Huge issue with Belkin router security
I have a Belkin wireless router (F5D8231-4 v5000) and I recently discovered a very troubling problem. It is running UPnP. I noticed a very huge lag in my network and was wondering why. I have heard of the botnets getting into the RAM of Linux routers through UPnP, but in the web interface I disabled it so I was not concerned. I have been busy with finals so I didn't worry about the lag and just kept working with the slow response. However, tonight the network went totally down and I had to restart the router. Out of curiosity I decided to scan my router after I restarted it and found: 49152/tcp open upnp Portable SDK for UPnP devices 1.3.1 (kernel 2.4.30; UPnP 1.0). This is very troubling because it is open to the public network and there is very little I can do to keep people from attacking it. I emailed Belkin and they said they will try to get back to me but it may be 72 hours. Is there anything I can do to protect my router?
|
Try disabling UPnP again via the web interface and then scan it and see if it is still running a service; the restart may have restarted the UPnP service. If the UPnP service is still running you will need to flash or unplug your router. You can usually flash your router from the web interface and then you can disable vulnerable services before connecting to the WAN/LAN. hf.
|
I tried disabling it again, and I have also upgraded to the latest firmware, but I still face the issue:

mbostwick ~ # nmap 192.168.2.1
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-13 20:50 CDT
Interesting ports on 192.168.2.1:
Not shown: 997 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
49152/tcp open  unknown
MAC Address: 00:1C:DF:XX:XX:XX(Belkin International)
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds

I understand 53 and 80 being opened. They are also closed externally; however, if I scan with my external IP I still show:

bostwick ~ # nmap X.X.X.X
Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-13 20:52 CDT
Interesting ports on static.unknown.X.com (X.X.X.X):
Not shown: 999 closed ports
PORT      STATE SERVICE
49152/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

Worse yet, when I scan for the UPnP service I show:

mbostwick ~ # upnpscan -t X.X.X.X(PUBLIC IP)
UPnP Discovery Tool v0.4 by patrik@cqure.net
--------------------------------------------
[192.168.2.1]
HTTP/1.1 200 OK
CACHE-CONTROL: max-age=100
DATE: Wed, 13 May 2009 18:56:06 GMT
EXT:
LOCATION: http://192.168.2.1:49152/description.xml
SERVER: Linux/2.4.30, UPnP/1.0, Portable SDK for UPnP devices/1.3.1
X-User-Agent: redsonic
ST: upnp:rootdevice
USN: uuid:X::upnp:rootdevice
|
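An added example, not part of the thread: one way to turn the discovery reply posted above into explicit findings, so the same check can be repeated after each firmware or settings change. The function names and finding labels are hypothetical, and 203.0.113.10 is a documentation address standing in for the public IP the poster elided.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the reply from the post, with the elided UUID kept as "X".
SAMPLE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=100\r\n"
    "DATE: Wed, 13 May 2009 18:56:06 GMT\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.168.2.1:49152/description.xml\r\n"
    "SERVER: Linux/2.4.30, UPnP/1.0, Portable SDK for UPnP devices/1.3.1\r\n"
    "X-User-Agent: redsonic\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:X::upnp:rootdevice\r\n\r\n"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(host):
    """True if host is a literal RFC 1918 (home LAN) IPv4 address."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def parse_ssdp(reply):
    """Return (status_line, headers) with header names lower-cased."""
    lines = reply.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers

def assess(probed_ip, reply, disabled_in_ui):
    """Findings for a discovery reply received after probing probed_ip."""
    status, h = parse_ssdp(reply)
    parts = status.split()
    if len(parts) < 2 or parts[1] != "200":
        return []  # no successful discovery reply, nothing to report
    findings = ["answers-while-disabled"] if disabled_in_ui else []
    if not is_lan(probed_ip):
        findings.append("reachable-from-wan")
        host = urlsplit(h.get("location", "")).hostname
        if host and is_lan(host):  # WAN probe answered with a LAN-side URL
            findings.append("location-is-lan-address")
    return findings
```

An empty list from a probe of the public address is the state to aim for; a non-empty list after the setting is switched off is what the poster observed.
|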
Screenshots
Here is the screen shot showing upnp is shut down
|
Does the Belkin router have a CLI?
If so you can try: netstat -natple to see what connections are active. nmap does not show active connections like netstat, only open ports where there might be services/applications listening. If you only have a web interface on your Belkin, take a look at your firewall rules, and close any ports not in use. If you have any kind of logging feature, try to enable it and see if it tells you anything.
|
I have done both. The firewall won't block the port, and there is no CLI, so I am not able to do much. Belkin has asked me to send in the router. It seems unwise to send it in if the problem is an application level issue.
|