Superhub : Superhub Telnet

[ccarmock]

Just spotted an interesting entry in the event log on my Superhub:-

Thu Dec 29 11:43:00 2011 Critical (3) Telnet login failed from 210.61.240.52.


I find that indeed the superhub is running a telnet server, which appears to be accessible via the WAN IP address. the normal admin login doesn't work though. Hopefully there isn't a standard login as this woudl seem to be a security risk.

[Peter_]

The ip resolves to

CHUNGHWA-TELECOM-TP-TW

[ccarmock]

Yup I suspect a portscan found it. Is there a way to disable telnet from the WAN port?

[Chrysalis]

it should already be off so looks like a bug, VM went to great effort to lockout ssh/telnet access.

[kwikbreaks]

From what I remember of it you could access it from the standard port 23 on the LAN side - I don't recall ever trying or seeing it mentioned that WAN access was possible at all. IMO any WAN access using any protocol is a potential security breach - didn't O2 suffer some stick for an open port on their Thomson router?

[ccarmock]

It is definitely accessible from both the LAN and WAN side of the Superhub. This is running the business service firmware though. Version 5.5.2R04-BU

I am not sure if this is based on te R04 build of the residential firmware or is a totally new build stream. It does not have modem mode, but does have oter features like L2TP tunnel config options under Basic Settings. SSH is disabled which implies it is more aligned to a later version, however does respond to a port 23 connection with:-

Netgear Embedded Telnet Server (c) 2000-2007

WARNING: Access allowed by authorized users only.

Login:

[kwikbreaks]

If it uses the standard port then simply running Gibson's "Shields up" will expose it. I've even got a smartphone app that scans ports on the LAN but don't have a Superhub to check what the current firmware does.

[ccarmock]

Well it exposes itself with that login banner....

[Kymmy]

If you wish to PM the IP address of the hub I'll check to see if the port is open

[Milambar]

Technically, I've broken VM's ToS with this, which specifically prohibits portscanning, but..

Code:

username@fileserver:~$ sudo nmap -sS -P0 -p -1024 <myownip>

Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-30 10:26 GMT
Interesting ports on <myhost> (<myip>):
Not shown: 1023 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds

No telnet port open here, and Im on a superhub, firmware V5.5.2R30.

Yes, I know port 22 is open, I specifically opened it.

[Kymmy]

Quote:

Originally Posted by Milambar

No telnet port open here, and Im on a superhub, firmware V5.5.2R30.

Yes, I know port 22 is open, I specifically opened it.

He's on a business hub not a residential hub so different firmware

[Milambar]

Ah, okay, I missed that bit.

[Kymmy]

On the two IP's sent to me I get no response on SSH or Telnet

[kwikbreaks]

Quote:

Originally Posted by ccarmock

Well it exposes itself with that login banner....

That was the business hub - I was interested to know if they'd made yet another error with the standard hub which is in half a million homes...

[ccarmock]

Thanks for testing Kymmy. I do get a login from the first of the two IP addresses I sent out and also the internal one.

I wonder if some filtering is going on somewhere as the event log has now two rejected Telnet logins from different external IP addresses.