4

I was port scanning my own isp-issued modem-router and stumbled upon something unsettling: looks like it is listening on ports 554, 7070 & 1863 on (almost) every ip of this interval: 192.168.0-255.1

I posted the full port scan on pastebin: here.

While most of those ip have port 554,7070 & 1863 there are some other ports that are being listened to only on specific subnets:

192.168.27.1 | 81/tcp open hosts2-ns | 7070/tcp open realserver 192.168.28.1 | 554/tcp open rtsp | 7070/tcp open realserver | 8888/tcp open sun-answerbook 192.168.42.1 | 81/tcp open hosts2-ns | 554/tcp open rtsp | 7070/tcp open realserver 192.168.44.1 | 81/tcp open hosts2-ns | 554/tcp open rtsp | 7070/tcp open realserver 192.168.183.1 | 554/tcp open rtsp | 7070/tcp open realserver | 8000/tcp open http-alt 192.168.230.1 | 110/tcp filtered pop3 | 554/tcp filtered rtsp | 1863/tcp filtered msnp | 7070/tcp filtered realserver 192.168.234.1 | 554/tcp filtered rtsp | 1863/tcp filtered msnp | 3306/tcp filtered mysql | 7070/tcp filtered realserver

Here is what I know about this modem:

  • It is a CPE by vodafone for use in europe (italy, germany) and NZ marketed as Vodafone Station Revolution or EasyBox 804 (altough this has a different fw from mine).
  • Extremely dumbed down web interface implemented as a plugin to Jungo (now Cisco) OpenRG 5.4 (Side question: the linux binaries look like they are from 2005. Is there any known exploit i should be aware of for this version of OpenRG?).

Can the community help me investigate the purpose of these open ports? I think it may be a possible security issue.

Improve this question
7
  • A quick Google search for vodafone and those ports shows 554 = RTSP, 7070 = DVR, 1863 = possibly Xbox. Commented Sep 11, 2016 at 20:35
  • @schroeder It may be those ports, but I have never seen a device use all the addresses 192.168.X.1 - why is it using almost 250 subnets? Would those be other user's routers possibly on the ISPs LAN Commented Sep 12, 2016 at 3:25
  • 1
    No, they cannot be on the ISP (private IP range). My guess is that they forward those ports to make it easier if you subnet your own network. It would reduce troubleshooting calls. Commented Sep 12, 2016 at 6:34
  • This modem has some streaming capability provided by dlna/twonky, but i explicitly disabled the feature in the control panel before scanning to be sure to have only the essential services. I will try enabling it and check if new ports show up. Commented Sep 12, 2016 at 12:26
  • Looks like they are somehow intercepting those port on wan hosts too. For example if I port scan the "example.com" domain i get port 7070 and 554 open. I don't think those are open on that server. I port scanned again using an online tool this time and those ports are reported as close. Commented Sep 12, 2016 at 12:30

1 Answer 1

Reset to default
1

Those are ports used in "media" servers- RTSP and realserver are streaming protocols, 1863 is a Microsoft notification protocol. Napster was for file sharing, etc.

Having the router listening on these ports on all internal networks isn't necessarily problematic, though the presence of ancient protocols like realserver and napster is certainly suggestive of age and therefore by implication of security issues.

The two things to look further into are:

  • what ports if any are open on the external interface?
  • can services listening on internal and external ports be disabled in configuration?

Going through configuration and disabling everything possible to disable should result in there being no listening ports on the external interface and no listening ports except for http (or https) on the internal interface.

There may still be security issues with the internal http port, of greater or lesser difficulty to find. It should be much faster to determine if the minimal level of assurance that unnecessary ports are closed can be achieved. If that level of assurance cannot be achieved then it goes without saying that there will be vulnerabilities on those unnecessarily open ports.

Improve this answer
2
  • Those ports are closed on the external interface if scanned with an online tool. I disabled everything but those ports still show up. See my comments to the question for more detail. Commented Sep 12, 2016 at 12:50
  • 1
    There is another possibility, alluded to in another comment, that those other networks are for other customers of the isp. You might try visiting the gateway IP on one or two other networks and seeing if your personal credentials work. Commented Sep 12, 2016 at 15:07

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.