Scans Increase for New Linksys Backdoor (32764/TCP)
We do see a lot of probes for port 32764/TCP. According to a post on GitHub from 2 days ago, some Linksys devices may be listening on this port, enabling full unauthenticated admin access. [1]
At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network.
Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. By far the largest number of scans comes from 80.82.78.9. ShodanHQ has also been actively probing this port for the last couple of days.
https://isc.sans.edu/portascii.html?port=32764&start=2013-12-03&end=2014-01-02
Date | Records | Targets | Sources | TCP/UDP*100 |
Dec 5th | 10 | 2 | 3 | 90 |
Dec 9th | 11 | 2 | 5 | 100 |
Dec 10th | 17 | 5 | 6 | 100 |
Jan 2nd | 15068 | 3833 | 3 | 100 |
We only have 10 different source IP addresses originating more than 10 port 32764 scans per day over the last 30 days:
+------------+-----------------+----------+
| date       | source          | count(*) |
+------------+-----------------+----------+
| 2014-01-02 | 080.082.078.009 |    18392 |
| 2014-01-01 | 198.020.069.074 |      768 | <-- interesting... 3 days
| 2014-01-02 | 198.020.069.074 |      585 | <-- early hits from ShodanHQ
| 2014-01-02 | 178.079.136.162 |      226 |
| 2013-12-31 | 198.020.069.074 |      102 | <--
| 2014-01-02 | 072.182.101.054 |       74 |
+------------+-----------------+----------+
[1] https://github.com/elvanderb/TCP-32764
-----
Johannes B. Ullrich, Ph.D.
SANS Technology Institute