Port 3394, 5473 and 18017 open on WAN (Asuswrt-Merlin 380.63_2)

[stian.s]

Hi, I just installed Asuswrt-Merlin (thanks for making it, by the way), and wanted to check whether any ports were exposed to WAN, assuming everything would be blocked. I scanned all ports with a separate internet connection, and got the following results (this command just verifies the three ports I found in the first scan).

# nmap (WAN IP) -p 3394,5473,18017 -T4

Starting Nmap 6.40-2 ( http://nmap.org ) at 2016-12-13 10:44 CET
Nmap scan report for (WAN IP)
Host is up (0.19s latency).
PORT      STATE SERVICE
3394/tcp  open  unknown
5473/tcp  open  unknown
18017/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds

By some googling, I could find out that port 3394 and 5473 are used by u2ec, and port 18017 by wanduck.

I assume this is not intended, and pose a security threat.

Furthermore, I tried to block every incoming packet, with the same result (ports still open):

admin@RT-AC87U:/tmp/home/root# iptables -I INPUT -i eth0 -j DROP
admin@RT-AC87U:/tmp/home/root# iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

 

[martinr]

You installed Merlin's firmware, and it sounds like this was your first installation of Merlin. I'm assuming you reset the router to factory default settings after flashing as per the instructions and then put in the minimum amount of settings to get you connected to your ISP, correct?

Have you tried scanning those 3 ports via something like ShieldsUp at https://www.grc.com/x/ne.dll?rh1dkyd2 ?


Which router, by the way?

 

[RMerlin]

None of these ports should be exposed to the Internet by default. It means you either did not test from outside your LAN, or you disabled the router's firewall.

In the default configuration, there are zero ports open to the Internet.

 

[stian.s]

You installed Merlin's firmware, and it sounds like this was your first installation of Merlin.

Yup.

I'm assuming you reset the router to factory default settings after flashing as per the instructions and then put in the minimum amount of settings to get you connected to your ISP, correct?

Almost - I added some settings I noted down from before, customized DHCP setup, and added my hosts to dnsmasq using the custom user configuration option. After discovering the open ports, I made a script adding cron jobs to kill the offending processes.

Have you tried scanning those 3 ports via something like ShieldsUp at https://www.grc.com/x/ne.dll?rh1dkyd2 ?

Nope, I'll do that to be sure. I did the scans by connecting via my mobile... and I just realized that the phone must have been connected to the WiFi, haha. I could verify via GRC and nmap that the ports are not available from WAN.

However, when scanning the external IP address from LAN, it is interesting to see that ports such as ssh and web are not available, while these three are. Maybe the sshd and webserver only binds to local IPs, while the remaining are filtered by the firewall, and routed to the external IP internally?

Which router, by the way?

RT-AC87U, sorry for forgetting to include that information!

None of these ports should be exposed to the Internet by default.
It means you either did not test from outside your LAN, or you disabled the router's firewall.

In the default configuration, there are zero ports open to the Internet.

Good to know, I agree. Thanks for the replies to both of you!

 

[martinr]

I did the scans by connecting via my mobile... and I just realized that the phone must have been connected to the WiFi, haha.

Done that, only to be put right by Merlin!

I could verify via GRC and nmap that the ports are not available from WAN.

I wouldn't waste your time!

 

[stian.s]

Sorry, I was unclear. I meant that I was able to verify that the ports are not available

 

[anarchymachines]

Forgive me for having a seance and resurrecting this prehistoric thread, but I just wanted to mention that I'm currently running Merlin on a RT-5300 and doing a port scan from the lan side shows those exact two same ports open (5473 and 3394). Just thought I'd mention that in case it's useful to anyone. I haven't done anything configuration wise except enable SSH (local lan only) and disabled pretty much everything I could.

 

[deckard]

My apologies for resurrecting this thread yet again, but since the recent ASD/firmware debacle, I decided to do a port scan of my WAN IP/domain for giggles, and am also seeing these ports open on my RT-AC66U, as well as 41837. However I am running the latest stock ASUS firmware 9.0.0.4.382_52503-gf8d6575.

This is with port forwarding disabled in the router, but I do have the native OpenVPN server enabled.
Is there anything to be concerned about here?

 

[ColinTaylor]

My apologies for resurrecting this thread yet again, but since the recent ASD/firmware debacle, I decided to do a port scan of my WAN IP/domain for giggles, and am also seeing these ports open on my RT-AC66U, as well as 41837. However I am running the latest stock ASUS firmware 9.0.0.4.382_52503-gf8d6575.
View attachment 51182
This is with port forwarding disabled in the router, but I do have the native OpenVPN server enabled.
Is there anything to be concerned about here?

It looks like you're scanning from inside your LAN rather than from the internet.

 

[deckard]

Ah, I was. Forgot that even when using the WAN IP, the router still does a reverse NAT thing, where it's as if I'm on my LAN.
Will check again using a mobile app off WiFi. Thank you!

EDIT: All good!