lanwarrior

join:2007-08-09
Los Angeles, CA

1 edit

2Wire 3801HGV - ports open (even when I didn't open it)

I have a 2WIRE 3801HGV and I did NOT open any ports, nor forward anything. I enabled the Firewall, with additional settings such as:
- Strict UDP session
- NO Inbound NetBIOS session
- etc..etc..

Running NMAP from my office (thus I am not connected to the U-Verse service), I see the following ports open:

- TCP 21: FTP
- TCP 25: SMTP
- TCP 80: HTTP
- TCP 110: POP
- TCP 143: IMAP
- TCP 443: HTTPS
- TCP 8080: ???
- TCP 3479: 2Wire RPC

The ones that concern me are those marked with the (*) above.

1). Why are these ports open when I explicitly did NOT open or forward them?

2). Is there any way I can block them?

3). If no. 2 is NO, can I turn the 2WIRE 3801HGV into a modem only instead of a modem/router hybrid? I have an unused ASUS RT-N56U router on which I can install custom firmware and make it the primary router.



Mangix

join:2012-02-16
united state

I'm gonna assume several things:

1. The IP that you're nmapping is the correct one.

2. You have no port forwards or any DMZ+'ed clients.

Resetting the RG to defaults should alleviate issues such as these. There should be a setting called something like "Stealth ports" in the advanced firewall settings which should fix this.

That being said, are you sure that the ports are OPEN and not CLOSED? AFAIK a port can be OPEN, CLOSED, or STEALTH, with the latter being the state where the router does not reply to a port scan.

As for turning the RG into a modem, not possible at this time. The best you can do is connect the ASUS router behind the 2Wire router and DMZ+ the ASUS router, giving it a public IP as well as all the ports open to it.


lanwarrior

join:2007-08-09
Los Angeles, CA

Yes, the IP address is correct. I tried it twice:

1). Through »www.whatismyip.com/
2). Using Dynamic DNS

I did not set up any port forwards or put anything on DMZ.

I went to Settings --> Firewall --> Advanced Configuration --> "Stealth Mode" and verified this was ALREADY checked.

The ports are open, according to NMAP:

Discovered open port 80/tcp
Discovered open port 25/tcp
Discovered open port 110/tcp
Discovered open port 21/tcp
Discovered open port 443/tcp
Discovered open port 8080/tcp
Discovered open port 143/tcp
Discovered open port 3479/tcp

For testing, I unplugged EVERYTHING from the 3801HGV and connected only the ASUS router. This ASUS router has been configured to block EVERYTHING. Then I configured the WAN IP address for the ASUS router and tested it again as follows:

I. ASUS router uses a private IP address from 2WIRE DHCP (192.168.1.xxx)
Run NMAP again (I was connected to the office via VPN, so all traffic is routed through there). The SAME IP addresses above are shown.

II. ASUS router uses a public IP address from 2WIRE
From 2WIRE, go to Settings --> LAN --> IP Address allocation and for the ASUS router select "Public (Select WAN IP mapping)". The ASUS WAN port now has the public IP address (99.xxx.xxx.xxx). Run NMAP again; the SAME IP addresses are shown.

Are there any other tests I should do to ensure the ports are NOT open on the 2Wire router? I am not a security expert, so other than NMAP port scanning from another network (not while connected to the U-Verse network), I am not sure what other tests I can do.

However, if my testing is correct, it seems that the 2WIRE router is opening up all the above ports to the Internet.



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:11
Reviews:
·SONIC.NET
·Pacific Bell - SBC

1 edit

said by lanwarrior:

However, if my testing is correct, it seems that the 2WIRE router is opening up all the above ports to the Internet.

Port 3479 shows up in an Internet search as registered by AT&T for their U-verse modems.

Nice! Pace bought 2Wire, and my ISP issued me a Pace 4111N-030 residential gateway. Guess which port is open!
quote:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2012-12-04 at 09:02:57

Results from scan of ports: 3470-3490

1 Ports Open
0 Ports Closed
20 Ports Stealth
---------------------
21 Ports Tested

NO PORTS were found to be CLOSED.

The port found to be OPEN was: 3479

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

I don't have AT&T service; it is Sonic.net, LLC "Fusion" service. The GRC Shields Up! graphic lists port 3479 as, "2Wire RPC".

Port 3479 is NOT listed as listening when I run 'netstat -an' at a command prompt. So you can see my Pace 4111N modem from the Internet, though I have no clue how secure it is; but you can't reach the equipment on the LAN.

I expect it is used for remote configuration of the modem. Without access to the lowest OS layer in the RG, I see no way to "stealth" this port.

FWIW, none of your other enumerated 2Wire open ports tested open on my Pace. Below 1030, and 1720, 5000:
quote:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2012-12-04 at 09:16:00

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

0 Ports Open
0 Ports Closed
26 Ports Stealth
---------------------
26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

Port 8080:
quote:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2012-12-04 at 09:16:53

Results from scan of ports: 8070-8090

0 Ports Open
0 Ports Closed
21 Ports Stealth
---------------------
21 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

Maybe AT&T is doing something with proxies, or maybe there are multiple issues with your hardware.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

lanwarrior

join:2007-08-09
Los Angeles, CA

Try to run the test using nmap or any other open source tool. Make sure you use a TCP SYN scan.



dahan

join:2000-10-25
Leander, TX
reply to lanwarrior

Maybe your office is running a transparent proxy that intercepts connections to those common ports. Have you tried accessing them the way they're supposed to be accessed to see what happens? E.g., try to ftp to your IP address, or open http://your.ip.address in a web browser, etc... if the ports really are open, you'll be able to connect, and maybe get some more info that way.

If the connections are actually going to your office proxy server, rather than to your U-Verse box, you don't need to worry about it.

BTW, 110 is POP3, and 143 is IMAP.



Mangix

join:2012-02-16
united state
reply to lanwarrior

conspiracy theory: AT&T is doing NAT. So those open ports are not yours. I have no idea...


lanwarrior

join:2007-08-09
Los Angeles, CA
reply to dahan

Crap, I was typing a response and Chrome crashed... Had to re-type.

Anyways, I have tried running the scan using 2 different mobile hotspots from Clear and T-Mobile, and in both cases NMAP shows the same ports open.

Is there a syntax I can use to check if the open ports really have open services? I.e., if I telnet to port 25, run some syntax to see if this is truly an SMTP service.

If there is a tool that can do that (I used to use Nessus, but they're no longer open source), let me know.

PS: I am now using the ASUS router as an "internal" firewall, so if it is determined that it is the 2WIRE modem/router that has the open ports, at least my internal network is still secured by the ASUS router. I am not sure if there is a performance issue with having a router connected to another router...



mackey
Premium
join:2007-08-20
kudos:8

said by lanwarrior:

Is there a syntax I can use to check if the open ports really have open services? I.e. if I telnet to port 25, run some syntax to see if this is truly an SMTP service.

Yes.

Port 25: ehlo test.example
If there's a mail server there it will respond with something like:
telnet gmail-smtp-in.l.google.com 25
Trying 74.125.25.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP zw4si4576639pbc.64
ehlo test.example
250-mx.google.com at your service, [76.171.149.106]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES
quit
221 2.0.0 closing connection zw4si4576639pbc.64
Connection closed by foreign host.
 
Both "ehlo test.example" and "quit" were typed by me.

For ports 80 and 8080: GET / HTTP/1.0 (and then hit 'Enter' twice)
telnet google.com 80
Trying 74.125.224.197...
Connected to google.com.
Escape character is '^]'.
GET / HTTP/1.0
 
HTTP/1.0 200 OK
Date: Wed, 05 Dec 2012 00:14:15 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=4683a86bd76be483:FF=0:TM=1354666455:LM=1354666455:S=TEj_dOEgqeCVVkI6; expires=Fri, 05-Dec-2014 00:14:15 GMT; path=/; domain=.google.com
Set-Cookie: NID=66=RsydMO-p4v_qBH_jrcbz9sM84wyPxivLSjgUvWL2NHPsj-qT2PIXBdpiXCpX88-NxsG_wdY4ZhSotKdVjGaOH0RMEMfyvKxEXrE_Tfa5oavkjvgtood6CK0pbv0-lhkq; expires=Thu, 06-Jun-2013 00:14:15 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
 
<!doctype html><html itemscope="itemscope" itemtype="http://schema.org/WebPage"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp" name="robots"><meta itemprop="image" content="/images/google_favicon_128.png"><title>Google</title><script>(function(){
window.google={kEI:"15G-UNfWM4WFiAL3pIGQCQ",getEI:function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI},https:function(){return"https:"==window.location.protocol},kEXPI:"25657,39523,39976,40363,4000116,4000473,4000566,4000945,4000955,4001372,4001456,4001569,4001855,4001933,4001959,4001966,4002000,4002036,4002048,4002161,4002240,4002348,4002359,4002378,4002391,4002436,4002460,4002466,4002510,4002562,4002710,4002733,4002756,4002789,4002883",kCSI:{e:"25657,39523,39976,40363,4000116,4000473,4000566,4000945,4000955,4001372,4001456,4001569,4001855,4001933,4001959,4001966,4002000,4002036,4002048,4002161,4002240,4002348,4002359,4002378,4002391,4002436,4002460,
...
 

/M
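The manual telnet checks mackey shows above, together with dahan's earlier suggestion that an office proxy might be the thing answering, can be scripted so the same verification is repeatable from any outside network. The following is an added example, not code from the thread or from 2Wire/AT&T; the hostnames (mx.example.test, office-proxy.example, probe.example), the Via/Proxy-* header heuristic and the two loopback listeners are constructed so it runs offline. It goes a little beyond ports 25 and 80: it also handles the greeting-first protocols in the original port list (FTP, POP3, IMAP), and because FTP and SMTP share the "220" greeting, the SMTP check sends EHLO rather than trusting the banner alone.

```python
"""Check whether a port a scanner reports as open really carries the service its
number suggests, by speaking the first lines of that protocol to it. Added example,
not the thread's code: the hostnames, the Via-header heuristic and the loopback
listeners are constructed so the check runs and is testable offline."""
import socket
import socketserver
import threading

GREETING_PREFIX = {"ftp": "220", "smtp": "220", "pop3": "+OK", "imap": "* OK"}

def _readline(f):
    return f.readline().decode("latin-1", "replace").rstrip("\r\n")

def probe(host, port, kind, timeout=5.0):
    """kind: 'ftp', 'smtp', 'pop3', 'imap' or 'http'. 'genuine' means the reply fits
    the protocol; for HTTP, 'proxy_suspected' flags Via/Proxy-* headers."""
    result = {"kind": kind, "connected": False, "genuine": False, "evidence": []}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = str(exc)
        return result
    result["connected"] = True
    try:
        with sock, sock.makefile("rwb") as f:
            if kind == "http":
                _probe_http(f, host, result)
            else:
                _probe_banner(f, kind, result)
    except OSError as exc:  # timeout on a silent listener, connection reset, etc.
        result["error"] = str(exc)
    return result

def _probe_http(f, host, result):
    # HTTP/1.0 so the server closes after one response, as in the telnet check.
    f.write(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
    f.flush()
    status, headers = _readline(f), {}
    while line := _readline(f):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result["evidence"] = [status] + [f"{k}: {v}" for k, v in headers.items()]
    parts = status.split()
    result["genuine"] = len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit()
    # A Via or Proxy-* header usually means a middlebox, not the gateway, answered.
    result["proxy_suspected"] = any(h == "via" or h.startswith("proxy-") for h in headers)

def _probe_banner(f, kind, result):
    greeting = _readline(f)
    result["evidence"].append(greeting)
    if not greeting.startswith(GREETING_PREFIX[kind]):
        return
    if kind != "smtp":  # FTP/POP3/IMAP: the greeting alone is the evidence
        result["genuine"] = True
        return
    f.write(b"EHLO probe.example\r\n")
    f.flush()
    replies = [_readline(f)]
    while len(replies[-1]) >= 4 and replies[-1][3] == "-":  # "250-" continues, "250 " ends
        replies.append(_readline(f))
    result["genuine"] = all(r.startswith("250") for r in replies)
    f.write(b"QUIT\r\n")
    f.flush()
    result["evidence"] += replies + [_readline(f)]

class FakeSmtp(socketserver.StreamRequestHandler):
    """Constructed stand-in for a mail server, for offline testing only."""
    def handle(self):
        try:
            self.wfile.write(b"220 mx.example.test ESMTP ready\r\n")
            if self.rfile.readline().upper().startswith(b"EHLO"):
                self.wfile.write(b"250-mx.example.test at your service\r\n"
                                 b"250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n")
            self.rfile.readline()
            self.wfile.write(b"221 2.0.0 closing connection\r\n")
        except OSError:  # client went away early, e.g. after a banner-only probe
            pass

class FakeProxy(socketserver.StreamRequestHandler):
    """Constructed stand-in for a transparent office proxy answering on any port."""
    def handle(self):
        while self.rfile.readline() not in (b"\r\n", b"\n", b""):
            pass
        try:
            self.wfile.write(b"HTTP/1.0 200 OK\r\nServer: proxy-like\r\n"
                             b"Via: 1.0 office-proxy.example\r\n\r\n")
        except OSError:
            pass

def start_listener(handler):
    """Start a loopback listener on an ephemeral port; returns (port, server)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv

if __name__ == "__main__":
    for handler, kind in ((FakeSmtp, "smtp"), (FakeProxy, "http"), (FakeProxy, "smtp")):
        port, srv = start_listener(handler)
        print(probe("127.0.0.1", port, kind, timeout=1.0))
        srv.shutdown()
```

Run directly, the three probes show the three outcomes that matter for this thread: a real mail server answers 220 and then 250 to EHLO; a proxy answers port 80 with a valid HTTP status but carries a Via header; and the same proxy probed as SMTP connects but sends nothing, so the probe times out with connected=True and genuine=False. Against the gateway itself, run probe() with its public address and the scanned port from a network outside U-Verse, as lanwarrior did with nmap, and compare the evidence lines with what the device's own web interface serves.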

ipman

join:2010-08-31
San Jose, CA

Only if you know the type of service it is running.

I found that TCP port 3476 is open on my 3600. Clearly, it is waiting for some data after connect. I just hope it is not a backdoor to access my LAN. Luckily, I have another router behind it to protect from this madness. But if someone hacked the 3600 and changed its DNS, I am screwed. Maybe it is time to use a public DNS like 8.8.8.8.

Port 25 will result in an immediate disconnect.