For ease of writing, I’m going to use 188.8.131.52 through 184.108.40.206 to refer to the IP addresses.
The modem itself is assigned the fifth IP address, (.5).
What this meant was that sometime in March 2012, Qwest / Century Link pushed out an update to the modem that in essence implanted a backdoor into the Action Tec m1000 modem, but it was a backdoor that affected every IP address that it routed for.
Furthermore, the modem was purchased (not leased) by my client. The client has been working through a lot of PCI compliance requirements and moved their 30-year-old non-profit quite a ways into the 21st century through no small efforts over the course of a few years.
As I read the history, my shock was only paralleled by my anger.
There was a time when my client had passed the scan on their office’s WAN IP address.
I know each of the firewall rules almost by heart and you can count what’s allowed through the firewall using the fingers on one hand. Only email, an https user portal, and a VPN end point have rules allowing traffic.

I accepted the error, knowing that it was the proper certificate for the little modem, and then saw a login box: Okay so that’s all norm… Waves of confusion and anger swept over me as I stared at the information home page for the modem’s web administration interface. There’s not even a redirect to the https site that’s on port 443. Keep in mind that’s the modem’s IP address, but it was that strange port I used on the firewall’s IP address that was sending me to the modem’s administration page.

I then tried , the IP address that has never had anything assigned to it in the seven years this client has leased the /29 block. If I the entire netblock, every IP address, regardless of whether there’s a device assigned to it or not, even the network and broadcast addresses, will show a response on port 4567.
Nmap likes to say that it’s the TRAM service purely based on the IANA’s Service Name and Transport Protocol Port Number Registry document.
This happened entirely without my client’s action or knowledge. When looking into this trouble, I did not find any documentation within the organization that made reference to those ports as being opened or forwarded to an internal device.

Here is an example of the remarks on a failing scan of port 4567:

Description: Web Server Uses Basic Authentication Without HTTPS
Synopsis: The remote web server seems to transmit credentials in clear text.
Impact: The remote web server contains web pages that are protected by ‘Basic’ authentication over plain text.

When telnetting to the socket, I would get the following error:

Escape character is '^]'.

Or more accurately, the dim recesses of a distant corner of my memory began to glow. Let me be the first to say that TRAM is not what’s running on port 4567 of this Century Link modem. At this point, I began to wonder just how long this had been going on.

So let me get this straight: I can turn on the remote management page for the modem, which does a few things for me: Even if I turn off the “official” remote administration option within the modem, port 4567 is still open, still accepting only HTTP traffic, and I can still log in with full administrator privileges with the exact same account that the official administration page requires.

What is the other port that the PCI compliance scans would occasionally flag as having vulnerable services running? After briefly considering a new career as an alcoholic, I decided to delve into this client’s past and check the company that performs the PCI compliance scans for a detailed history. My client’s dashboard of information at the PCI scanning company came complete with a detailed history of each scan.
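If you administer a small block like this one and want to check it yourself rather than wait for the next quarterly scan, the following script walks every address of a /29, including the network and broadcast addresses that the post says also answered, probes port 4567, and flags the exact condition the PCI report complained about: an HTTP 401 with a Basic challenge on a plain, non-TLS socket. This is an added example, not code from the original post or from the modem vendor; the port number and /29 size come from the post, while 192.0.2.0/29 is a documentation range used as a placeholder and the classification names are my own.

```python
# Added example (not from the original post): audit a whole netblock for an
# HTTP admin service on a port that no firewall rule should permit, and flag
# HTTP Basic authentication offered without TLS. 192.0.2.0/29 is a placeholder
# documentation range; replace it with your own block.
import ipaddress
import socket

PROBE_PORT = 4567        # the port the post's PCI scans kept flagging
CONNECT_TIMEOUT = 2.0    # seconds; embedded web servers answer fast or not at all


def classify_response(raw: bytes) -> str:
    """Classify the first bytes returned after a minimal HTTP GET.

    Verdicts (names are this example's own):
      'no-response'          -- connection accepted but nothing came back
      'not-http'             -- something answered, but not with an HTTP status line
      'basic-auth-over-http' -- 401 carrying 'WWW-Authenticate: Basic' on a plain
                                socket: the "credentials in clear text" finding
      'http'                 -- any other HTTP reply (still unexpected on a closed port)
    """
    if not raw:
        return "no-response"
    if not raw.startswith(b"HTTP/"):
        return "not-http"
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_parts = lines[0].split()
    status = status_parts[1] if len(status_parts) > 1 else b""
    basic_challenge = any(
        line.lower().startswith(b"www-authenticate:") and b"basic" in line.lower()
        for line in lines[1:]
    )
    if status == b"401" and basic_challenge:
        return "basic-auth-over-http"
    return "http"


def netblock_addresses(cidr: str) -> list:
    """Every address in the block, network and broadcast included.

    ip_network(...).hosts() would skip those two; the post's observation is
    that even they answered, so the whole block is walked on purpose.
    """
    return [str(addr) for addr in ipaddress.ip_network(cidr, strict=False)]


def probe(ip: str, port: int = PROBE_PORT, timeout: float = CONNECT_TIMEOUT) -> str:
    """Open a plain TCP socket, send a bare GET, and classify the reply."""
    try:
        conn = socket.create_connection((ip, port), timeout=timeout)
    except OSError:
        return "closed"           # refused, unreachable, or timed out on connect
    with conn:
        conn.settimeout(timeout)
        chunks = []
        try:
            conn.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % ip.encode())
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if b"\r\n\r\n" in b"".join(chunks):
                    break             # headers complete; body not needed
        except OSError:
            pass                      # classify whatever arrived before the error
    return classify_response(b"".join(chunks))


def audit_netblock(cidr: str, port: int = PROBE_PORT) -> dict:
    """Map each address in the block to its verdict."""
    return {ip: probe(ip, port) for ip in netblock_addresses(cidr)}


def unexpected_exposures(results: dict) -> list:
    """Addresses that answered at all on a port the firewall should be blocking."""
    return [ip for ip, verdict in results.items() if verdict != "closed"]


if __name__ == "__main__":
    findings = audit_netblock("192.0.2.0/29")   # placeholder block
    for ip, verdict in findings.items():
        print(f"{ip}:{PROBE_PORT}  {verdict}")
    print("answering:", unexpected_exposures(findings))
```

Run it from outside the firewall against your own block; a healthy result is every address reporting `closed`. Any address that comes back `basic-auth-over-http` is exactly the condition the scan report describes, and any other non-closed verdict still deserves a look, because the point of the post is that no rule on the firewall allowed that port at all.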