[Dshield] netgear rp114 & port 110 open

warpmedia warpmedia at comcast.net
Mon Feb 16 15:14:45 GMT 2004


inline:

At 05:38 PM 2/14/2004, Josh Tolley wrote:
>warpmedia wrote:
>>While connected from a client's site, I decided to run a port scan of my 
>>home system's IP and found port 110 open.
>
>Excellent idea :) Kinda fun, too, I think.
>
>>The system is protected by an RP114 with a custom set of rules that are 
>>supposed to block all attempts to connect.
>>Question is does anyone else here have a RP114 and know why this <1024 
>>port is scannable/telnetable? I get nothing entering POP3 commands, yet 
>>telnet does definitely connect to port 110.
>
>Weird... You don't have some port forwarding set up, do you? For example, 
>say you have a rule set up to forward to some internal IP ... and nothing 
>waiting at that IP for that traffic. It is a *really* long shot, but it 
>could be that the router OS sucks enough to let telnet connect despite the 
>lack of a waiting box on the other side.

No forwarding, in fact I was under the impression that my rules blocked all 
protocols destined for ports <1024 as I run no servers or port forwards 
into my LAN.




>>Could this be Comcast's servers doing some sort of intercept of port 110 
>>and not my system at all?
>
>Possibly; it probably wouldn't be all that difficult... any thoughts as to 
>why they would care, though? My understanding is Comcast (with whom I have 
>no personal experience, I admit) isn't the most responsive when it comes 
>to security. Hijacking their users' ports is an interesting thing to do if 
>you don't particularly care about security.
>
>>Is there a way I can grab remote MAC & see if it's my RP114?
>
>Not really. As soon as the packet crosses from your home router into some 
>other collision domain, the source MAC gets changed, and the original is 
>forgotten.
>
>>I know the IP is correct as I have the daily logs sent to me and that is 
>>the IP from last night's log.
>
>So you have some other options... 1) Go to someone else's network outside 
>of Comcast and try the same scan again -- see if you get the same results 
>(you probably will). 2) I don't know what your router is logging 
>specifically, but you can do some noisy scan or something that will show 
>up in the logs and then check the next email your router sends you to see 
>if it really is in there. 3) If you have the hardware available, pull your 
>router out for a while and put it between two boxen with sniffers, nmap, 
>etc., and hammer on it to see what you can find out.

When I get back in a few days I'll have to check my syslog server to see if 
the scan showed up as I haven't gotten any alerts for the scan I did but 
still am getting the content filter log of URLs browsed by the systems 
there (mostly time updates by the router as I am not there using them).

I've never noticed the port being open when doing any of the scans from 
sites like GRC.



Joshua MacCraw
warpmedia at comcast.net
http://mywebpages.comcast.net/jmaccraw 
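
An added example, not part of the original message: the symptom in this thread (telnet connects to port 110 but POP3 commands get no reply) can be checked from a script by reading the server greeting, since a real POP3 server sends "+OK" as soon as the connection opens (RFC 1939). The names classify_port and demo_listener are hypothetical, and the local listeners are constructed stand-ins for the remote host.

```python
import socket
import threading
import time

def classify_port(host, port, timeout=3.0):
    """Classify a TCP port by what happens on connect and in the first bytes read."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"                    # RST returned: nothing is listening
    except OSError:
        return "filtered-or-unreachable"   # timeout or routing error: no handshake
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(512)        # POP3 servers greet first
        except OSError:
            return "open-silent"           # handshake completed, no greeting sent
        if not banner:
            return "open-silent"           # peer closed without sending anything
        if banner.startswith(b"+OK"):
            return "open-pop3"             # looks like a real POP3 service
        return "open-other"                # some other service answers on the port

def demo_listener(greeting):
    """Constructed local stand-in: accept one connection, send greeting (may be b'')."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))             # ephemeral port on loopback only
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if greeting:
                conn.sendall(greeting)
            time.sleep(1.0)                # hold open so the client sees silence, not EOF
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # A device that completes the handshake but never speaks POP3.
    print("silent:", classify_port("127.0.0.1", demo_listener(b""), 0.5))
    # A genuine POP3 greeting for comparison.
    print("pop3  :", classify_port("127.0.0.1", demo_listener(b"+OK ready\r\n"), 0.5))
```

Running the same check from a network inside and outside the ISP, as suggested in the reply above, shows whether the answer changes with the path taken.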