Scans Increase for New Linksys Backdoor (32764/TCP)
We do see a lot of probes for port 32764/TCP . According to a post to github from 2 days ago, some Linksys devices may be listening on this port enabling full unauthenticated admin access. [1]
At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network.
Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. The by far largest number of scans come from 80.82.78.9. ShodanHQ has also been actively probing this port for the last couple of days.
https://isc.sans.edu/portascii.html?port=32764&start=2013-12-03&end=2014-01-02
Date | Records | Targets | Sources | TCP/UDP*100 |
Dec 5th | 10 | 2 | 3 | 90 |
Dec 9th | 11 | 2 | 5 | 100 |
Dec 10th | 17 | 5 | 6 | 100 |
Jan 2nd | 15068 | 3833 | 3 | 100 |
We only have 10 different source IP addresses originating more then 10 port 32764 scans per day over the last 30 days:
+------------+-----------------+----------+ | date | source | count(*) | +------------+-----------------+----------+ | 2014-01-02 | 080.082.078.009 | 18392 | | 2014-01-01 | 198.020.069.074 | 768 |<-- interesting... 3 days | 2014-01-02 | 198.020.069.074 | 585 |<-- early hits from ShodanHQ | 2014-01-02 | 178.079.136.162 | 226 | | 2013-12-31 | 198.020.069.074 | 102 |<-- | 2014-01-02 | 072.182.101.054 | 74 | +------------+-----------------+----------+
[1] https://github.com/elvanderb/TCP-32764
-----
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
Comments
Anonymous
Jan 3rd 2014
1 decade ago
Anonymous
Jan 3rd 2014
1 decade ago
I agree. Stick with Assumption of Breach.
The purpose of your Firewall, or your NAT boundary is _not_ to let the admin relax and not worry about exploits that require crossing said boundary and being local, to complete the exploit.
The purpose of the Firewall or NAT boundary is to mitigate risk, and if you're ignoring a security vulnerability because it's local-only, then you increase risk, and the potential impact.
In some cases, the totality of the risk might be higher, than if you had no Firewall, and were instead highly vigilant :)
Local backdoors are a critical problem, and should be repaired with urgency.
Remote code execution on a firewalled port is also a critical problem, and should be repaired with urgency.
Locally exploitable Priv esc vulnerabilities are also a critical problem, and should be repaired with urgency.
Anonymous
Jan 3rd 2014
1 decade ago
Anonymous
Jan 4th 2014
1 decade ago
Thank you John, that was what I was looking for!
Anonymous
Jan 5th 2014
1 decade ago