
Netgear Nighthawk router log file and port mapping

cchacker
Aspirant

Netgear Nighthawk router log file and port mapping

Netgear Nighthawk AC1900 Model C7000v2

The log file in my router has the following entry:

Description: [LAN access from remote] from 178.62.64.126:37460 to 10.0.0.18:1935
Count: 1
Last occurrence: Wed Dec 16 19:53:26 2020
Target: 10.0.0.18:1935
Source: 178.62.64.126:37460

There is no port mapped to local host 10.0.0.18 and port 1935 is not mapped to any host.

How is it possible for 178.62.64.126 to attempt to address a local host which should be invisible to it?

The router should block access because there is no port mapped to that machine, but even further how is it possible for 178.62.64.126 to even attempt to access that host on my local network?

Model: C7000|Nighthawk - AC1900 WiFi Cable Modem Router
Message 1 of 7

cchacker
Aspirant

Re: Netgear Nighthawk router log file and port mapping

So I've done some testing. It's more and more mysterious to me.

I used telnet to connect to external (internet) ip address of my router on port 554.

Lo and behold, I got a connection and a reply.

RTSP/1.0 400 Bad Request
CSeq: 0
Server: Hipcam RealServer/V1.0

I examined the log file on my router.

It showed a connection to its external IP address on port 554 and it showed it routed the connection to host 10.0.0.18 on the local area network. I double, triple checked there is no port map in the router for port 554. It's almost as if somehow the router has been hacked and there is an invisible port map of port 554 to 10.0.0.18:554.

Host 10.0.0.18 on my LAN is an Anbes floodlight security camera.

Port 554 is for Real Time Stream Control Protocol. It makes sense that the Camera is using Real Time Stream Control Protocol.

What doesn't make sense is that connections to port 554 are being routed to 10.0.0.18 without a portmap set.

Any ideas?

 

Model: C7000|Nighthawk - AC1900 WiFi Cable Modem Router
Message 2 of 7
antinode
Guru

Re: Netgear Nighthawk router log file and port mapping

> Any ideas?

 

   UPnP?   (ADVANCED > Advanced Setup > UPnP)

Message 3 of 7
cchacker
Aspirant

Re: Netgear Nighthawk router log file and port mapping

Thank you antinode.

I looked where you suggested (UPnP?   (ADVANCED > Advanced Setup > UPnP)) and found that indeed it maps

TCP 554 to 10.0.0.18

TCP 1935 to 10.0.0.18

UDP 6000 to 10.0.0.18

UDP 6002 to 10.0.0.18

Didn't know about this. From my perspective this presents a HUGE security hole.

I use my router and its nat capabilities to secure my network.

This blows a huge hole in it.

"UPnP doesn’t require any sort of authentication from the user. Any application running on your computer can ask the router to forward a port over UPnP, which is why the malware above can abuse UPnP."

Is there a way to disable UPnP on the C7000v2 Nighthawk router?

Model: C7000-1AZNAS|Nighthawk AC1900 WiFi Cable Modem Router
Message 4 of 7
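
As an added example (not part of the original thread and not Netgear tooling): a Python check that parses `[LAN access from remote]` entries in the format quoted in the first post and attributes each inbound hit to a manual port forward, a UPnP mapping, or neither. The UPnP table is the one reported above; the extra log lines, the timestamp layout after the comma, and the function name `classify` are constructed for illustration.

```python
import re
from collections import defaultdict

# Format of the router log entry quoted in the first post.
LOG_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# UPnP table as reported in the thread: (protocol, port, internal host).
UPNP_MAPPINGS = [("TCP", 554, "10.0.0.18"), ("TCP", 1935, "10.0.0.18"),
                 ("UDP", 6000, "10.0.0.18"), ("UDP", 6002, "10.0.0.18")]
# The poster had configured no port forwards by hand.
MANUAL_FORWARDS = []

# Constructed sample log: the first entry is from the post, the rest are made up.
SAMPLE_LOG = """\
[LAN access from remote] from 178.62.64.126:37460 to 10.0.0.18:1935, Wed Dec 16 19:53:26 2020
[LAN access from remote] from 203.0.113.7:50112 to 10.0.0.18:554, Wed Dec 16 20:01:02 2020
[LAN access from remote] from 198.51.100.9:41000 to 10.0.0.25:8080, Wed Dec 16 20:05:40 2020
[DHCP IP: 10.0.0.18] to MAC address 00:00:5E:00:53:01, Wed Dec 16 20:06:00 2020
"""

def classify(log_text, manual=MANUAL_FORWARDS, upnp=UPNP_MAPPINGS):
    """Return {(dst, dport): (origin, [remote sources])} for inbound hits."""
    # The log line carries no protocol, so match on (host, port) only.
    manual_set = {(h, p) for _, p, h in manual}
    upnp_set = {(h, p) for _, p, h in upnp}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits[(m["dst"], int(m["dport"]))].append(m["src"])
    report = {}
    for target, sources in hits.items():
        if target in manual_set:
            origin = "manual forward"
        elif target in upnp_set:
            origin = "UPnP mapping"
        else:
            origin = "unexplained"
        report[target] = (origin, sources)
    return report

if __name__ == "__main__":
    for (host, port), (origin, srcs) in classify(SAMPLE_LOG).items():
        print(f"{host}:{port:<5} {origin:<15} from {', '.join(srcs)}")
```

An "unexplained" result means the log shows traffic reaching a LAN host that neither table accounts for, which is the situation the first post describes before the UPnP table was found.
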
cchacker
Aspirant

Re: Netgear Nighthawk router log file and port mapping

antinode, please ignore my request for instructions on how to disable UPnP. I found it under Advanced setup->UPnP, and one click disables it.

Feeling more secure in my little network.

Don't you think this is a serious issue? Shouldn't this be disabled by default?

With this enabled it would be very easy for malware to set up a remote bot network.

Model: C7000-1AZNAS|Nighthawk AC1900 WiFi Cable Modem Router
Message 5 of 7
antinode
Guru

Re: Netgear Nighthawk router log file and port mapping

> Don't you think this is a serious issue? [...]


   What I think matters little.

 

   It's a convenience feature for users who expect everything to just,
uh, "plug 'n' play".  I'm sure that it's widely liked (and
little-noticed).  It does allow an application (rogue or friendly) to
enable incoming connections without your explicit permission.

 

> [...] Shouldn't this be disabled by default?

 

   I always ensure that it's disabled on my stuff.

 

   I don't see it listed among the "Factory default settings" in the
User Manual (yours or mine (D7000)), which I'd call an oversight, at
best.

 

   The usual threats are explicit port forwarding/triggering, DMZ
server, and UPnP.  Only UPnP could be enabled by default (because only
it is automatic enough).

Message 6 of 7
cchacker
Aspirant

Re: Netgear Nighthawk router log file and port mapping

Me, I'm old-fashioned. I don't like things happening auto-magically. I like to explicitly make them happen or not.

Thanks to you. I turned off UPnP and I'm investigating the server my camera was talking to.

The camera, like almost everything else, is made in China. I'm going to really check out this supposed streaming video server.

I personally have done a lot of business with China. The Chinese are great people, but their ethics in business are very much "if you can do it, do it". If you get caught you can always apologize after the fact.

 

Model: C7000-1AZNAS|Nighthawk AC1900 WiFi Cable Modem Router
Message 7 of 7