
Does this botnet affect RMerlin firmware?

I just tried it against my 3004 router, and you're right. SSH shows as exposed on the WAN.
Where are you nmap'ing from, the router itself or a LAN PC? As I said above, just because you're nmap'ing the WAN IP address doesn't necessarily mean those ports are exposed to the internet. The only way to test internet exposure is to test from the internet.
 
This is what nmap shows for the WAN from the Internet on my AX86U-PRO running the latest stock 3.0.0.6 with UPnP disabled. I assume these are because of the NAT-Passthrough defaults.
Discovered open port 554/tcp
Discovered open port 443/tcp
Discovered open port 80/tcp
Discovered open port 1723/tcp
Discovered open port 21/tcp
 
That's not a problem with the router, it's a problem interpreting the results of the test. Testing from the router itself or LAN is not valid because there are firewall rules that allow all traffic from the LAN/router. Just because you're using the WAN address doesn't mean you're testing from the internet side. The same is true for 3004.
"Testing against the WAN address" is ambiguous. From a scanning host on the LAN, the WAN address and all other hosts on the extranet are visible via the LAN gateway (done that more than once) enforced by the firewall rules governing the LAN side.

To be a meaningful scan, the scanner must be on the extranet side. The scanning host must either plug into the WAN port or be on a switch/network which can connect to the WAN port(s) (and as applicable be on the same VLAN or default VLAN 1).
 
This is what nmap shows for the WAN from the Internet on my AX86U-PRO running the latest stock 3.0.0.6 with UPnP disabled. I assume these are because of the NAT-Passthrough defaults.
Discovered open port 554/tcp
Discovered open port 443/tcp
Discovered open port 80/tcp
Discovered open port 1723/tcp
Discovered open port 21/tcp
I would be concerned if those are really accessible from the internet. That means that you have services on your network actively listening on those ports (HTTP, HTTPS, RTSP, PPTP and FTP).

Check System Log - Port Forwarding.
 
Just ran nmap on my WAN port from an externally connected Android phone - and it's a s*** show.
I just can't count the number of ports that are open. I just have to be doing something wrong.
Is my firewall even doing anything - upnp is disabled.
 
Is your phone also wifi enabled?
Wifi is off.

*edit* see the attached list - I may as well be connected on the LAN.
 

I would be concerned if those are really accessible from the internet. That means that you have services on your network actively listening on those ports (HTTP, HTTPS, RTSP, PPTP and FTP).

Check System Log - Port Forwarding.
Nothing there except the Nintendo Switch 2 in the DMZ.
 
I suspect you're getting false positives from your ISP's edge device.
Quite possible. I get the same results using my ddns domain.
Shields Up gives me a full stealth result so I'm not too worried. I also verified the accuracy of this result by opening a few ports.
 
I suggest you turn off the DMZ temporarily and do the scan again.
With DMZ on or off I get the same result for either IPv4 or IPv6 WAN.
Discovered open port 554/tcp
Discovered open port 443/tcp
Discovered open port 80/tcp
Discovered open port 1723/tcp
Discovered open port 21/tcp
Discovered open port 8443/tcp
 
With DMZ on or off I get the same result for either IPv4 or IPv6 WAN.
Discovered open port 554/tcp
Discovered open port 443/tcp
Discovered open port 80/tcp
Discovered open port 1723/tcp
Discovered open port 21/tcp
Discovered open port 8443/tcp
Then I suspect it's the same false positives that @Ripshod is seeing. If you SSH into the router and run the following command you can check if any of those services are running, and if so what interfaces they're listening on.
Code:
netstat -nlp | grep -E ":554 |:443 |:80 |:1723 |:21 |:8443 "

As per @Ripshod's post you can also try running a Shields Up scan.
 
Then I suspect it's the same false positives that @Ripshod is seeing. If you SSH into the router and run the following command you can check if any of those services are running, and if so what interfaces they're listening on.
Code:
netstat -nlp | grep -E ":554 |:443 |:80 |:1723 |:21 |:8443 "
As per @Ripshod's post you can also try running a Shields Up scan.
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 19963/httpd
tcp 0 0 192.168.1.1:80 0.0.0.0:* LISTEN 19963/httpd
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN 19962/httpds
tcp 0 0 192.168.1.1:8443 0.0.0.0:* LISTEN 19962/httpds
tcp 0 0 :::80 :::* LISTEN 19963/httpd
tcp 0 0 :::8443 :::* LISTEN 19962/httpds
 
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 19963/httpd
tcp 0 0 192.168.1.1:80 0.0.0.0:* LISTEN 19963/httpd
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN 19962/httpds
tcp 0 0 192.168.1.1:8443 0.0.0.0:* LISTEN 19962/httpds
tcp 0 0 :::80 :::* LISTEN 19963/httpd
tcp 0 0 :::8443 :::* LISTEN 19962/httpds
Looks normal. Pretty much confirms the other scan results were invalid.
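
Added example, not part of any post in this thread: the netstat check above, extended to report which address each listener is bound to and which of the scanned ports have no local listener at all. The function names classify_listeners and sample_netstat and the scope labels are assumptions of this example; the sample input is the netstat output posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify TCP listeners by bind scope.
# On the router: netstat -nlp | classify_listeners 554 443 80 1723 21 8443

classify_listeners() {
    # Arguments: ports of interest. Stdin: netstat -nlp output.
    awk -v ports="$*" '
    BEGIN {
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) want[p[i]] = 1
    }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4
        sub(/.*:/, "", port)              # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (!(port in want)) next
        if (addr ~ /^127\./ || addr == "::1")       scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "::") scope = "wildcard"
        else if (addr ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
            scope = "private"
        else scope = "public"
        seen[port] = 1
        print port, scope, addr, $7
    }
    END {
        # Scanned ports with no local listener: the router itself is not
        # answering on them.
        for (i = 1; i <= n; i++)
            if (!(p[i] in seen)) print p[i], "none", "-", "-"
    }'
}

sample_netstat() {
    # netstat output as posted in the thread.
    cat <<'EOF'
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 19963/httpd
tcp 0 0 192.168.1.1:80 0.0.0.0:* LISTEN 19963/httpd
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN 19962/httpds
tcp 0 0 192.168.1.1:8443 0.0.0.0:* LISTEN 19962/httpds
tcp 0 0 :::80 :::* LISTEN 19963/httpd
tcp 0 0 :::8443 :::* LISTEN 19962/httpds
EOF
}

sample_netstat | classify_listeners 554 443 80 1723 21 8443
```

A `wildcard` bind listens on every interface, so whether it can be reached from the WAN is decided by the firewall rules rather than by the bind address; `none` means nothing on the router is listening on that port.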
 
