TCP 32764 Backdoor
by Jason
Jan. 24, 2014
AKA Rooting Routers for Fun
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Firstly, I apologize, this is a little dated, but I think it is extremely interesting and worth sharing. Unlike most other security-related articles that just document an attack and tell the story in the past tense, this is an active, vulnerable, exploitable backdoor.

About a month ago, a backdoor was discovered[1] on a Linksys WAG200G router. There is a process that listens on port 32764, and it allows free access to many hosts on the internet. No patches are available, as this is an older router that is out of maintenance. The backdoor doesn't have any kind of authentication and allows some very dangerous commands[2], like giving access to a remote root shell, dumping Wi-Fi and PPPoE credentials, and file copy! It's unclear what caused this backdoor, only that the program is in the firmware itself. This vulnerability is interesting because it's currently active and people are just figuring out how to systematically attack it[4].
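Because the service has no authentication, the only question a defender needs to answer is whether anything is listening on TCP 32764 on their own gateway at all. The following checker is an added example written for this page, not code from the original post or from any of the cited write-ups; it assumes the router's LAN address is 192.168.1.1 (override it on the command line) and includes an offline self-test against a throwaway local listener so the logic can be verified without a router.

```python
import socket

# Port the backdoor service described in the post listens on
BACKDOOR_PORT = 32764


def tcp_port_open(host, port=BACKDOOR_PORT, timeout=2.0):
    """Return True if host:port accepts a TCP connection, False otherwise.

    A successful connect only proves something is listening; on an affected
    router that listener is the unauthenticated backdoor process.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_gateway(host, port=BACKDOOR_PORT):
    """Human-readable verdict for one host: 'LISTENING' means investigate."""
    return "LISTENING (investigate)" if tcp_port_open(host, port) else "closed"


def self_test():
    """Offline sanity check of the probe logic.

    Binds a constructed listener on an ephemeral loopback port, probes it
    (should be open), closes it, probes again (should now be refused).
    Returns (open_seen, closed_seen), expected (True, False).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    open_seen = tcp_port_open("127.0.0.1", port, timeout=1.0)
    listener.close()
    closed_seen = tcp_port_open("127.0.0.1", port, timeout=1.0)
    return open_seen, closed_seen


if __name__ == "__main__":
    import sys
    # Assumed default LAN address; pass your gateway's address as argv[1]
    gateway = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(f"{gateway}:{BACKDOOR_PORT} -> {check_gateway(gateway)}")
```

Run it against the LAN side of the router; a "LISTENING" result on an affected model means the device should be replaced or isolated from untrusted networks, and the WAN side should be checked separately, since a listener reachable from the internet is the case the post describes.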