[Dshield] netgear rp114 & port 110 open

warpmedia warpmedia at comcast.net
Mon Feb 16 15:14:45 GMT 2004


At 05:38 PM 2/14/2004, Josh Tolley wrote:
>warpmedia wrote:
>>While connected from a client's site, I decided to run a port scan of my 
>>home system's IP and found port 110 open.
>Excellent idea :) Kinda fun, too, I think.
>>The system is protected by an RP114 with a custom set of rules that are 
>>supposed to block all attempts to connect.
>>Question is does anyone else here have an RP114 and know why this <1024 
>>port is scannable/telnetable? I get nothing entering POP3 commands, yet 
>>telnet does definitely connect to port 110.
>Weird... You don't have some port forwarding set up, do you? For example, 
>say you have a rule set up to forward to some internal IP ... and nothing 
>waiting at that IP for that traffic. It is a *really* long shot, but it 
>could be that the router OS sucks enough to let telnet connect despite the 
>lack of a waiting box on the other side.

No forwarding, in fact I was under the impression that my rules blocked all 
protocols destined for ports <1024 as I run no servers or port forwards 
into my LAN.

>>Could this be Comcast's servers doing some sort of intercept of port 110 
>>and not my system at all?
>Possibly; it probably wouldn't be all that difficult... any thoughts as to 
>why they would care, though? My understanding is Comcast (with whom I have 
>no personal experience, I admit) isn't the most responsive when it comes 
>to security. Hijacking their users' ports is an interesting thing to do if 
>you don't particularly care about security.
>>Is there a way I can grab remote MAC & see if it's my RP114?
>Not really. As soon as the packet crosses from your home router into some 
>other collision domain, the source MAC gets changed, and the original is 
>>I know the IP is correct as I have the daily logs sent to me and that is 
>>the IP from last night's log.
>So you have some other options... 1) Go to someone else's network outside 
>of Comcast and try the same scan again -- see if you get the same results 
>(you probably will). 2) I don't know what your router is logging 
>specifically, but you can do some noisy scan or something that will show 
>up in the logs and then check the next email your router sends you to see 
>if it really is in there. 3) If you have the hardware available, pull your 
>router out for a while and put it between two boxen with sniffers, nmap, 
>etc., and hammer on it to see what you can find out.

When I get back in a few days I'll have to check my syslog server to see if 
the scan showed up as I haven't gotten any alerts for the scan I did but 
still am getting the content filter log of URLs browsed by the systems 
there (mostly time updates by the router as I am not there using them).

I've never noticed the port being open when doing any of the scans from 
sites like GRC.

Joshua MacCraw
warpmedia at comcast.net
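
The symptom discussed in this thread (telnet connects to port 110, but POP3 commands get no reply) can be told apart from a real POP3 listener by waiting for the greeting, because a POP3 server speaks first with `+OK`. The following is an added example, not part of the original messages; the function names and the two local listeners are constructed for illustration.

```python
import socket
import threading

def classify_port(host, port, timeout=3.0):
    """Connect, then wait for a greeting; a POP3 server sends '+OK ...' first."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"          # RST came back: nothing is listening
    except OSError:
        return "filtered"        # no answer (timeout/unreachable): dropped on the way
    with s:
        try:
            banner = s.recv(512)
        except socket.timeout:
            return "open-silent"  # handshake completed, but no service ever spoke
        except OSError:
            return "open-reset"   # accepted, then torn down before any data
    if banner.startswith(b"+OK"):
        return "open-pop3"        # a real POP3 greeting
    return "open-other" if banner else "open-eof"

def start_listener(greeting):
    """Constructed stand-in on 127.0.0.1: accepts one connection, optionally greets."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))    # port 0: let the OS pick a free port
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if greeting:
            conn.sendall(greeting)
        threading.Event().wait(1.0)  # hold the connection open without speaking
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def run_constructed_demo():
    """Classify a silent listener and a greeting listener (both constructed)."""
    silent = start_listener(None)
    pop3 = start_listener(b"+OK constructed POP3 greeting\r\n")
    return {
        "silent": classify_port("127.0.0.1", silent, 0.5),
        "pop3": classify_port("127.0.0.1", pop3, 0.5),
    }

if __name__ == "__main__":
    print(run_constructed_demo())
```

An `open-silent` result against your own address matches what the thread describes: something completes the TCP handshake on port 110 but no mail service answers, which is worth comparing against the router's own log of the same connection.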
