
SANS ISC InfoSec Handlers Diary Blog



Scans Increase for New Linksys Backdoor (32764/TCP)

Published: 2014-01-02
Last Updated: 2014-01-02 22:13:53 UTC
by Johannes Ullrich (Version: 1)

We are seeing a lot of probes for port 32764/TCP. According to a post on GitHub from two days ago, some Linksys devices may be listening on this port, and the service there allows full, unauthenticated admin access. [1]

At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, also scan its public IP address from outside your network, since an internal scan will not tell you whether the port is reachable from the Internet.
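A connect scanner for the check above, as an added example (this is not code from the diary or from the TCP-32764 repository). It only reports whether something accepts connections on 32764/TCP; it does not speak the service's protocol, so an "open" result still needs manual follow-up. The dummy listener and the unused-port helper are constructed for demonstration and are not part of any real scan. Run it from inside against your LAN ranges and, separately, from an outside host against the router's public address.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

BACKDOOR_PORT = 32764  # the port the diary reports being probed


def check_port(host, port=BACKDOOR_PORT, timeout=2.0):
    """Return (host, state): 'open', 'closed' (got a RST) or 'filtered'.

    'open' only proves a listener exists, not that it is the backdoor.
    'filtered' (no answer, or unreachable) on the WAN address is what you
    want to see from outside.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return host, "open"
    except ConnectionRefusedError:
        return host, "closed"
    except OSError:  # socket.timeout / TimeoutError, host unreachable, ...
        return host, "filtered"


def expand_targets(targets):
    """Yield host addresses from single IPs and CIDR blocks ('192.168.1.0/24')."""
    for target in targets:
        net = ipaddress.ip_network(target, strict=False)
        if net.num_addresses == 1:
            yield str(net.network_address)
        else:
            for host in net.hosts():  # skips network and broadcast addresses
                yield str(host)


def scan(targets, port=BACKDOOR_PORT, timeout=2.0, workers=64):
    """Connect-scan every host concurrently; return {host: state}."""
    hosts = list(expand_targets(targets))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda h: check_port(h, port, timeout), hosts))


def open_hosts(results):
    """Hosts that accepted a connection, sorted for reporting."""
    return sorted(h for h, state in results.items() if state == "open")


def start_dummy_listener():
    """Constructed stand-in for a device with the port open (testing only).

    Listens on 127.0.0.1 on an ephemeral port and closes each connection.
    Returns (server_socket, port); close the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port():
    """Pick a local port with no listener, to show the 'closed' state (testing only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Demo against the local stand-in. On a real network call e.g.
    # scan(["192.168.1.0/24"]) from inside and scan([<WAN address>]) from outside.
    srv, demo_port = start_dummy_listener()
    results = scan(["127.0.0.1"], port=demo_port)
    print(results, "open:", open_hosts(results))
    srv.close()
```

Keep the timeout short and the worker count modest when scanning a /24 from a home connection; a router that rate-limits SYNs can otherwise make reachable hosts look filtered.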

Our data shows almost no scans to the port prior to today, but a large number from three source IPs today. By far the largest number of scans comes from 80.82.78.9. ShodanHQ has also been actively probing this port for the last couple of days.

https://isc.sans.edu/portascii.html?port=32764&start=2013-12-03&end=2014-01-02

Date       Records   Targets   Sources   TCP/UDP*100
Dec 5th         10         2         3            90
Dec 9th         11         2         5           100
Dec 10th        17         5         6           100
Jan 2nd      15068      3833         3           100

(TCP/UDP*100 is the share of the records that were TCP, in percent.)

We only have 10 different source IP addresses originating more than 10 port 32764 scans per day over the last 30 days; the busiest of them are:

+------------+-----------------+----------+
| date       | source          | count(*) |
+------------+-----------------+----------+
| 2014-01-02 | 80.82.78.9      |    18392 |
| 2014-01-01 | 198.20.69.74    |      768 |
| 2014-01-02 | 198.20.69.74    |      585 |
| 2014-01-02 | 178.79.136.162  |      226 |
| 2013-12-31 | 198.20.69.74    |      102 |
| 2014-01-02 | 72.182.101.54   |       74 |
+------------+-----------------+----------+

The interesting entry is 198.20.69.74: it shows up on three consecutive days (Dec 31 through Jan 2), and these are the early hits from ShodanHQ.
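The same per-day, per-source count run over your own firewall logs, as an added example rather than the diary's own query (DShield's schema is not shown on the page). It parses iptables LOG lines, keeps only TCP hits on port 32764, and lists sources exceeding the 10-per-day threshold used above. The log lines, addresses (RFC 5737 ranges) and counts are constructed for the demonstration and are not ISC data.

```python
import re
from collections import Counter

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Fields of an iptables LOG line. The syslog timestamp carries no year,
# so the caller supplies it.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \S+ \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def make_sample_log():
    """Constructed sample (not real data): SYNs to 32764/TCP from a few
    RFC 5737 addresses, plus noise lines that must be ignored."""
    fmt = ("{mon} {day:>2} 11:{m:02d}:00 gw kernel: IN=eth0 OUT= "
           "SRC={src} DST=192.0.2.1 PROTO={proto} SPT=40000 DPT={dpt} SYN")
    lines = []
    lines += [fmt.format(mon="Jan", day=2, m=i, src="203.0.113.9",
                         proto="TCP", dpt=32764) for i in range(18)]
    lines += [fmt.format(mon="Jan", day=1, m=i, src="198.51.100.74",
                         proto="TCP", dpt=32764) for i in range(12)]
    lines += [fmt.format(mon="Jan", day=2, m=i, src="198.51.100.74",
                         proto="TCP", dpt=32764) for i in range(11)]
    lines += [fmt.format(mon="Jan", day=2, m=i, src="203.0.113.54",
                         proto="TCP", dpt=32764) for i in range(3)]
    # Noise: UDP to the same port, TCP to another port, a non-kernel line.
    lines.append(fmt.format(mon="Jan", day=2, m=0, src="203.0.113.9",
                            proto="UDP", dpt=32764))
    lines.append(fmt.format(mon="Jan", day=2, m=0, src="203.0.113.9",
                            proto="TCP", dpt=22))
    lines.append("Jan  2 11:59:00 gw sshd[123]: Accepted publickey for admin")
    return lines


def count_per_day_source(lines, port=32764, proto="TCP", year=2014):
    """Counter of {(YYYY-MM-DD, source): hits} for the given port and protocol."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["proto"] != proto or int(m["dpt"]) != port:
            continue
        day = f"{year}-{MONTHS[m['mon']]:02d}-{int(m['day']):02d}"
        counts[(day, m["src"])] += 1
    return counts


def noisy_sources(counts, threshold=10):
    """(day, source, hits) rows with more than `threshold` hits, busiest first."""
    rows = [(day, src, n) for (day, src), n in counts.items() if n > threshold]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    counts = count_per_day_source(make_sample_log())
    for day, src, n in noisy_sources(counts):
        print(f"{day}  {src:<16} {n:>6}")
```

To run it on a real box, replace make_sample_log() with the lines of /var/log/kern.log (or journalctl -k) and pass the right year; sources that appear on several consecutive days, as 198.20.69.74 does above, are the ones worth a second look.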


[1] https://github.com/elvanderb/TCP-32764

-----
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
