Topic '2Wire 3801HGV - ports open (even when I didn't open it)' in forum 'AT&T U-verse' - dslreports.com http://www.dslreports.com/forum/2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27785776 en Wed, 19 Jun 2013 14:24:42 EDT Wed, 19 Jun 2013 14:24:42 EDT Re: 2Wire 3801HGV - ports open (even when I didn't open it) http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27833174
I found that TCP port 3476 is open on my 3600. Clearly, it is waiting for some data after connect. I just hope it is not a backdoor to access my LAN. Luckily, I have another router behind it to protect from this madness. But if someone hacked the 3600 and change its DNS, I am screwed. Maybe it is time to use a public DNS like 8.8.8.8.

Port 25 will result in immediate disconnect. ]]> http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27833174 Mon, 17 Dec 2012 20:04:12 EDT Re: 2Wire 3801HGV - ports open (even when I didn't open it) http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27788412 said by lanwarrior:

Is there a syntax I can use to check if the open ports really have open services? I.e. if I telnet to port 25, run some syntax to see if this is truly an SMTP service.

Yes.

Port 25: ehlo test.example
If there's a mail server there it will respond with something like:
telnet gmail-smtp-in.l.google.com 25Trying 74.125.25.26...Connected to gmail-smtp-in.l.google.com.Escape character is '^]'.220 mx.google.com ESMTP zw4si4576639pbc.64ehlo test.example250-mx.google.com at your service, [76.171.149.106]250-SIZE 35882577250-8BITMIME250-STARTTLS250 ENHANCEDSTATUSCODESquit221 2.0.0 closing connection zw4si4576639pbc.64Connection closed by foreign host.
Both "ehlo test.example" and "quit" were typed by me.

For ports 80 and 8080: GET / HTTP/1.0 (and then hit 'Enter' twice)
telnet google.com 80Trying 74.125.224.197...Connected to google.com.Escape character is '^]'.GET / HTTP/1.0 HTTP/1.0 200 OKDate: Wed, 05 Dec 2012 00:14:15 GMTExpires: -1Cache-Control: private, max-age=0Content-Type: text/html; charset=ISO-8859-1Set-Cookie: PREF=ID=4683a86bd76be483:FF=0:TM=1354666455:LM=1354666455:S=TEj_dOEgqeCVVkI6; expires=Fri, 05-Dec-2014 00:14:15 GMT; path=/; domain=.google.comSet-Cookie: NID=66=RsydMO-p4v_qBH_jrcbz9sM84wyPxivLSjgUvWL2NHPsj-qT2PIXBdpiXCpX88-NxsG_wdY4ZhSotKdVjGaOH0RMEMfyvKxEXrE_Tfa5oavkjvgtood6CK0pbv0-lhkq; expires=Thu, 06-Jun-2013 00:14:15 GMT; path=/; domain=.google.com; HttpOnlyP3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."Server: gwsX-XSS-Protection: 1; mode=blockX-Frame-Options: SAMEORIGIN <!doctype html><html itemscope="itemscope" itemtype="http://schema.org/WebPage"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp" name="robots"><meta itemprop="image" content="/images/google_favicon_128.png"><title>Google</title><script>(function(){window.google={kEI:"15G-UNfWM4WFiAL3pIGQCQ",getEI:function(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||google.kEI},https:function(){return"https:"==window.location.protocol},kEXPI:"25657,39523,39976,40363,4000116,4000473,4000566,4000945,4000955,4001372,4001456,4001569,4001855,4001933,4001959,4001966,4002000,4002036,4002048,4002161,4002240,4002348,4002359,4002378,4002391,4002436,4002460,4002466,4002510,4002562,4002710,4002733,4002756,4002789,4002883",kCSI:{e:"25657,39523,39976,40363,4000116,4000473,4000566,4000945,4000955,4001372,4001456,4001569,4001855,4001933,4001959,4001966,4002000,4002036,4002048,4002161,4002240,4002348,4002359,4002378,4002391,4002436,4002460,...

/M]]> http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27788412 Tue, 04 Dec 2012 19:15:47 EDT Re: 2Wire 3801HGV - ports open (even when I didn't open it) http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27788042
Anyways, I have tried running the scan using 2 different mobile hotspots from Clear and T-Mobile and in both cases, NMAP shows the same ports open.

Is there a syntax I can use to check if the open ports really have open services? I.e. if I telnet to port 25, run some syntax to see if this is truly an SMTP service.

If there is a tool that can do that (I used to use Nessus, but they're no longer open source), let me know.

PS: I am now using the ASUS router as an "internal" firewall, so if it is determined that the 2WIRE modem/router that have the open ports, at least my internal network is still secured by the ASUS router. I am not sure if there is a performance issue for having a router connecting to another router...]]> http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27788042 Tue, 04 Dec 2012 17:05:40 EDT Re: 2Wire 3801HGV - ports open (even when I didn't open it) http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27787927 http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27787927 Tue, 04 Dec 2012 16:37:51 EDT Re: 2Wire 3801HGV - ports open (even when I didn't open it) http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27787060 http://your.ip.address in a web browser, etc... if the ports really are open, you'll be able to connect, and maybe get some more info that way.

If the connections are actually going to your office proxy server, rather than to your U-Verse box, you don't need to worry about it.

BTW, 110 is POP3, and 143 is IMAP.]]> http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27787060 Tue, 04 Dec 2012 12:39:09 EDT Re: 2Wire 3801HGV - ports open (even when I didn't open it) http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27786725 http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27786725 Tue, 04 Dec 2012 11:11:40 EDT Re: 2Wire 3801HGV - ports open (even when I didn't open it) http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27786002 said by lanwarrior:

However, if my testing is correct, it seems that the 2WIRE router is opening up all the above ports to the Internet.

Port 3479 shows up in an Internet search as registered by AT&T for their U-verse modems.

Nice! Pace bought 2Wire, and my ISP issued me a Pace 4111N-030 residential gateway. Guess which port is open!
quote:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2012-12-04 at 09:02:57

Results from scan of ports: 3470-3490

1 Ports Open
0 Ports Closed
20 Ports Stealth
---------------------
21 Ports Tested

NO PORTS were found to be CLOSED.

The port found to be OPEN was: 3479

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------


I don't have AT&T service; it is Sonic.net, LLC "Fusion" service. The GRC Shields Up! graphic lists port 3479 as, "2Wire RPC".

Port 3479 is NOT listed as listening when I run 'netstat -an' at a command prompt. So you can see my Pace 4111N modem from the Internet, though I have no clue how secure it is; but you can't reach the equipment on the LAN.

I expect it is used for remote configuration of the modem. Without access to the lowest OS layer in the RG, I see no way to "stealth" this port.

FWIW, none of your other enumerated 2Wire open ports tested open on my Pace. Below 1030, and 1720, 5000:
quote:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2012-12-04 at 09:16:00

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

0 Ports Open
0 Ports Closed
26 Ports Stealth
---------------------
26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------


Port 8080:
quote:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2012-12-04 at 09:16:53

Results from scan of ports: 8070-8090

0 Ports Open
0 Ports Closed
21 Ports Stealth
---------------------
21 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------


Maybe AT&T is doing something with proxies, or maybe there are multiple issues with your hardware.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum]]> http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27786002 Tue, 04 Dec 2012 04:25:02 EDT Re: 2Wire 3801HGV - ports open (even when I didn't open it) http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27785897
1). Through »www.whatismyip.com/
2). Using Dynamic DNS

I did not port forwards or put anything on DMZ.

I went to Settings --> Firewall --> Advanced Configuration --> "Stealth Mode" and verified this was ALREADY checked.

The ports are open, according to NMAP:

Discovered open port 80/tcp
Discovered open port 25/tcp
Discovered open port 110/tcp
Discovered open port 21/tcp
Discovered open port 443/tcp
Discovered open port 8080/tcp
Discovered open port 143/tcp
Discovered open port 3479/tcp

For testing, I unplug EVERYTHING from the 3801HGV and connect only the ASUS router. This ASUS router has been configured to block EVERYTHING. Then I configure the WAN IP address for the ASUS router and test it again as follow:

I. ASUS router uses private IP address from 2WIRE DHCP (192.168.1.xxx)
Run NMAP again (I was connected to the office via VPN, so all traffic are routed through there). The SAME IP addresses above are shown.

II. ASUS router uses public IP address from 2WIRE
From 2WIRE, go to Settings --> LAN --> IP Address allocation and for the ASUS router selected "Public (Select WAN IP mapping). The ASUS WAN port now have the public IP address (99.xxx.xxx.xxx). Run NMAP again, SAME IP addresses are shown.

Any other test I should do to ensure the ports were NOT open on the 2Wire router? I am not a security expert, so other than NMAP port scanning from another network (not while connected to the U-Verse network), I am not sure what other test I can do.

However, if my testing is correct, it seems that the 2WIRE router is opening up all the above ports to the Internet. ]]> http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27785897 Tue, 04 Dec 2012 01:09:31 EDT Re: 2Wire 3801HGV - ports open (even when I didn't open it) http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27785865
1. The IP that you're nmapping is the correct one.

2. You have no port forwards or any DMZ+'ed clients.

Resetting the RG to defaults should alleviate issues such as these. There should be a setting called something like "Stealth ports" in the advanced firewall settings which should fix this.

That being said, are you sure that the ports are OPEN and not CLOSED? AFAIK a port can be OPEN, CLOSED, or, STEALTH with the latter being the state where the router does not reply to a port scan.

As for turning the RG into a modem, not possible at this time. The best you can do is connecting the ASUS router behind the 2Wire router and DMZ+ing the ASUS router giving it a public IP as well as all the ports open to it.]]> http://www.dslreports.com/forum/Re-2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27785865 Tue, 04 Dec 2012 00:48:43 EDT 2Wire 3801HGV - ports open (even when I didn't open it) http://www.dslreports.com/forum/2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27785776 - Strict UDP session
- NO Inbound NetBIOS session
- etc..etc..

Running NMAP from my office (thus I am not connected to the U-Verse service), I see the following ports open:

- TCP 21: FTP
- TCP 25: SMTP
- TCP 80: HTTP
- TCP 110: POP
- TCP 143: IMAP
- TCP 443: HTTPS
- TCP 8080: ???
- TCP 3479: 2Wire RPC

The one that concern me are those with the (*) above.

1). Why are these ports open when I explicitly did NOT open or forward them?

2). Anyway I can block them?

3). If no. 2 is NO, can I turn the 2WIRE 3801HGV as a modem only instead of modem/router hybrid? I have an unused ASUS RT-N56U router that I can install custom firmware and make that as the primary router.]]> http://www.dslreports.com/forum/2Wire-3801HGV-ports-open-even-when-I-didnt-open-it-27785776 Tue, 04 Dec 2012 00:07:23 EDT