is the same.
    If I went to a computer not on my network, how would I test it? What scanner would I use and how would I know it was my computer?
     
  4. Der Alte

    Der Alte Registered Member

    Joined:
    Apr 4, 2012
    Posts:
    125
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    It sounds as though the source of the scans was on the Internet side and basically it was your modem/router that was scanned (rather than your computer). The results seem to suggest that your are using an ISP provided (or at least controlled) device which has been configured to have an open management port and said management port is accessible from the Internet.

    If that is indeed the case and your ISP has made the decision to use such a management port then the ball is in their court. I doubt their firmware would allow you to disable the management port. I doubt they would disable the management port for you. You could look into such things. Perhaps also look for a logging feature in that device so that you can confirm such scans *really* hit it.

    One question would be: why is an ISP allowing such a management port to be accessible to the Internet at large vs implementing filtering rules to assure that it can only be accessed from their own internal systems and network.

    Privately owned and controlled routers *shouldn't* have such a management port/feature open by default, and if it is open the owner should be able to close it. Assuming this is a router, would you be able to eliminate the ISP provided device and purchase/use your own?
     
  6. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    670
  7. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    670
    Yes, the scans were from the Internet of Things scan. What is the difference between the router and the computer being scanned in terms of security? If the port is open on the router, is it not correct that someone could hack it and then reach the computer?

    It is my ISP supplied router and to my knowledge it cannot be changed re this port. I am not sure if another router would work. Will look into it

    If I go to another PC outside my home LAN, how do I scan my router?
    Thanks
     
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Normally you fix router issues in the router and fix computer issues in the computer*. So it helps to know what is being scanned and where the issue really is.

    * There is some interplay of course, due to UPnP and NAT for example.
    Having an open port doesn't mean you definitely can be hacked, but it does mean you should look into the open port, what it can be used for, how secure the listener is, etc. Closing it if that makes sense. You wouldn't want to dismiss an Internet accessible open port/server in the router. Partly because it might provide a foothold from which deeper penetration is done, but also because a pwned router could allow for capturing traffic, redirecting traffic, etc.
    Also try to determine if they have a good reason for not blocking Internet access to the port.

    FWIW, when I mentioned using your own router I was thinking of using a separate modem (doesn't really matter if you own it) and a separate router (which you would own). This detail becomes important in arrangements like cable where the device that directly connects to the ISP network must be DOCSIS enabled and support ISP control/management. Rather than that, some add their own router as a second to the ISP provided unit. More issues there, but read up on your options.
    The public IP Address you see reported by "what is my ip" sites (and also online scanning tools) is probably the IP Address assigned to the WAN/Upstream/Internet interface of your router. One way to verify this is to log into the router, find the page that shows IP Address assignment, and compare.

    Once you know the IP Address of that upstream router interface port, you can send traffic to it. You could use software with port scanning capabilities from another network connection. Bear in mind, though, that the provider of that other network connection may interpret doing so as abuse, you might run into filters or trigger a block, etc. You might want to stick to the reputable online tools where you can.

    Note: if you were using a separate router you could disconnect it from the Internet, connect it directly to a computer, and scan it from that computer. At far greater speed and without any other parties potentially getting in the way. So this is another potential plus of going that route.

    Edit: Sometimes it is necessary to power cycle an ISP owned/controlled device as a way to cause it to reboot and perform the steps that can lead to a firmware update. I don't know the details of your ISP and equipment. The point is that while you are looking into this you might also want to make sure you are using the latest firmware that you are supposed to have. In addition to a power cycle you could also login to the device, find the page that reports firmware version, then do some searches. You may find the latest appropriate version mentioned on an ISP page, in an ISP forum, at DSL reports, etc.
     
    Last edited: Oct 31, 2016
  9. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    670
    OK thanks. But would not the router prevent the computer from being scanned? So if the port is closed on the router, the computer is OK?
    I think it is for remote assistance and possibly updates that it is left open. That is what I gather from other ISPs. Not got a reply from mine yet.

    Need two routers for that? Thanks for the feedback. Will check firmware
     
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    It would if the router is designed/configured to block the traffic in question. For example, the stateful firewall [and NAT] in most home routers should interfere with scans originating on the Internet. But LAN traffic is normally left alone. So a machine behind such a gateway router can probably scan/probe other machines which are also behind it, as well as perform more targeted probes/attacks.

    Strictly speaking no, based on the assumption you can, if necessary, manually configure them to have IP connectivity. However, that second router could act as a DHCP server.
     
  11. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    670
    "It would if the router is designed/configured to block the traffic in question. For example, the stateful firewall [and NAT] in most home routers should interfere with scans originating on the Internet." OK. Then how is having the port open a danger and how can internet of things scan it?
     
  12. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    IP traffic comes in on your ISP connection and is received by the WAN interface of the gateway/router. Then the router decides what to do with it. It can:
    1. Treat the traffic as its own, processing and responding to it in whatever way it considers appropriate from its own perspective
    2. Forward the traffic to another device, such as a computer on your LAN. In which case that other device decides whether and how to process/respond to it.
    3. Ignore the traffic as though it was never received and send no response
    4. Send a response which explicitly informs the sender that nothing is receptive to the traffic that was sent.
    A router can make different decisions for different port numbers, TCP vs UDP, IPv4 vs IPv6, source and/or destination IP Address, and the state of things (like whether a computer inside the network is communicating with the sender of this incoming traffic). You can predict what the router should do by knowing what functions it provides, how it is configured, and what the other relevant context-specific details are.

    It sounds as though incoming port 7547 (TCP) traffic is getting the #1 treatment and inside the router there is software which is acting as a server, listening on that port, in order to receive/process/respond to device management commands. Note: This is my impression and confirming reality is something that you should do through your research, testing, etc.

    When you have an open port and server listening (especially one that can be communicated with from the Internet at large) then you know you may have a problem. However, to assess that you have to understand the protocol, what can/can't be done via the mechanism in question, etc. Does the server implement its own source/destination based filtering? Does it use (require) additional authentication? In one direction or both? What can be commanded and/or retrieved? What is/isn't encrypted? Does the actual code do what it is supposed to do? Was it properly tested? Are there any vulnerabilities in the specific implementation you are using?
     
    Last edited: Nov 1, 2016
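    The two questions raised in this thread, how to probe your router's WAN address from outside (post 8) and how to tell which of the four treatments above a port is getting (post 12), can be answered with a small script. The following is an added example, not code from any participant, BullGuard or an ISP. It classifies a TCP port as open, closed or filtered from the result of a connect attempt, and if the port is open it sends one HTTP request to see what is listening; this assumes the listener on 7547 is a TR-069 (CWMP) "connection request" endpoint, which the TR-069 spec defines as HTTP protected by Digest authentication. The local listener and the closed port in `self_check()` are constructed stand-ins so the script runs offline; the IP address in the usage comment is a documentation placeholder.

```python
import socket
import threading

# Added example for this thread; not code from BullGuard, Shodan or any ISP.
# Assumes IPv4/TCP and that the 7547 listener is a TR-069 (CWMP) connection
# request endpoint, which per the spec speaks HTTP with Digest auth.


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port the way the four treatments above describe.

    'open'     - handshake completed: something answered (treatment #1 or #2)
    'closed'   - peer sent a RST: explicit "nothing here" (treatment #4)
    'filtered' - no answer before the timeout, or an ICMP unreachable came
                 back: the packet was dropped somewhere (treatment #3)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"
    finally:
        s.close()


def http_banner(host, port, timeout=3.0):
    """Send a minimal HTTP request and return the status line, or None.
    A CWMP connection-request listener normally answers 401 with a Digest
    challenge; a web admin UI answers 200/302; non-HTTP services return
    garbage or nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = s.recv(1024)
    except OSError:
        return None
    line = data.split(b"\r\n", 1)[0]
    return line.decode("latin-1", "replace") if line else None


# --- constructed stand-ins so the example runs offline ---------------------

def start_fake_cwmp_listener():
    """Constructed stand-in for a router's 7547 listener on a loopback
    ephemeral port; answers every request with 401 + Digest challenge."""
    reply = (b"HTTP/1.1 401 Unauthorized\r\n"
             b"WWW-Authenticate: Digest realm=\"cwmp\", nonce=\"constructed\"\r\n"
             b"Content-Length: 0\r\n\r\n")
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.recv(1024)
                    conn.sendall(reply)
                except OSError:
                    pass  # a bare probe closes without sending; harmless

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_loopback_port():
    """Reserve a loopback port and release it, so nothing listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_check():
    """Probe the constructed listener and a closed port; return the verdicts."""
    open_port = start_fake_cwmp_listener()
    closed_port = closed_loopback_port()
    return {
        "listener": probe_tcp("127.0.0.1", open_port),
        "banner": http_banner("127.0.0.1", open_port),
        "closed": probe_tcp("127.0.0.1", closed_port),
    }


if __name__ == "__main__":
    import sys
    # Run from a machine OUTSIDE your LAN against the router's WAN address,
    # e.g. python3 probe7547.py 203.0.113.10 7547  (placeholder address)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7547
    verdict = probe_tcp(target, port)
    print(f"{target}:{port}/tcp is {verdict}")
    if verdict == "open":
        print("banner:", http_banner(target, port))
```

    Run it from a connection outside your own LAN against the WAN address your router reports; from inside the LAN you would only be probing the router's LAN interface, which is a different listener configuration. "filtered" from outside is what a router that silently drops unsolicited traffic (treatment #3) looks like, and is the result you want to see for 7547 unless your ISP has a documented reason for the port.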
  13. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    670
    OK thanks for your detailed response. I will check it out with ISP
     
  14. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    670
    @ TheWindBringeth How come it is safe to have port 80 open? Or does it just open to send a request and to receive the webpage
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,319
    Location:
    U.S.A.
    This Bullguard test is scanning the WAN side of your router. It does the same thing the GRC Shields Up test does.

    For example, I have a port open on my WAN side that is used by my desktop TV devices. It is the LAN side of the router that counts. My router's firewall blocks any connections from that WAN port except to the TV devices. If anyone wants to use those for a DDoS attack, complain to AT&T.
     
  16. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Very many systems have port 80 open because that is the "system port" aka "well known port" for HTTP service. HTTP servers open/listen on that port (by default, and perpetually in most cases), waiting for and responding to requests from clients. When an HTTP client wants to talk to an HTTP server the client can assume the server is available on port 80 (unless it is told otherwise).

    The HTTP client needs a port of its own, on the system it is running on. In the case of HTTP, the client port doesn't have to be well known and it will often be used in a temporary fashion. So the client uses a "dynamic port" aka "ephemeral port" for its side of the communication. The standard range for these ports is 49152 through 65535.

    In a typical home arrangement you'd normally want to see port 80 closed on a gateway router's WAN side. Because few need access to their router from the Internet side and if they do it would be better for them to use HTTPS or other encrypted protocol for access. However, you'd normally want for there to be a way to access the router from the LAN side. Many would make that HTTPS too, but in practice port 80 is probably available in numerous [default] setups.

    Where do you see port 80 open, or were you just asking a general question?
     
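    The server/client port split described in the post above can be watched directly. The following is an added example, not code from any participant: a constructed stand-in web server listens on a loopback ephemeral port (binding the real port 80 would need root), a client fetches a page from it, and the script records the ephemeral port the OS handed the client and checks whether anything is reachable on that client port once the exchange is over. Note that the dynamic-port range you will observe depends on the operating system: IANA recommends 49152-65535, but Linux's default is 32768-60999 (readable from /proc/sys/net/ipv4/ip_local_port_range), which the example uses when present.

```python
import socket
import threading

# Added example for this thread, not code from any participant. The server
# is a constructed stand-in for a web server on the well-known port 80; it
# uses a loopback ephemeral port because binding port 80 requires root.


def start_http_listener():
    """Constructed minimal HTTP server: answers every request with 200 OK."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def fetch(server_port):
    """Act as the HTTP client. Returns (client's local port, status line).
    The client never calls listen(); the OS picks a dynamic port for it
    and that port exists only for the life of this one connection."""
    with socket.create_connection(("127.0.0.1", server_port)) as c:
        client_port = c.getsockname()[1]   # the OS-picked ephemeral port
        c.sendall(b"GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
        status = c.recv(4096).split(b"\r\n", 1)[0].decode()
    return client_port, status


def is_listening(port):
    """True only if something accepts connections on this loopback port."""
    try:
        socket.create_connection(("127.0.0.1", port), timeout=1.0).close()
        return True
    except OSError:
        return False


def ephemeral_range():
    """Linux's dynamic-port range (default 32768-60999; IANA recommends
    49152-65535). Returns (lo, hi), or None on systems without /proc."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except OSError:
        return None


def demo():
    """Server port stays open; the client's port is gone once it is done."""
    server_port = start_http_listener()
    client_port, status = fetch(server_port)
    rng = ephemeral_range()
    return {
        "status": status,
        "server_still_listening": is_listening(server_port),
        "client_port_in_dynamic_range": rng is None or rng[0] <= client_port <= rng[1],
        "client_port_listening_afterwards": is_listening(client_port),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    This is the answer to "does it just open to send a request": the client side has no listener, so its port is reachable by nobody once the connection ends, while the server's well-known port stays open for as long as the server runs. A port a scanner reports as open on your WAN address is the second kind.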