
Consumer Broadband ISP Routers Exposed via New Backdoor Exploit (Netgear, Linksys, Cisco & others)

Discussion in 'Networks & Internet Connectivity' started by KIA, Jan 7, 2014.

  1. KIA

    Man of Honour

    Joined: Nov 14, 2004

    Posts: 13,512

    I forgot to post about this several days ago when the news broke. Thanks go to ISPReview for reminding me.

    Backdoor confirmed in (LISTENING ON THE INTERNET):

    • Cisco WAP4410N-E 2.0.1.0, 2.0.3.3, 2.0.4.2, 2.0.6.1 (issue 44)
    • Linksys WAG120N (@p_w999)
    • Netgear DG834B V5.01.14 (@domainzero)
    • Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
    • OpenWAG200 maybe a little bit TOO open ;) (issue 49)

    Backdoor confirmed in:

    • Cisco RVS4000 fwv 2.0.3.2 (issue 57)
    • Cisco WAP4410N (issue 11)
    • Cisco WRVS4400N
    • Cisco WRVS4400N (issue 36)
    • Diamond DSL642WLG / SerComm IP806Gx v2 TI (https://news.ycombinator.com/item?id=6998682)
    • LevelOne WBR3460B (http://www.securityfocus.com/archive/101/507219/30/0/threaded)
    • Linksys RVS4000 Firmware V1.3.3.5 (issue 55)
    • Linksys WAG120N (issue 58)
    • Linksys WAG160n v1 and v2 (@xxchinasaurxx @saltspork)
    • Linksys WAG200G
    • Linksys WAG320N (http://zaufanatrzeciastrona.pl/post...-ruterach-linksysa-i-prawdopodobnie-netgeara/)
    • Linksys WAG54G2 (@_xistence)
    • Linksys WAG54GS (@henkka7)
    • Linksys WRT350N v2 fw 2.00.19 (issue 39)
    • Linksys WRT300N fw 2.00.17 (issue 34)
    • Netgear DG834[∅, GB, N, PN, GT] version < 5 (issue 19 & issue 25 & issue 62 & jd & Burn2 Dev)
    • Netgear DGN1000 (don’t know if there is a difference with the others N150 ones… issue 27)
    • Netgear DGN1000 N150 (issue 3)
    • Netgear DGN2000B (issue 26)
    • Netgear DGN3500 (issue 13)
    • Netgear DGND3300 (issue 56)
    • Netgear DGND3300Bv2 fwv 2.1.00.53_1.00.53GR (issue 59)
    • Netgear DM111Pv2 (@eguaj)
    • Netgear JNR3210 (issue 37)


    http://www.ispreview.co.uk/index.ph...routers-exposed-via-new-backdoor-exploit.html
    https://github.com/elvanderb/TCP-32764
     
  2. Bane

    Mobster

    Joined: Jun 10, 2005

    Posts: 2,605

    Thanks for the heads up. Gives me a reason to upgrade if a manual firewall rule isn't enough.

    Wonder if Asus DSL-n55u and n66u are affected?
     
  3. KIA

    Man of Honour

    Joined: Nov 14, 2004

    Posts: 13,512

  4. Doco

    Wise Guy

    Joined: Aug 16, 2011

    Posts: 1,397

    Location: Ireland

    Probing my port eh - result -

    Port - 32764
    Status - Stealth
    Protocol and Application - Unknown Protocol for this port
    Unknown Application for this port

    Bt hub 3.0 Version A
     
  5. KIA

    Man of Honour

    Joined: Nov 14, 2004

    Posts: 13,512

  6. Cosimo

    Man of Honour

    Joined: Jan 9, 2007

    Posts: 163,531

    Location: Londinium

    Same on BT Home Hub 5 (Type A).
     
  7. thenewoc

    Mobster

    Joined: Mar 9, 2012

    Posts: 2,991

    Location: West Sussex, England

    Same on Technicolor 582n, not sure if the router stealths the port though or whether Kaspersky is doing it.
     
  8. Doco

    Wise Guy

    Joined: Aug 16, 2011

    Posts: 1,397

    Location: Ireland

    Good to know this - getting the hub 5 on Tuesday myself. Just curious, are you making use of the ac/5GHz and if so, what adapter are you using and what are your thoughts on it, thanks :)

    @thenewoc - you could always disable Kaspersky for just a few seconds and re-try the test, to see if it's the Technicolor or the antivirus :)
     
  9. KIA

    Man of Honour

    Joined: Nov 14, 2004

    Posts: 13,512

    It'll be the router unless you have the port forwarded.
     
  10. JAMAL

    Soldato

    Joined: Oct 19, 2002

    Posts: 6,936

    Same for me on 582n
     
  11. Ryan-3

    Soldato

    Joined: Sep 14, 2009

    Posts: 7,460

    Location: Northumberland

    My TP Link TD-W8968 has the same.

    Guessing that's good? Good! :)
     
  12. Bane

    Mobster

    Joined: Jun 10, 2005

    Posts: 2,605

    Had a disconnection from router so checked logs and found these two entries that relate to a custom firewall rule I made after this news story.

    Tue, 2014-06-03 18:55:45 - TCP Packet - Source:*****,***** Destination:*****,32764 - [backdoor rule match]
    Tue, 2014-06-03 19:21:46 - TCP Packet - Source:******,***** Destination:*****,32764 - [backdoor rule match]

    Looks like time to shop for a replacement modem router?
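As an added example (not code from the thread), a small Python parser for router firewall log entries in the format Bane quoted above; it pulls out the hits on TCP port 32764 and tallies the source addresses. The sample lines are constructed, with RFC 5737 documentation addresses in place of the masked ones.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the format of the log lines quoted in the thread;
# the masked addresses are replaced with documentation addresses.
SAMPLE_LOG = """\
Tue, 2014-06-03 18:55:45 - TCP Packet - Source:203.0.113.7,45120 Destination:192.0.2.10,32764 - [backdoor rule match]
Tue, 2014-06-03 19:21:46 - TCP Packet - Source:198.51.100.23,51822 Destination:192.0.2.10,32764 - [backdoor rule match]
Tue, 2014-06-03 19:30:02 - TCP Packet - Source:203.0.113.9,40001 Destination:192.0.2.10,443 - [default rule match]
garbage line that should be skipped
"""

# One regex for the whole line: timestamp, protocol, source, destination, rule tag.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>\w+) Packet - "
    r"Source:(?P<src>[^,]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[^,]+),(?P<dport>\d+) - "
    r"\[(?P<rule>[^\]]+)\]$"
)

BACKDOOR_PORT = 32764  # the port the TCP-32764 backdoor listens on


@dataclass
class Hit:
    timestamp: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    rule: str


def parse_log(text):
    """Parse firewall log text into Hit records; lines that do not match are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hits.append(Hit(m["ts"], m["proto"], m["src"], int(m["sport"]),
                        m["dst"], int(m["dport"]), m["rule"]))
    return hits


def backdoor_probes(hits):
    """Keep only TCP entries aimed at the backdoor port, whatever rule tag the router applied."""
    return [h for h in hits if h.proto == "TCP" and h.dport == BACKDOOR_PORT]


def sources_by_count(hits):
    """Count probe attempts per source address, so repeat scanners stand out."""
    return Counter(h.src for h in backdoor_probes(hits))
```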
     
  13. Orcvader

    Capodecina

    Joined: Oct 11, 2009

    Posts: 13,980

    Location: Havering

    Same on my Asus RT-N53... are you all using the white modem with BT Infinity by any chance?

    And I don't really understand what this result means... does that mean I'm safe?
     
  14. Bane

    Mobster

    Joined: Jun 10, 2005

    Posts: 2,605

    The above was from a Netgear DG834G V2.

    I probably only know of the packets sent because I made a firewall rule when the backdoor was first reported. Hopefully it won't get bypassed.