Find out if your router is listening on backdoor port 32764

A few days ago it became public knowledge that some routers, devices used among other things to establish Internet connections, are listening on the undocumented port 32764.

At first it was found in only one device, the Linksys WAG200G, but it soon turned out that many other routers were listening on that port as well. Among the devices are the Cisco WAP4410N-E, the Netgear DGN2000, the OpenWAG200, and the LevelOne WBR3460B.

The list on the GitHub website is large, and it is likely that there are other affected routers that are not listed there yet. It seems to be predominantly Cisco, Linksys and Netgear devices that listen on the port, even though not all routers by the mentioned companies are affected by it. The Linksys WRT160Nv2, for example, is not listening.

It is currently not known why the routers are listening on that port. Many have suggested that this is yet another way for the NSA to spy on people around the world, and while that is a possibility, it is not the only one.

Find out if your router is listening on port 32764

If your router is not on the positive or negative list, you may want to find out if it is listening on port 32764, and if it is, stop the process to protect your systems.

There are several ways to find that out:

  1. Load http://yourRouterIP:32764/ in your web browser of choice. If affected, you should see ScMM or MMcS on the screen. I cannot confirm that this works for all setups though. You can check your IP address here.
  2. Run the Python script poc.py on your system. You do need Python installed on it for that to work though. Run the script in the following way: python poc.py --ip yourRouterIP. For instance python poc.py --ip 192.168.1.1
  3. If telnet is running, you can also use the command telnet yourRouterIP 32764 to find out if the router is vulnerable. You see ScMM or MMcS in that case on the command prompt.
  4. Alternatively, try running router backdoor scanner, a script that attempts to establish a connection on the port.
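
The check from steps 1 and 3 can also be scripted. The following is an added example, not the poc.py or scanner script mentioned above: it connects to the port, sends the kind of request a browser would, and looks for the ScMM or MMcS string. The function names and the three verdict labels are this example's own, and 192.168.1.1 is only the default address used in the article.

```python
import socket

SIGNATURES = (b"ScMM", b"MMcS")  # strings the article says an affected router shows


def classify(reply):
    """Map the first bytes read from the port to a verdict (labels are ours)."""
    if reply is None:
        return "closed"               # refused, unreachable or timed out
    if reply.startswith(SIGNATURES):
        return "listening-signature"  # matches what steps 1 and 3 describe
    return "open-no-signature"        # something else answers; look closer


def check_port(host, port=32764, timeout=3.0):
    """Connect as a browser would in step 1 and classify the reply."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return classify(None)         # nothing accepted the connection
    with sock:
        sock.settimeout(timeout)
        try:
            # Assumption: a plain HTTP request line, like the browser sends.
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            reply = sock.recv(16)
        except OSError:
            reply = b""               # port open, but silent or reset
    return classify(reply)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(host, check_port(host))
```

Run it from a machine on the LAN side against your own router, and run it again after applying one of the fixes below; "closed" is the result you want.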

Fixes if your router is leaking information

If your router is listening on port 32764, you may want to block this from happening. You have quite a few possibilities to cope with the situation and secure your system.

  1. Add a rule to the router's firewall to block the port 32764. How that is done depends on the model you are using. Usually, it involves loading the router's web interface on its local address, e.g. http://192.168.1.1/, typing in the password (on the back of the router usually if default), and finding the firewall or network options there.
  2. Install an Open Source firmware like Tomato or OpenWRT. Note that some have been reported to be vulnerable as well, so make sure you test again after you install.
  3. Get a router that is not affected by the vulnerability.

Testing

Once you have made changes, it is highly recommended to test for the vulnerability again to make sure that you have successfully blocked the port on your system.


Responses to Find out if your router is listening on backdoor port 32764

  1. Richard Steven Hack January 6, 2014 at 1:00 pm #

    My Netgear N300 WNR2000v4 isn't. :-)

  2. Maou January 6, 2014 at 1:27 pm #

    Tp-link wdr-4300 is clean!

  3. imu January 6, 2014 at 1:48 pm #

    TP-LINK users may want to try this:
    "If you want to know whether your router is affected by this
    vulnerability, you can find it out by performing the following steps:
    1. Open a browser and log in to your router
    2. Navigate to the DHCP settings and note the DNS servers (it may be
    0.0.0.0, which means that it uses the DNS server from your router's
    upstream internet connection)
    3. Open a new browser tab and visit the following URL (you may have to
    adjust the IP addresses if your router isn't using 192.168.1.1):

    192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=&dnsserver=8.8.4.4&dnsserver2=8.8.8.8&Save=%B1%A3+%B4%E6

    If your router is vulnerable, this changes the DNS servers to 8.8.4.4
    and 8.8.8.8 (the two IP addresses from Google Public DNS). Please note
    that the request also reverts the DHCP IP range and lease time to the
    default value.
    4. Go back to the first tab and reload the DHCP settings in the router
    web interface
    5. If you see the servers 8.8.4.4 and 8.8.8.8 for primary and secondary
    DNS, your router is vulnerable.
    6. Revert the DNS settings to the previous settings from step 2
    7. If your router is vulnerable, you may also upgrade it to the latest
    firmware and check whether it is still vulnerable."
    src: http://cxsecurity.com/issue/WLB-2013100223
    or this :
    192.168.0.1/userRpmNatDebugRpm26525557/linux_cmdline.html
    src: http://www.websec.ca/advisories/view/root-shell-tplink-wdr740

  4. imu January 6, 2014 at 1:52 pm #

    Help my helpful comment landed in your spam Martin

  5. InterestedBystander January 6, 2014 at 2:07 pm #

    Very useful info. Thanks. I use a CenturyLink combined router/modem, Zyxel PK5001z, and it appears to be OK.

  6. Ron January 6, 2014 at 4:21 pm #

    So if you load http://yourRouterIP:32764/ in your web browser and nothing happens does that mean the router is clean?

    • Martin Brinkmann January 6, 2014 at 4:34 pm #

      It depends on your setup, I would at least run a port scan (of that port) to make sure.

  7. GodHatesFigs January 6, 2014 at 5:29 pm #

    My D-Link is ok but those Chicago Jesus worshipping NSA scum sure are nosey bastards.

  8. Anony Mouse January 6, 2014 at 8:30 pm #

    You can use ShieldsUp! [https://www.grc.com/x/ne.dll?bh0bkyd2] to scan any port(s)/range you want.

    You can also set your system as a DMZ host on the router and handle all firewalling on your system instead of the router.

  9. P January 7, 2014 at 1:35 am #

    Netgear DGN1000 only allows you to firewall known services so you first add a service for port 32764 and then a firewall rule. The port becomes enabled again after power cycle.

  10. TheRube January 7, 2014 at 1:46 am #

    Hello Mr. Brinkmann and all:

    I don't know if this is helpful but I did a Port Check at Gibson's http://www.grc.com website and it indicated that my 32764 port is in "Stealthed" mode.
    (I guess this is OK?)

    TR

  11. Neil Ren January 7, 2014 at 3:39 am #

    I am wondering whether setting a firewall rule in the router really helps blocking port 32764, if Sercomm has decided to cooperate with security agencies for data monitoring?
    The situation could be more tricky for corporate and institute networks in which users cannot get control over the routers but only IT departments who are not always that responsive.
    Sercomm is a Taiwan chip manufacturer, does that suggest any possible explanation for this port listening? Just think about this: Linksys, Cisco, Netgear routers are everywhere in mainland China, and security agents can just drop in to these devices using this "secret port".

  12. Tom January 7, 2014 at 4:30 am #

    I remember years ago opening this port for one of my media apps. I'm thinking it was something like MythTV or Snapstream. The software used this one to stream media.
    I'm definitely sure I used 32764 for something of the sort back in the day. Heck, it could have even been for torrents or kazaa/bearshare/etc.

  13. Anony mouse is a troll January 7, 2014 at 7:05 am #

    Don't heed anything this guy is saying. Putting your host in the DMZ is hanging your ass out in the breeze. Betting that port scan info is getting trapped by the server as well. Really, really bad advice.

  14. Cygnis Media January 7, 2014 at 9:35 am #

    Why do you care about backdoor ports? When the ISP captures all traffic encrypted/decrypted.

  15. Don January 7, 2014 at 4:45 pm #

    Would this port be visible on TCPView?

  16. Nicole Miller January 7, 2014 at 5:49 pm #

    I think the free, online Open Port Check Tool may work as well: http://www.yougetsignal.com/tools/open-ports/

  17. Daniel January 7, 2014 at 5:51 pm #

    WRV-4400N is compromised, and adding rules in the firewall doesn't seem to block it. The only thing that seems to work is to do a single port forward and forward it to something that doesn't exist.

  18. Mike January 7, 2014 at 6:30 pm #

    My Cisco RVS4000 is compromised.

    I set up single port forwarding on TCP port 32764 to IP 1.1.1.1

    It seems to have done the trick from the WAN side.

  19. Oz January 7, 2014 at 10:13 pm #

    Cisco WRVS4400N is vulnerable. Setting up a firewall rule to completely block and log all attempts does NOT prevent telnet connection.

  20. Prowse! January 8, 2014 at 11:26 am #

    OK, come clean, and credit Steve Gibson from the reporting of this YESTERDAY, and ESET (NOD32 people) for doing the research LAST MONTH.

    And test the port WITHOUT using a dodgy Python script, test it at grc.com

    WOW.

  21. Ant January 11, 2014 at 9:02 am #

    $ python poc.py --ip 192.168.1.1
    probably not vulnerable (error: [Errno 111] Connection refused)

    Yay for my old Linksys WRT54GL v1.1 router!

  22. Marc January 29, 2014 at 6:39 pm #

    This article has more on this subject including another way to test a router from outside the LAN

    http://blogs.computerworld.com/network-security/23443/how-and-why-check-port-32764-your-router

  23. Smith February 4, 2014 at 11:52 pm #

    Nothing On My Box.. Router Sonicwall Tz215
