LinuxQuestions.org
Old 05-08-2009, 04:30 AM   #1
mbostwick
Member
 
Registered: Feb 2009
Location: Where ever life takes me
Distribution: gentoo,opensuse,ubuntu, arch
Posts: 110

Rep: Reputation: 18
Huge issue with Belkin router security


I have a Belkin wireless router (F5D8231-4 v5000) and I recently discovered a very troubling problem. It is running UPnP. I noticed a huge lag in my network and was wondering why. I have heard of botnets getting into the RAM of Linux routers through UPnP, but in the web interface I disabled it, so I was not concerned. I have been busy with finals, so I didn't worry about the lag and just kept working with the slow response. However, tonight the network went totally down and I had to restart the router. Out of curiosity I decided to scan my router after I restarted it and found: 49152/tcp open upnp Portable SDK for UPnP devices 1.3.1 (kernel 2.4.30; UPnP 1.0). This is very troubling because it is open to the public network and there is very little I can do to keep people from attacking it. I emailed Belkin and they said they will try to get back to me, but it may be 72 hours. Is there anything I can do to protect my router?
 
Old 05-09-2009, 06:05 PM   #2
OnlyPeroxide
LQ Newbie
 
Registered: May 2009
Posts: 4

Rep: Reputation: 0
Try disabling upnp again via the web interface, then scan it and see if it is still running a service; the restart may have restarted the upnp service. If the upnp service is still running you will need to flash or unplug your router. You can usually flash your router from the web interface, and then you can disable vulnerable services before connecting to the wan/lan hf.

Last edited by OnlyPeroxide; 05-09-2009 at 07:10 PM.
 
Old 05-14-2009, 12:29 AM   #3
mbostwick
Member
 
Registered: Feb 2009
Location: Where ever life takes me
Distribution: gentoo,opensuse,ubuntu, arch
Posts: 110

Original Poster
Rep: Reputation: 18
I tried disabling it again, and I have also upgraded to the latest firmware, but I still face the issue:
mbostwick ~ # nmap 192.168.2.1

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-13 20:50 CDT
Interesting ports on 192.168.2.1:
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
49152/tcp open unknown
MAC Address: 00:1CF:XX:XX:XX(Belkin International)

Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds

I understand 53 and 80 being open. They are also closed externally; however, if I scan with my external IP I still show:
bostwick ~ # nmap X.X.X.X

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-13 20:52 CDT
Interesting ports on static.unknown.X.com (X.X.X.X):
Not shown: 999 closed ports
PORT STATE SERVICE
49152/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

Worse yet, when I scan for the upnp service I show:
mbostwick ~ # upnpscan -t X.X.X.X(PUBLIC IP)
UPnP Discovery Tool v0.4 by patrik@cqure.net
--------------------------------------------

[192.168.2.1]

HTTP/1.1 200 OK
CACHE-CONTROL: max-age=100
DATE: Wed, 13 May 2009 18:56:06 GMT
EXT:
LOCATION: http://192.168.2.1:49152/description.xml
SERVER: Linux/2.4.30, UPnP/1.0, Portable SDK for UPnP devices/1.3.1
X-User-Agent: redsonic
ST: upnp:rootdevice
USN: uuid:X::upnp:rootdevice
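
The two scans in the post above can be tied together mechanically: the SSDP reply's LOCATION header names the same port that nmap labels "unknown" on the external address. The following is an added example, not part of the original post; the function names are hypothetical and the sample input is constructed from the lines quoted above.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample input: lines taken from the scan output quoted in the post above.
NMAP_EXTERNAL = """PORT STATE SERVICE
49152/tcp open unknown
"""
SSDP_REPLY = """HTTP/1.1 200 OK
CACHE-CONTROL: max-age=100
EXT:
LOCATION: http://192.168.2.1:49152/description.xml
SERVER: Linux/2.4.30, UPnP/1.0, Portable SDK for UPnP devices/1.3.1
ST: upnp:rootdevice
"""

def open_tcp_ports(nmap_text):
    """TCP ports that nmap's normal output lists as open."""
    return {int(m.group(1))
            for m in re.finditer(r"^(\d+)/tcp\s+open\b", nmap_text, re.M)}

def parse_ssdp(reply):
    """Split an SSDP response into its status line and upper-cased headers."""
    lines = reply.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def is_private_host(host):
    """True for a private or reserved literal address; False for names or None."""
    try:
        return ip_address(host).is_private
    except (ValueError, TypeError):
        return False

def assess(external_nmap, ssdp_reply):
    """Correlate a scan of the external address with the device's SSDP reply."""
    _, hdr = parse_ssdp(ssdp_reply)
    loc = urlparse(hdr.get("LOCATION", ""))
    findings = []
    if loc.port in open_tcp_ports(external_nmap):
        findings.append(f"{loc.port}/tcp, open on the external address, is the UPnP description port")
    if is_private_host(loc.hostname):
        findings.append(f"LOCATION advertises LAN address {loc.hostname}")
    if "SERVER" in hdr:
        findings.append(f"stack identifies itself as: {hdr['SERVER']}")
    return findings
```

A scan of the external address run from inside the LAN can be answered by the router itself, so the first finding is worth confirming from a host outside the network.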
 
Old 05-14-2009, 12:33 AM   #4
mbostwick
Member
 
Registered: Feb 2009
Location: Where ever life takes me
Distribution: gentoo,opensuse,ubuntu, arch
Posts: 110

Original Poster
Rep: Reputation: 18
Screenshots

Here is the screenshot showing upnp is shut down
Attached image: screen.jpg
 
Old 05-14-2009, 01:30 AM   #5
rofe
LQ Newbie
 
Registered: May 2009
Posts: 4

Rep: Reputation: 0
Does the Belkin router have a CLI?
If so, you can try: netstat -natple to see what connections are active.

nmap does not show active connections like netstat, only open ports where there might be services/applications listening.

If you only have a web interface on your Belkin, take a look at your firewall rules and close any ports not in use.
If you have any kind of logging feature, try to enable it and see if it tells you anything.
 
Old 05-14-2009, 11:28 PM   #6
mbostwick
Member
 
Registered: Feb 2009
Location: Where ever life takes me
Distribution: gentoo,opensuse,ubuntu, arch
Posts: 110

Original Poster
Rep: Reputation: 18
I have done both. The firewall won't block the port and there is no CLI, so I am not able to do much. Belkin has asked me to send in the router. It seems unwise to send it in if the problem is an application-level issue.

Last edited by mbostwick; 05-15-2009 at 02:45 AM.
 
  

