Huge issue with belkin router security

mbostwick · 05-08-2009, 05:30 AM

I have a belken wireless router(F5D8231-4 v5000) and i recently discovered very troubling problem. It is running upnp. I noticed a very huge lag in my network and was wondering why, I have herd of the bot nets getting into the ram of linux routers, through upnp but in the web interface I disabled it so I was not concerned. I have been busy with finals so I didnt worry about the lag and just kept working with the slow response. However tonight the network went totally down and I had to restart the router. Out of curiosity I decided to scan my router after I restarted it and found: 49152/tcp open upnp Portable SDK for UPnP devices 1.3.1 (kernel 2.4.30; UPnP 1.0). This is very troubling because it is open to the public network and there is very little I can do to keep people from attacking it. I emailed belkin and they said they will try to get back to me but it may be 72 hours. Is there anything I can do to protect my router?

OnlyPeroxide · 05-09-2009, 07:05 PM

Try disabling upnp again via the web interface and then scan it and see if it is still running a service, the restart may have restarted the upnp service. If the upnp service is still running you will need to flash or unplug your router. You can usually flash your router from the web interface and then you can disable vulnerable services before connecting to the wan/lan hf.

mbostwick · 05-14-2009, 01:29 AM

I tried disabling it again, also I have upgraded to the latest firmware but still I face the issue!:
mbostwick ~ # nmap 192.168.2.1

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-13 20:50 CDT
Interesting ports on 192.168.2.1:
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
49152/tcp open unknown
MAC Address: 00:1C

F:XX:XX:XX(Belkin International)

Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds

I understand 53 and 80 being opened. They are also closed externally, however if I scan with my external ip i still show :
bostwick ~ # nmap X.X.X.X

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-05-13 20:52 CDT
Interesting ports on static.unknown.X.com (X.X.X.X):
Not shown: 999 closed ports
PORT STATE SERVICE
49152/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

worse yet when I scan for the service upnp i show:
mbostwick ~ # upnpscan -t X.X.X.X(PUBLIC IP)
UPnP Discovery Tool v0.4 by patrik@cqure.net
--------------------------------------------

[192.168.2.1]

HTTP/1.1 200 OK
CACHE-CONTROL: max-age=100
DATE: Wed, 13 May 2009 18:56:06 GMT
EXT:
LOCATION: http://192.168.2.1:49152/description.xml
SERVER: Linux/2.4.30, UPnP/1.0, Portable SDK for UPnP devices/1.3.1
X-User-Agent: redsonic
ST: upnp:rootdevice
USN: uuid:X::upnp:rootdevice

mbostwick · 05-14-2009, 01:33 AM

Here is the screen shot showing upnp is shut down

rofe · 05-14-2009, 02:30 AM

Does the Belkin router have a CLI?
If so you can try: netstat -natple to see what connections is active.

nmap does not show active connections like netstat, only open ports where there might be services/applications listening.

If you only have a webinterface on your Belkin, take a look at your firewall rules, and close any ports not in use.
If you have any kind of logging feature try to enable it, and see if it tells you anything.

mbostwick · 05-15-2009, 12:28 AM

I have done both. The firewall wont block the port, there is no cli, so I am not able to do much. Belkin has asked me to send in the router. It seems unwise to send it in if the problem is an application level issue.