Some routers found to be listening on undocumented port

At a time when the NSA has been accused of intercepting data from PCs and online networks, a newly discovered flaw in many routers could allow people to remotely access the hardware and gain admin access, among other things.

The Netgear DGN2000 is one of the routers found to be listening on port 32764.

A few days ago, a known hacker named Eloi Vanderbeken posted a note on GitHub. He wrote about his discovery that his Linksys WAG200G wireless DSL gateway was listening on the undocumented TCP port 32764. He later found that the port was open on a number of other routers from Linksys, Netgear, Cisco and others. While some of these products have the port open only on their local network, several of them expose it when connected to the Internet.

So why do so many of these routers have this previously unknown port? It's not currently known, but the GHacks.net website offers up several ways to find out if a home or work router has this undocumented port active.

If the port is found, the site has a number of recommendations to close this vulnerability. They include adding a rule to the router's firewall to block port 32764 or downloading an open source firmware for the hardware. Of course, the easiest thing to do is simply replace the router with one that is not listening on the port.
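A minimal way to run that check against a router you administer, as an added example (not code from the article, the GitHub note or GHacks): it connects to TCP 32764 without sending anything and reports whether the port is closed, filtered or open. The "MMcS" banner is the response a commenter on this page reports; the byte-swapped "ScMM" and the default address 192.168.1.1 are assumptions.

```python
import socket
import sys

PORT = 32764  # undocumented TCP port named in the article
# "MMcS" is the response reported in the comments on this page;
# "ScMM" (the same four bytes swapped) is an assumption for other devices.
KNOWN_BANNERS = (b"MMcS", b"ScMM")


def probe(host, port=PORT, timeout=3.0):
    """Return (state, banner); state is 'closed', 'filtered' or 'open'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed", b""        # host answered, nothing is listening
    except OSError:
        return "filtered", b""      # timeout or unreachable: dropped or blocked
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(64)  # passive read only, nothing is sent
        except OSError:
            banner = b""            # no data before timeout, or reset by peer
    return "open", banner


def assess(host, port=PORT, timeout=3.0):
    """Classify one address: closed, filtered, open-unknown or exposed."""
    state, banner = probe(host, port, timeout)
    if state == "open" and any(tag in banner for tag in KNOWN_BANNERS):
        return "exposed"            # listening and answering with a known banner
    if state == "open":
        return "open-unknown"       # something listens here: still investigate
    return state


if __name__ == "__main__":
    # Pass the router's LAN address; run it again from outside the network
    # against the WAN address to see whether the port is Internet-facing.
    for host in sys.argv[1:] or ["192.168.1.1"]:  # default is an assumption
        print(f"{host}:{PORT} -> {assess(host)}")
```

After adding the firewall rule, a result of "filtered" or "closed" on both the LAN and WAN side is what you want to see; rerun the check after any firmware update.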

Source: GitHub and GHacks | Image via Netgear

44 Comments


Made a post a week ago about this, also other routers are affected by various backdoors:

Speedport: http://www.heise.de/netze/meld...elekom-Routern-1558346.html
D-Link: http://www.devttys0.com/2013/1...ineering-a-d-link-backdoor/
TP-Link: http://sekurak.pl/tp-link-httptftp-backdoor/
Cisco: https://web.archive.org/web/20.../cisco-sa-20040407-username

Not to mention counterfeit hardware with who knows what: http://www.mercurynews.com/bus...r-arrested-after-indictment

I highly recommend installing DD-WRT or OpenWRT. I won't use any routers that have original firmware because of stuff like this, it's ridiculous how incompetent these companies are.

You could brick your router and void your warranty but I think the benefits outweigh the risk. Use at your own risk: http://dd-wrt.com/site/support/router-database

Edited by Geezy, Jan 6 2014, 9:00pm :

You have to use their python script which initiates a specific way of interfacing with the router and then issue commands from there. You can't just use your browser to connect to the port.

francescob said,
How come they found this out now? It's not like portscans are really that rare...

From what I understand the port number is outside the range of ports defined by the IANA, so unless somebody knew to plug this port number into their software, most things wouldn't even look for it.

I guess these are for "remote management and diagnostics".

Virgin Media's routers have a similar feature, but it's only available over a cable connection, not the internet.

Likewise, all BT infinity modems (NOT the homehub) have BT agent built in, I flashed mine with an alternative firmware and have it disabled.

Actually I found out that it was listening to that port. With a telnet I get "MMcS" as response before the connection is reset. Added a rule in the firewall to block that port.

I would either put some open source firmware on it like Tomato or DD-WRT, or just get a different router. This backdoor is just the ones they've found out about. If one was intentionally placed there, who knows what else they did that people haven't found out about yet?

Been running DD-WRT firmware on my Linksys router for years with no problems. Just checked it for this vulnerability though using the web browser method, the online check, and the python program and I'm g2g.

I always bought routers that can use DD-WRT firmware. The only time that I put stock firmware on is when I have to return or replace the router.

recursive said,
An open source solution is always the best.

Indeed. If you want to hack a smartphone, it's best if it's Android.

OpenWRT

Been running it for years, any router I've bought has been because OpenWRT supports it well (And now Linksys are working with them directly to support new routers apparently)

LeGourmand said,
Easier to buy a new router than to block the port, what?

A firmware update may reopen the port is basically the premise for that statement

jakem1 said,
It would have been useful if the author had provided a list of routers that don't contain that vulnerability.

Not even the source does that, because there are too many! lol

Steven P. said,

A firmware update may reopen the port is basically the premise for that statement


I highly doubt there'll be new firmware for a DGN2000, that router is fairly old now