pasko (Anon, @Red-80-35-210.pooles) · 2005-Mar-14 4:18 pm
Scanning ports of F5D7230-4
Hi guys,
I'm a bit intrigued about my Belkin: it shows TCP port 10101 as open! Does anybody know something about this? Has it been discussed before?
Regards, Pasko.
hpkuo (Member, joined 2001-04-29, Cupertino, CA) · 2005-Mar-14 4:28 pm
A search of PCFlank's port database (www.pcflank.com/ports_se ··· arch.htm) shows:
Port/Protocol: 10101/TCP
Trojans using this port: Brain Spy, New Silencer
Your system(s) might be infected.
nozero (Eschew Obfuscation, MVM, joined 1999-12-29, InnerSanctum) · 2005-Mar-14 4:29 pm · to pasko
Per www.iana.org/assignments ··· -numbers:
ezmeeting-2  10101/tcp  eZmeeting
ezmeeting-2  10101/udp  eZmeeting
ezproxy-2    10102/tcp  eZproxy
ezproxy-2    10102/udp  eZproxy
ezrelay      10103/tcp  eZrelay
ezrelay      10103/udp  eZrelay
Do you have the eZmeeting software installed?
pasko (Anon, @Red-80-35-210.pooles) · 2005-Mar-14 4:34 pm · to pasko
No, I don't have this exotic eZmeeting software, nor do I think it is infected, since it doesn't have a hard disk, and the port remains open after a reboot.
Can anyone please test this on his router? i.e.: telnet router_ip_address 10101
Thanx in advance.
jonazen (Be Like Water My Friend, Premium Member, joined 2004-02-18, Princeton Junction, NJ) · 2005-Mar-14 7:41 pm
It probably only makes sense to do the test/scan from outside your privately addressed LAN.
That's why scanning in general should be done with a third-party site, like this one or Steve Gibson's "Shields Up" test.
For example, I just used the "Port Authority" test in Shields Up (at Steve Gibson's site, www.grc.com) to probe port 10101 at my router, and the text summary of the scan is as follows:
GRC Port Authority Report created on UTC: 2005-03-15 at 00:39:57
Results from probe of port: 10101
0 Ports Open, 0 Ports Closed, 1 Ports Stealth; 1 Ports Tested
THE PORT tested was found to be: STEALTH.
TruStealth: PASSED
- ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.
hpkuo (Member, joined 2001-04-29, Cupertino, CA) · 2005-Mar-14 8:30 pm · to pasko
said by pasko:
    nor do I think it is infected, since it doesn't have a hard disk, and the port remains open after a reboot.
The router cannot get infected. The computer that is connected to the router can, and does, though. Are you saying that your computer does not have hard drives?
sokhapkin (Premium Member, joined 2003-05-08, North Fort Myers, FL) · 2005-Mar-15 8:46 pm
The bkserver process listens on port 10101; it is used for the router quick-setup procedure from Belkin's installation CD. Here is a session on my F5D7230-4 (4.05.5 firmware with some hacks to enable telnet access to the router):

$ telnet 192.168.1.253
Trying 192.168.1.253...
Connected to 192.168.1.253.
Escape character is '^]'.

belkin login: root
Password:

BusyBox v1.00 (2005.02.26-18:45+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:80                    *:*                     LISTEN
tcp        0      0 192.168.1.253:10101     *:*                     LISTEN
tcp        0      0 *:23                    *:*                     LISTEN
tcp        0      0 192.168.1.253:23        192.168.1.2:37834       ESTABLISHED
udp        0      0 *:798                   *:*
udp        0      0 *:799                   *:*
udp        0      0 *:800                   *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     302    /tmp/log_websock
unix  4      [ ]         DGRAM                    315    /dev/log
unix  2      [ ]         DGRAM                    1341
unix  2      [ ]         DGRAM                    317
~ # ps
  PID  Uid     VmSize Stat Command
    1 root        152 S   init noinitrd
    2 root            SW  [keventd]
    3 root            SWN [ksoftirqd_CPU0]
    4 root            SW  [kswapd]
    5 root            SW  [bdflush]
    6 root            SW  [kupdated]
    7 root            SW  [mtdblockd]
   34 root         20 S   bkserver
   40 root        288 S   httpd.real
   44 root         68 S   [netfilter_log]
   51 root        172 S   syslogd
   53 root        156 S   klogd
   60 root        136 S   telnetd
   74 root            SW  [rpciod]
  142 root        308 S   -sh
  145 root        184 R   ps
~ # kill -9 34
~ # netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:80                    *:*                     LISTEN
tcp        0      0 *:23                    *:*                     LISTEN
tcp        0      0 192.168.1.253:23        192.168.1.2:37834       ESTABLISHED
udp        0      0 *:798                   *:*
udp        0      0 *:799                   *:*
udp        0      0 *:800                   *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     302    /tmp/log_websock
unix  4      [ ]         DGRAM                    315    /dev/log
unix  2      [ ]         DGRAM                    1341
unix  2      [ ]         DGRAM                    317
~ #
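Added example, not part of the thread or of the router firmware: a POSIX sh/awk routine that takes a BusyBox "netstat -a" listing like the one sokhapkin posted and separates listeners bound to one address (bkserver on 192.168.1.253:10101, reachable only from the LAN segment) from wildcard binds (httpd on *:80, telnetd on *:23), which accept connections on every interface and rely on the firewall to stay off the WAN. The listing is embedded as constructed sample input copied from the post; the function names are my own.

```shell
#!/bin/sh
# Added example: classify TCP listeners in BusyBox `netstat -a` output by
# bind address. A socket bound to "*" (or 0.0.0.0) accepts connections on
# every interface, WAN included unless the firewall drops them; a socket
# bound to the LAN address is only reachable from that segment.

# Constructed sample, copied from the netstat listing in the thread.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:80                    *:*                     LISTEN
tcp        0      0 192.168.1.253:10101     *:*                     LISTEN
tcp        0      0 *:23                    *:*                     LISTEN
tcp        0      0 192.168.1.253:23        192.168.1.2:37834       ESTABLISHED
udp        0      0 *:798                   *:*
udp        0      0 *:799                   *:*
udp        0      0 *:800                   *:*'

# Reads netstat output on stdin and prints one "SCOPE PORT" line per TCP
# socket in LISTEN state: ALL for a wildcard bind, LOCAL for an
# address-specific bind. Only the last colon-separated field is taken as
# the port, so an IPv6 local address would not confuse it.
classify_listeners() {
    awk '$1 == "tcp" && $NF == "LISTEN" {
        n = split($4, a, ":")      # "*:80" -> a[1]="*", a[2]="80"
        port = a[n]
        scope = (a[1] == "*" || a[1] == "0.0.0.0") ? "ALL" : "LOCAL"
        print scope, port
    }'
}

# Counts the wildcard listeners, i.e. the ones that need a firewall rule
# or an interface-specific bind before they can be called LAN-only.
count_wildcard_listeners() {
    classify_listeners | awk '$1 == "ALL" { c++ } END { print c + 0 }'
}

# Stand-alone run over the sample (or pipe a live `netstat -a` into it):
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
```

On the listing in the post this prints ALL 80, LOCAL 10101 and ALL 23: bkserver is the only service that is strictly LAN-side by its bind address; the web and telnet daemons are off the WAN only because the firewall keeps them so, which is exactly why an external probe (as jonazen did) is the test that matters.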
jlv (Cantankerous - Can't take errors, joined 2001-11-02, Southborough, MA) · 2005-Mar-16 9:37 am · to pasko
Which telnetd did you use?
sokhapkin (Premium Member, joined 2003-05-08, North Fort Myers, FL) · 2005-Mar-16 10:00 am
BusyBox 1.0 (compiled as a static binary) built-in telnetd. The other changes I made:
1. Linux kernel recompiled to support squashfs and jffs2 (using Belkin's MIMO GPL sources and some OpenWrt patches).
2. Filesystem image is compressed with squashfs instead of cramfs for a better compression ratio.
3. Changed the start-up script to allow customization of the Linux boot process using an external tftp server.
Phil · 2005-Mar-16 12:45 pm · to sokhapkin
Is there room to add USB support? All the Ver 144X routers only need a few things to get USB working. I would like both flash memory support as well as printer support, if possible.
Or am I dreaming?
Phil
sokhapkin (Premium Member, joined 2003-05-08, North Fort Myers, FL) · 2005-Mar-16 1:02 pm
To get printer support you'll need samba. 2M ROM is too small... The only way is to load the USB drivers and samba from an external tftp or www server on boot. 8M RAM should be enough.
GTFan (Member, joined 2004-12-03, Austell, GA) · 2005-Mar-16 9:13 pm
sokhapkin, have you thought about sharing info on how to load this firmware at the SeattleWireless Belkin page? www.seattlewireless.net/ ··· 7230_2d4
Phil · 2005-Mar-17 6:42 am · to sokhapkin
sokhapkin, I was thinking more along the lines of a Linux build that had USB memory support and booted from the USB memory. Use the USB flash memory drives as a RAM disk. USB memory cards are really cheap, and with a serial interface one could get these little boxes to do about anything one could want, within reason.
What would one need to do to get this to work?
Phil
pasko (Anon, @Red-80-35-210.pooles) · 2005-Mar-17 3:32 pm · to pasko
sokhapkin: Thank you for the info. I can rest better knowing that this process only listens on the LAN side of the router. On the other hand: are there any chances to get that image you were talking about, or to download something similar from somewhere? I've been reading a lot about the possibility of using a telnet (or ssh) daemon in the router (seattlewireless, openwrt, etc.), but with no success :-( Actually, I would like to power the radio on/off via the command line, since it is not possible from the web interface (and I leave the router powered on 24h/day). Thanx in advance.
sokhapkin (Premium Member, joined 2003-05-08, North Fort Myers, FL) · 2005-Mar-17 5:58 pm
www.sokhapkin.com/belkin-sq.trx
The image is in trx format; you have to use the tftp firmware upload method. Tested on a v2000 router only; use the firmware at your own risk. Always have a copy of your current firmware. The only known issue: the power LED does not light after the router boots. Here is the code showing how the firmware attempts to download the start-up script from the tftp server and execute it:

#!/bin/sh
httpd.real&
door&
cd /tmp
# fetch rcscript from the tftp server whose address is stored in nvram
tftp -g -r /belkin/rcscript -l rcscript `nvram get remote_config_ip`
# stdout goes to the log; with this redirection order stderr stays on the console
sh rcscript 2>&1 >rcscript.log &

And the start-up script (rcscript) I'm using:

#!/bin/sh
FIRMWARESERVER=`nvram get remote_config_ip`
FIRMWAREPATH=/belkin
MODULESPATH=modules
NFSROOT=/home/belkin
# NFS mount options, the following options work best for me, YMMV.
NFSOPTS="nolock,soft"

syslogd
klogd

# pull the account files and shell profile from the tftp server
cd /tmp
tftp -g -r $FIRMWAREPATH/passwd -l passwd $FIRMWARESERVER
tftp -g -r $FIRMWAREPATH/group -l group $FIRMWARESERVER
tftp -g -r $FIRMWAREPATH/.profile -l .profile $FIRMWARESERVER
# wait for initialisation to complete
sleep 5
# close the door if telnetd started successfully
telnetd && killall door

# fetch and load the NFS client modules one at a time
NFSMODULES="sunrpc.o lockd.o nfs.o nfsswap.o"
for i in $NFSMODULES ; do
    tftp -g -r $FIRMWAREPATH/$MODULESPATH/$i -l $i $FIRMWARESERVER
    insmod ./$i
    rm ./$i
done

mount -t nfs $FIRMWARESERVER:$NFSROOT /mnt -o $NFSOPTS
swapon /mnt/swap

[ -d /mnt/lib ] && mount -t nfs $FIRMWARESERVER:$NFSROOT/lib /lib -o $NFSOPTS
[ -d /mnt/usr ] && mount -t nfs $FIRMWARESERVER:$NFSROOT/usr /usr -o $NFSOPTS
[ -d /mnt/usr/src ] && mount -t nfs $FIRMWARESERVER:/mnt/sda/usr/portage/distfiles/src /usr/src -o $NFSOPTS

#local settings
rmmod led
insmod led ActLED=1 PowerLED=1 ConnectedLED=1
ifconfig br0:1 192.168.3.1
hostname belkin
echo "nameserver $FIRMWARESERVER" >>/etc/resolv.conf
echo "search `nvram get wan_domain`" >>/etc/resolv.conf
rdate $FIRMWARESERVER
route add default gw $FIRMWARESERVER

Happy hacking :-)
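Added example, mine and not part of sokhapkin's firmware: the boot sequence above fetches rcscript, passwd, group and the kernel modules over TFTP, which carries no authentication, and runs them as root, so whoever answers at the remote_config_ip address decides what the router executes at every boot. One way to fail closed is to pin a SHA-256 digest of rcscript in flash and refuse to run a fetched copy that does not match. The nvram key rcscript_sha256 and the presence of a SHA-256 tool (sha256sum, shasum or openssl; the 2005 BusyBox build on the router may only ship md5sum, so the tool name is an assumption to adapt) are my assumptions, as are the function names.

```shell
#!/bin/sh
# Added example: verify a TFTP-fetched boot script against a pinned
# SHA-256 digest before executing it as root. Not part of the original
# firmware. Assumes one of sha256sum, shasum or openssl is present; on the
# router's BusyBox that tool name would have to be adapted (assumption).

sha256_of() {
    # Print the lower-case hex SHA-256 of file $1, trying common tools in turn.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        return 1
    fi
}

verify_sha256() {
    # $1 = file, $2 = expected hex digest. Exit 0 on match, 1 otherwise.
    # A missing hash tool also yields 1, so the caller fails closed.
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

run_if_verified() {
    # $1 = fetched script, $2 = pinned digest. Runs the script with sh only
    # when the digest matches; otherwise deletes the fetched copy and fails.
    if verify_sha256 "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: digest mismatch or no hash tool" >&2
        rm -f "$1"
        return 1
    fi
}

# How it would slot into the firmware's boot sequence (assumed nvram key
# rcscript_sha256 holds the pin; the tftp line is the one from the post):
#   cd /tmp
#   tftp -g -r /belkin/rcscript -l rcscript "$(nvram get remote_config_ip)"
#   run_if_verified rcscript "$(nvram get rcscript_sha256)" >rcscript.log 2>&1 &
```

With the pin in nvram, a spoofed or compromised TFTP server can no longer push arbitrary root-level code at boot; the remaining trust boundary is whoever can write nvram, which is the same party that can already change remote_config_ip. The files rcscript itself fetches (passwd, group, the .o modules, the NFS root) would need the same treatment, since an attacker who controls the NFS server still supplies /lib and /usr.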
pasko (Anon, @Red-80-35-210.pooles) · 2005-Mar-19 6:50 am · to pasko
Thank you. Will test it ASAP. Regards.
pasko (Anon) · 2005-Mar-19 6:57 am · to pasko
Hey! Didn't notice that portage directory. You're a Gentoo maniac as well!
Happy compilations.
I'll be back as soon as I get some results.
Thanx a lot again.