[Dshield] netgear rp114 & port 110 open

Josh Tolley josh at raintreeinc.com
Sat Feb 14 23:38:19 GMT 2004

warpmedia wrote:
> While connected from a client's site, I decided to run a port scan of my 
> home system's IP and found port 110 open.

Excellent idea :) Kinda fun, too, I think.

> The system is protected by an 
> RP114 with a custom set of rules that are supposed to block all 
> attempts to connect.
> Question is does anyone else here have an RP114 and know why this <1024 
> port is scannable/telnetable? I get nothing entering POP3 commands, yet 
> telnet does definitely connect to port 110.

Weird... You don't have some port forwarding set up, do you? For 
example, say you have a rule set up to forward to some internal IP ... 
and nothing waiting at that IP for that traffic. It is a *really* long 
shot, but it could be that the router OS sucks enough to let telnet 
connect despite the lack of a waiting box on the other side.

> Could this be Comcast's servers doing some sort of intercept of port 110 
> and not my system at all? 

Possibly; it probably wouldn't be all that difficult... any thoughts as 
to why they would care, though? My understanding is Comcast (with whom I 
have no personal experience, I admit) isn't the most responsive when it 
comes to security. Hijacking their users' ports is an interesting thing 
to do if you don't particularly care about security.

> Is there a way I can grab remote MAC & see if 
> it's my RP114?

Not really. As soon as the packet crosses from your home router into 
some other collision domain, the source MAC gets changed, and the 
original is forgotten.

> I know the IP is correct as I have the daily logs sent to 
> me and that is the IP from last night's log.

So you have some other options... 1) Go to someone else's network 
outside of Comcast and try the same scan again -- see if you get the 
same results (you probably will). 2) I don't know what your router is 
logging specifically, but you can do some noisy scan or something that 
will show up in the logs and then check the next email your router sends 
you to see if it really is in there. 3) If you have the hardware 
available, pull your router out for a while and put it between two boxen 
with sniffers, nmap, etc., and hammer on it to see what you can find out.

> Joshua MacCraw
> warpmedia at comcast.net
> http://mywebpages.comcast.net/jmaccraw  

Good luck...

Josh Tolley
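
An added example, not part of the original message: a small probe that separates the cases discussed in this thread, namely a port that refuses the connection, one that completes the TCP handshake but never sends a POP3 greeting (what the telnet test showed), and one that answers with the "+OK" greeting a POP3 server sends on connect (RFC 1939). The names probe_pop3, start_listener and demo are hypothetical, and the loopback listeners are constructed stand-ins so the code runs offline.

```python
import socket
import threading
import time

def probe_pop3(host, port=110, timeout=3.0):
    """Classify a TCP port as closed, filtered, silent, pop3-banner or other-banner."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"            # RST came back: nothing is listening
    except OSError:
        return "filtered"          # timeout or unreachable: dropped on the way
    with sock:
        try:
            data = sock.recv(512)  # a POP3 server speaks first (RFC 1939)
        except OSError:
            return "silent"        # handshake completed, no greeting arrived
    if not data:
        return "silent"            # peer closed without sending anything
    return "pop3-banner" if data.startswith(b"+OK") else "other-banner"

def start_listener(greeting):
    """Constructed loopback stand-in: accept once, send greeting, hold open."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if greeting:
            conn.sendall(greeting)
        time.sleep(1.0)            # keep the connection open like an idle proxy
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Run the probe against three constructed loopback cases."""
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                  # nothing listens on this port any more
    return {
        "real": probe_pop3("127.0.0.1", start_listener(b"+OK ready\r\n"), 0.5),
        "silent": probe_pop3("127.0.0.1", start_listener(b""), 0.5),
        "closed": probe_pop3("127.0.0.1", closed_port, 0.5),
    }
```

A "silent" result from probe_pop3 matches what the telnet test in the thread showed: something accepts the connection, but it is not a POP3 server answering.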
