Port Information
Protocol: tcp
Service: ---
Name: ---
User Comments
2010-07-30 00:59:05
Recently a very popular home wireless router (purchased recently in 2009 - 802.11N) in a network I operate came under attack by IP addresses traced back to China. Now, whether or not the IP address is actually a "spoof" IP address intended to make someone look guilty or not, the target port was consistently port 12200. I'd see in the firewall log several thousand entries like:

    [INFO] Fri Jul 23 21:21:20 2010 Blocked incoming TCP connection request from 58.218.204.110:12200 to xxx.xxx.xxx.xxx
    [INFO] Fri Jul 23 23:49:43 2010 Blocked incoming TCP connection request from 221.195.73.68:12200 to xxx.xxx.xxx.xxx

I was running the OEM provider's firmware version 1.20. What I noticed was that the firmware refused to "toggle" certain options, and the firmware update tool did indicate an update was available; however, it would spoof the download, provide all visual responses that an update was in progress and then had occurred, and then do a clean reset. However, the actual firmware was not flashed. Things like NTP updating could not be turned off... was that the botnet phone-home mechanism? Dunno/don't care... The interesting thing is that the most recent version the router's updater tool had was version 1.22 and nothing higher. So like many folks, I used the router's updater tool, but that was also a "spoof firmware update". Upon further investigation, by going directly to the equipment manufacturer's website, I found that there are higher versions (1.24) available. It seems like the hackers managed to hack the appliance box and provide a firmware updater tool mechanism to themselves, to self-update the system with their own payload. I was able to put an end to the attempted attacks by manually downloading the firmware directly from the equipment provider and doing an update with version 1.24.

Now, in all fairness, was it a true problem with the firmware or a true backdoor left open by the OEM by accident... right now, I don't really care, but I do have my router fully operational again, cleaned up, and the hacking attempts have fully stopped. My boxes on my network also have firewalls, and they too would get dinged, but no more. I find attempts like this to be quite alarming and sophisticated in nature and will pay greater attention to updates from my router equipment manufacturer in the future. I checked around on the net, and folks are talking about repeated 12200 blocked hack attempts, but no one is picking up on this hot item. If you have an attempt on your home router, I highly suggest you directly download the binary firmware update from the manufacturer's website and reflash your box. If that doesn't work, borrow a friend's router and try his out to see if it makes a difference. Updating my box's firmware is what caused the attacks to immediately stop. Pure cause-and-effect approach solution. I stress, again, the attacks immediately stopped after the firmware update. Gripe comment... If all the spam, botnets, and internet garbage didn't exist, think of how many electrons would be saved, how much energy could be saved if this stuff just "didn't exist", think how much electricity could be conserved and re-deployed to things where it matters more in society. Instead, we have to power boxes and backhaul pipes to push this crap around amidst the honest data. Shame on hackers...
Jeff Singleton 2010-03-11 22:21:08
Looks like the culprit is http://www.tenebril.com/products/ghostsurf anonymous web software. Its default connection port is 12200 per http://www.speedguide.net/port.php?port=12200 and confirmed with more precise searches tying in the port # and the program name.