Scans Increase for New Linksys Backdoor (32764/TCP)

Published: 2014-01-02
Last Updated: 2014-01-02 22:13:53 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

We do see a lot of probes for port 32764/TCP . According to a post to github from 2 days ago, some Linksys devices may be listening on this port enabling full unauthenticated admin access. [1]

At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network. 

Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. The by far largest number of scans come from 80.82.78.9. ShodanHQ has also been actively probing this port for the last couple of days.

https://isc.sans.edu/portascii.html?port=32764&start=2013-12-03&end=2014-01-02

Date Records Targets Sources TCP/UDP*100
Dec 5th 10 2 3 90
Dec 9th 11 2 5 100
Dec 10th 17 5 6 100
Jan 2nd 15068 3833 3 100

We only have 10 different source IP addresses originating more then 10 port 32764 scans per day over the last 30 days:

+------------+-----------------+----------+
| date       | source          | count(*) |
+------------+-----------------+----------+
| 2014-01-02 | 080.082.078.009 |    18392 |
| 2014-01-01 | 198.020.069.074 |      768 |<-- interesting... 3 days
| 2014-01-02 | 198.020.069.074 |      585 |<--    early hits from ShodanHQ
| 2014-01-02 | 178.079.136.162 |      226 |
| 2013-12-31 | 198.020.069.074 |      102 |<--    
| 2014-01-02 | 072.182.101.054 |       74 |
+------------+-----------------+----------+

 

[1] https://github.com/elvanderb/TCP-32764

-----
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: backdoor linksys port
5 comment(s)

Comments

As I read the articles regarding this, the attacker needs to be on the local network to exploit this vulnerability, so the scans don't seem to have a point. Did I miss something, or is this just "research" to see how many devices are actually in use?
While many may dismiss local access needed as not a problem, is it really that hard to compromise a Windows (or even Mac) computer? How many exploits are available for Android and, to a lesser extent, Iphone? From there, an external attacker *IS* inside and "local".
[quote=comment#28997]While many may dismiss local access needed as not a problem, is it really that hard to compromise a Windows (or even Mac) computer? How many exploits are available for Android and, to a lesser extent, Iphone? From there, an external attacker *IS* inside and "local".[/quote]

I agree. Stick with Assumption of Breach.
The purpose of your Firewall, or your NAT boundary is _not_ to let the admin relax and not worry about exploits that require crossing said boundary and being local, to complete the exploit.

The purpose of the Firewall or NAT boundary is to mitigate risk, and if you're ignoring a security vulnerability because it's local-only, then you increase risk, and the potential impact.

In some cases, the totality of the risk might be higher, than if you had no Firewall, and were instead highly vigilant :)


Local backdoors are a critical problem, and should be repaired with urgency.
Remote code execution on a firewalled port is also a critical problem, and should be repaired with urgency.

Locally exploitable Priv esc vulnerabilities are also a critical problem, and should be repaired with urgency.
There are now indications, that the back door can be accessed remotely. See, for example, https://twitter.com/elvanderb, http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/.
[quote=comment#29006]There are now indications, that the back door can be accessed remotely. See, for example, https://twitter.com/elvanderb, http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/.[/quote]

Thank you John, that was what I was looking for!

Diary Archives