
Scanning ports of F5D7230-4

pasko (Anon, @Red-80-35-210.pooles):

Hi, guys:

I'm a bit intrigued about my Belkin: it shows TCP port 10101 as open!
Does anybody know something about this stuff? Has it been discussed before?

Regards.
Pasko.

hpkuo (Member, join:2001-04-29, Cupertino, CA):

A search of PCFlank's Port database »www.pcflank.com/ports_se ··· arch.htm shows:

Port/Protocol:
10101/TCP

Trojans using this port:
Brain Spy, New Silencer

Your system(s) might be infected.

nozero (MVM, "Eschew Obfuscation", join:1999-12-29, InnerSanctum) to pasko:

Per »www.iana.org/assignments ··· -numbers

ezmeeting-2 10101/tcp eZmeeting
ezmeeting-2 10101/udp eZmeeting
ezproxy-2 10102/tcp eZproxy
ezproxy-2 10102/udp eZproxy
ezrelay 10103/tcp eZrelay
ezrelay 10103/udp eZrelay

Do you have ezmeeting software installed?

pasko (Anon, @Red-80-35-210.pooles) to pasko:

No, I don't have this exotic eZmeeting software, nor do I think it should be infected, since it doesn't have a hard disk, and the port remains open after reboot.

Can anyone please test this on his router? i.e.:
telnet router_ip_address 10101

Thanx in advance.

jonazen (Premium Member, "Be Like Water My Friend", join:2004-02-18, Princeton Junction, NJ):

Probably only makes sense to do the test / scan from outside your privately addressed LAN.

That's why scanning in general should be done with a 3rd party site, like this one or Steve Gibson's "Shields Up" test.

For example - I just used the "Port Authority" test in Shields Up (at Steve Gibson's site at www.grc.com) to probe port 10101 at my router, and the text summary of the scan is as follows:

GRC Port Authority Report created on UTC: 2005-03-15 at 00:39:57

Results from probe of port: 10101

0 Ports Open
0 Ports Closed
1 Ports Stealth
---------------------
1 Ports Tested

THE PORT tested was found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

hpkuo (Member, join:2001-04-29, Cupertino, CA) to pasko:

said by pasko:
    nor I think it should be infected, since it doesn't have a hard disk, and the port remains opened after reboot.

The router cannot get infected. The computer that is connected to the router can and does though. Are you saying that your computer does not have hard drives?

sokhapkin (Premium Member, join:2003-05-08, North Fort Myers, FL):

The bkserver process listens on port 10101; it is used for the router quick-setup procedure from Belkin's installation CD. Here is a session on my F5D7230-4 (4.05.5 firmware with some hacks to enable telnet access to the router):

$ telnet 192.168.1.253
Trying 192.168.1.253...
Connected to 192.168.1.253.
Escape character is '^]'.
belkin login: root
Password:

BusyBox v1.00 (2005.02.26-18:45+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:80 *:* LISTEN
tcp 0 0 192.168.1.253:10101 *:* LISTEN
tcp 0 0 *:23 *:* LISTEN
tcp 0 0 192.168.1.253:23 192.168.1.2:37834 ESTABLISHED
udp 0 0 *:798 *:*
udp 0 0 *:799 *:*
udp 0 0 *:800 *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 302 /tmp/log_websock
unix 4 [ ] DGRAM 315 /dev/log
unix 2 [ ] DGRAM 1341
unix 2 [ ] DGRAM 317
~ # ps
PID Uid VmSize Stat Command
1 root 152 S init noinitrd
2 root SW [keventd]
3 root SWN [ksoftirqd_CPU0]
4 root SW [kswapd]
5 root SW [bdflush]
6 root SW [kupdated]
7 root SW [mtdblockd]
34 root 20 S bkserver
40 root 288 S httpd.real
44 root 68 S [netfilter_log]
51 root 172 S syslogd
53 root 156 S klogd
60 root 136 S telnetd
74 root SW [rpciod]
142 root 308 S -sh
145 root 184 R ps
~ # kill -9 34
~ # netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:80 *:* LISTEN
tcp 0 0 *:23 *:* LISTEN
tcp 0 0 192.168.1.253:23 192.168.1.2:37834 ESTABLISHED
udp 0 0 *:798 *:*
udp 0 0 *:799 *:*
udp 0 0 *:800 *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 302 /tmp/log_websock
unix 4 [ ] DGRAM 315 /dev/log
unix 2 [ ] DGRAM 1341
unix 2 [ ] DGRAM 317
~ #
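
Added example (editorial, not code from the thread): the netstat listing above is the evidence for the "LAN side only" conclusion, so here is a small BusyBox-compatible shell/awk helper that classifies each listening TCP socket by its bind address. A socket bound to "*" (or 0.0.0.0 / ::) accepts connections on every interface and is kept off the WAN only by the firewall rules; one bound to a specific address, like bkserver on 192.168.1.253:10101, only answers on that interface. The sample output is constructed from the session posted above; only the awk classifier is new.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the listening TCP sockets
# in a BusyBox "netstat -a" dump by bind address.
# The sample below is constructed from the session posted in the thread.

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:80 *:* LISTEN
tcp 0 0 192.168.1.253:10101 *:* LISTEN
tcp 0 0 *:23 *:* LISTEN
tcp 0 0 192.168.1.253:23 192.168.1.2:37834 ESTABLISHED
udp 0 0 *:798 *:*
udp 0 0 *:799 *:*
udp 0 0 *:800 *:*'

# classify_listeners: netstat output on stdin -> one line per listening TCP
# socket: "<port> <addr> <scope>", scope being all-interfaces or single-address.
classify_listeners() {
    awk '$1 == "tcp" && $NF == "LISTEN" {
        la = $4                           # "addr:port"; split on the LAST colon
        port = la; sub(/.*:/, "", port)   # so an IPv6 ":::80" still parses
        addr = la; sub(/:[^:]*$/, "", addr)
        if (addr == "*" || addr == "0.0.0.0" || addr == "::")
            scope = "all-interfaces"
        else
            scope = "single-address"
        print port, addr, scope
    }'
}

# listener_scope PORT: scope of one TCP port in the sample, empty if it is
# not listening at all.
listener_scope() {
    printf '%s\n' "$NETSTAT_SAMPLE" | classify_listeners | awk -v p="$1" '$1 == p { print $3 }'
}

# On the router itself you would run:  netstat -a | classify_listeners
printf '%s\n' "$NETSTAT_SAMPLE" | classify_listeners
```

For the sample this prints three lines: 80 and 23 as all-interfaces, 10101 as single-address on the LAN address. The all-interfaces binds are the ones worth probing from outside, as jonazen did with the Shields Up test.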

jlv (Member, "Cantankerous - Can't take errors", join:2001-11-02, Southborough, MA) to pasko:

Which telnetd did you use?

sokhapkin (Premium Member, join:2003-05-08, North Fort Myers, FL):

Busybox 1.0 (compiled as a static binary) built-in telnetd. The other changes I made:
1. Linux kernel recompiled to support squashfs and jffs2 (using Belkin's MIMO GPL sources and some OpenWrt patches).
2. Filesystem image is compressed with squashfs instead of cramfs for a better compression ratio.
3. Changed the start-up script to allow customization of the Linux boot process using an external tftp server.

preacherphil (Member, join:2004-07-20, Willshire, OH) to sokhapkin:

Is there room to add USB support? All the Ver 144X routers only need a few things to get USB working. I would like both flash memory support as well as printer support if possible.

Or am I dreaming.

Phil

sokhapkin (Premium Member, join:2003-05-08, North Fort Myers, FL):

To get printer support you'll need samba. 2M ROM is too small... The only way is to load usb drivers and samba from external tftp or www server on boot. 8M RAM should be enough.

GTFan (Member, join:2004-12-03, Austell, GA):

sokhapkin, have you thought about sharing info on how to load this firmware at the SeattleWireless Belkin page?

»www.seattlewireless.net/ ··· 7230_2d4

preacherphil (Member, join:2004-07-20, Willshire, OH):

sokhapkin:
I was thinking more along the lines of a Linux build that had USB memory support and booted from the USB memory. Use the USB flash memory drives as a RAM disk. USB memory cards are really cheap, and with a serial interface one could get these little boxes to do about anything one could want, within reason.

What would one need to do to get this to work?

Phil

pasko (Anon, @Red-80-35-210.pooles) to pasko:

sokhapkin:

Thank you for the info. I can rest better knowing that this process only listens in the LAN "side" of the router.

On the other hand: Are there any chances to get that image you were talkin' about, or to download something similar from somewhere? I've been reading a lot about the possibility of using a telnet (or ssh) daemon in the router (seattlewireless, openwrt, etc., but no success). :-(

Actually, I would like to power on/off the radio via command line, since it is not possible from the web interface, (and I leave the router powered on 24h/day).

Thanx in advance.

sokhapkin (Premium Member, join:2003-05-08, North Fort Myers, FL):

»www.sokhapkin.com/belkin-sq.trx

The image is in trx format; you have to use the tftp firmware upload method. Tested on a v2000 router only, use the firmware at your own risk. Always have a copy of your current firmware.

The only known issue - the power LED does not light after the router boots.

Here is the code showing how the firmware attempts to download from the tftp server and execute the start-up script:

#!/bin/sh
httpd.real&
door&
cd /tmp
tftp -g -r /belkin/rcscript -l rcscript `nvram get remote_config_ip`
sh rcscript 2>&1 >rcscript.log &

And the start-up script (rcscript) I'm using:

#!/bin/sh
FIRMWARESERVER=`nvram get remote_config_ip`
FIRMWAREPATH=/belkin
MODULESPATH=modules
NFSROOT=/home/belkin
# NFS mount options, the following options work best for me, YMMV.
NFSOPTS="nolock,soft"

syslogd
klogd

cd /tmp
tftp -g -r $FIRMWAREPATH/passwd -l passwd $FIRMWARESERVER
tftp -g -r $FIRMWAREPATH/group -l group $FIRMWARESERVER
tftp -g -r $FIRMWAREPATH/.profile -l .profile $FIRMWARESERVER
# wait for initialisation to complete
sleep 5
# close the door if telnetd started successfully
telnetd && killall door

NFSMODULES="sunrpc.o lockd.o nfs.o nfsswap.o"
for i in $NFSMODULES ; do
tftp -g -r $FIRMWAREPATH/$MODULESPATH/$i -l $i $FIRMWARESERVER
insmod ./$i
rm ./$i
done

mount -t nfs $FIRMWARESERVER:$NFSROOT /mnt -o $NFSOPTS
swapon /mnt/swap

[ -d /mnt/lib ] && mount -t nfs $FIRMWARESERVER:$NFSROOT/lib /lib -o $NFSOPTS
[ -d /mnt/usr ] && mount -t nfs $FIRMWARESERVER:$NFSROOT/usr /usr -o $NFSOPTS
[ -d /mnt/usr/src ] && mount -t nfs $FIRMWARESERVER:/mnt/sda/usr/portage/distfiles/src /usr/src -o $NFSOPTS

#local settings
rmmod led
insmod led ActLED=1 PowerLED=1 ConnectedLED=1
ifconfig br0:1 192.168.3.1
hostname belkin
echo "nameserver $FIRMWARESERVER" >>/etc/resolv.conf
echo "search `nvram get wan_domain`" >>/etc/resolv.conf
rdate $FIRMWARESERVER
route add default gw $FIRMWARESERVER

Happy hacking :-)
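
Added example (editorial, not code from the thread or from the firmware): the firmware snippet above fetches rcscript over TFTP and runs it as root, and TFTP carries no authentication, so anyone who can answer on `remote_config_ip` controls the boot. The usual mitigation is to pin the script to a digest stored in the image itself, which is what this stand-alone helper does. The fetch step is a stand-in function (plain `cp`) so the example runs on a PC without `tftp` or `nvram`; on the router you would replace its body with the `tftp -g` call. It assumes `sha256sum` is available (coreutils, or a BusyBox built with CONFIG_SHA256SUM); the expected digest must come from the firmware, not from the same TFTP server, or the check proves nothing.

```shell
#!/bin/sh
# Added example, not code from the thread or the firmware: only execute a
# fetched start-up script whose SHA-256 digest matches a value baked into
# the firmware image (passed in as an argument here).

# Where the script's output goes; the firmware snippet uses ./rcscript.log.
RC_LOG=${RC_LOG:-/tmp/rcscript.log}

# fetch_script SRC DST: stand-in for
#   tftp -g -r "$SRC" -l "$DST" "$(nvram get remote_config_ip)"
# On a PC it simply copies a local file so the example runs offline.
fetch_script() {
    cp "$1" "$2"
}

# sha256_of FILE: print the hex digest only (assumes sha256sum exists).
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_and_run SRC EXPECTED: fetch SRC, run it only if its digest equals
# EXPECTED. Returns the script's exit status, or 1 on fetch/digest failure.
verify_and_run() {
    src=$1; expected=$2
    tmp=$(mktemp) || return 1
    if ! fetch_script "$src" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    actual=$(sha256_of "$tmp")
    if [ "$actual" != "$expected" ]; then
        echo "rcscript rejected: digest $actual does not match $expected" >&2
        rm -f "$tmp"; return 1
    fi
    # ">file 2>&1" captures both streams in the log; the order used in the
    # posted snippet ("2>&1 >file") would leave stderr on the console.
    if sh "$tmp" >"$RC_LOG" 2>&1; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}
```

On the router the call would be `verify_and_run /belkin/rcscript <digest-from-firmware> &` in place of the unconditional `sh rcscript` line. It does not replace the TFTP-served passwd and group files' trust problem; those would need the same treatment.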

pasko (Anon, @Red-80-35-210.pooles) to pasko:

Thank you. Will test it ASAP.

Regards.

pasko (Anon, @Red-80-35-210.pooles) to pasko:

Hey! Didn't notice that portage directory. You're a Gentoo maniac as well!!!!!!!

Happy compilations.

I'll be back as soon as I get some results.

Thanx a lot again.