cchacker
Aspirant
Dec 17, 2020
Solved

Netgear Nighthawk router log file and port mapping

Netgear Nighthawk AC1900 Model C7000v2

The log file in my router has the following entry:

| Description | Count | Last occurrence | Target | Source |
|---|---|---|---|---|
| [LAN access from remote] from 178.62.64.126:37460 to 10.0.0.18:1935 | 1 | Wed Dec 16 19:53:26 2020 | 10.0.0.18:1935 | 178.62.64.126:37460 |

There is no port mapped to local host 10.0.0.18 and port 1935 is not mapped to any host.

How is it possible for 178.62.64.126 to attempt to address a local host which should be invisible to it?

The router should block access because there is no port mapped to that machine, but even further how is it possible for 178.62.64.126 to even attempt to access that host on my local network?


6 Replies

  • So I've done some testing. It's more and more mysterious to me.

    I used telnet to connect to external (internet) ip address of my router on port 554.

    Lo and behold I got a connection and a reply.

    RTSP/1.0 400 Bad Request
    CSeq: 0
    Server: Hipcam RealServer/V1.0

    I examined the log file on my router.

    It showed a connection to its external IP address on port 554 and it showed it routed the connection to host 10.0.0.18 on the local area network. I double, triple checked there is no port map in the router for port 554. It's almost as if somehow the router has been hacked and there is an invisible port map of port 554 to 10.0.0.18:554.

    Host 10.0.0.18 on my LAN is an Anbes floodlight security camera.

    Port 554 is for Real Time Stream Control Protocol. It makes sense that the Camera is using Real Time Stream Control Protocol.

    What doesn't make sense is that connections to port 554 are being routed to 10.0.0.18 without a portmap set.

    Any ideas?

     

    • antinode
      Guru

      > Any ideas?

       

         UPnP?   (ADVANCED > Advanced Setup > UPnP)

      • cchacker
        Aspirant

        Thank you antinode.

        I looked where you suggested (UPnP?   (ADVANCED > Advanced Setup > UPnP)) and found that indeed it maps

        TCP 554 to 10.0.0.18

        TCP 1935 to 10.0.0.18

        UDP 6000 to 10.0.0.18

        UDP 6002 to 10.0.0.18

        Didn't know about this. From my perspective this presents a HUGE security hole.

        I use my router and its NAT capabilities to secure my network.

        This blows a huge hole in it.

        "UPnP doesn’t require any sort of authentication from the user. Any application running on your computer can ask the router to forward a port over UPnP, which is why the malware above can abuse UPnP."

        Is there a way to disable UPnP on the C7000v2 Nighthawk router?
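
Added example, not part of any post in this thread and not NETGEAR code: the by-hand comparison from the posts above, applied to log lines. It parses `[LAN access from remote]` entries in the format quoted in the first post and reports every LAN host and port that received inbound traffic without a matching manual port-forward rule, which points at a mapping created some other way, such as the UPnP mappings found above. The `MANUAL_FORWARDS` set and every sample line except the first are constructed for illustration.

```python
import re
from collections import defaultdict

# Entry format as quoted in the first post of this thread.
LOG_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def unexpected_forwards(log_lines, manual_forwards):
    """Return {(lan_ip, port): sorted remote IPs} for inbound hits that no
    manually configured port-forward rule accounts for.

    manual_forwards is a set of (lan_ip, port) tuples copied by hand from
    the router's port forwarding page (an assumed input, not a router API).
    """
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # other kinds of log entry are ignored
        target = (m["dst"], int(m["dport"]))
        if target not in manual_forwards:
            hits[target].add(m["src"])
    return {target: sorted(srcs) for target, srcs in hits.items()}

# Constructed sample: the first line is the entry from the thread; the
# remaining lines are made up, using documentation address ranges.
SAMPLE_LOG = [
    "[LAN access from remote] from 178.62.64.126:37460 to 10.0.0.18:1935",
    "[LAN access from remote] from 203.0.113.7:51000 to 10.0.0.18:554",
    "[LAN access from remote] from 198.51.100.23:40222 to 10.0.0.18:554",
    "[LAN access from remote] from 203.0.113.7:51010 to 10.0.0.5:443",
    "constructed line of some other entry type, ignored by the parser",
]

# Constructed: the only rule the administrator created on purpose.
MANUAL_FORWARDS = {("10.0.0.5", 443)}

if __name__ == "__main__":
    found = unexpected_forwards(SAMPLE_LOG, MANUAL_FORWARDS)
    for (host, port), sources in sorted(found.items()):
        print(f"{host}:{port} reached from {', '.join(sources)} "
              "with no manual rule; check the UPnP port map table")
```
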