One cisco router and the case of the phantom ports

Ok, an apology first, yes I know it’s been nearly a month since my last one but I’ve been busy, and secondly i did have some more asterisk goodies but that will have to wait until next time.

So let’s begin…

Some of you may have heard of the excellent tool for mapping your networks called "look@lan" (Recentley renamed to ‘Fing’), I’ve used it off and on here and there for some time now, and was just doing some routine lan scanning and mapping to make sure everything was as it should be.

As the scan encountered my router I noticed in the port list that it was being reported that I had several well known ports open on my router that shouldn’t have been, this of course was quite alarming and made me stop and check just to make sure that it had not been compromised in any way.

After seeing the port list, which included 8080/3125/80/25/110 (in human form, http-proxy/user/WWW/SMTP/POP3) the tool was basically saying to me hey look your router is running a web server + proxy, and an inbound/outbound email service.

Now most routers have some kind of web control panel on these days, so it’s not unusual to see port 80 being opened, however in my case I know the only port that should be open is a console port.

Like any sensible test method, the first thing to do was to break out putty, putty is a terminal emulator that will do SSH/telnet/raw and serial connections to ANY network service you desire, you can download it from the putty website and I strongly advise this to be one tool EVERY I.T person should have in their computer tool kit.

Testing the connections with putty showed them all to be live, and more alarmingly trying to send an email to the SMTP service apparently on my router succeeded, to test an email send using putty, you should run putty, then put the ip address of the server in the address box, followed by 25 in the port and set the socket type to raw, once you click open you should then type the following:

mail from: <>
rcpt to: <>
<type message here>

Between each line you’ll get a response from the mail server, and the senders/recivers address can be any address you like (Just remember if the email fails then it’ll get sent back to the senders address with an error report)

For several hours I observed somthing on my PC trying to connect to my router over and over again to send the email, but it wasn’t until sometime later I actually relised what was going on!!!

The clue was in the fact that my Email inbox recieved email non delivery reports from……   my anti virus software!!!!   In this case AVG

All of a sudden, it all made sense.

AVG has an in/outbound email scanner, and so intercepts ports 25/110 so that any communication from my local machine to the mail server is intercepted and scanned in real time, whats not obvious however is that the software caches then attempts to send the data.

This in turn lead me to believe that the actual destination port was open on the router, when in actual fact it wasn’t.  It was AVG that was accepting the email to be sent, which it then for the next several hours attempted to deliver to my router thinking it was a real destination mail server.  Seeing this in my packet scanner, I was under the impression that some other application was trying to send email to my router and that AVG was intercepting it as it was supposed to, when it actual fact it was AVG that was trying to send it!!!

After a little more digging, the other ports that appeared to be open where a similar thing, the only difference was that these where being handled by my anti-spyware and webfiltering software.

The Moral of the story.

Transparent filtering and invisible protection is a great thing for peace of mind, but DO check your anti virus and/or firewall/anti-spyware settings.  Too many times have I’ve come accross people who have had bad things to say about thier choice of protection, but it’s not beacuse thier choice or the software was bad, it was simply beacuse they didn’t go in and check everything, they made the worst mistake they could and assumed beacuse they installed anti-virus everything was then it was ok.

You absolutley MUST check default settings and passwords, just to make sure that nothing is overlooked.

In my case it was the opposite way round, I thought I had a security breach, and so wasted a good few hours chasing a red herring, if I’d taken my own advice I would have realised sooner, and not spent the time I did trying to trace somthing that was never there in the first place.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s