Interesting situation. I don't know if I have a definitive answer, but I do have some suggestions. First of all, high marks for monitoring your network ports, etc. That takes you to the front of the class, ahead of most people!
- Have you updated the firmware on the modem recently? There have been a lot of compromises lately on these types of devices, including re-writing the firmware by attackers. When they do, they conveniently change the built-in 'update now' function to point to their modified firmware. Go to the manufacturer's website and download known good firmware to apply; don't use the built-in update function.
- This looks like the type of modem/router that can have an external USB drive plugged into it, which can be used for simplified NAS storage. It doesn't look like this is a feature of this particular Centurytel revised model, but that doesn't mean it isn't capable of doing so - especially if the firmware was modified. Maybe that was somehow activated and that is the FTP service you see on the router's internal IP address??
- FTP is a clear-text protocol. So while not having a password on the WD NAS FTP service seems weak, it is only slightly worse than a visible password. Any attacker that wants access to an FTP server can easily sniff out the credentials.
- I am not sure how you are hitting the FTP on the router. Are you hitting the internal private IP, or the external public IP? And if you are testing from inside the network, is the router doing something funky to redirect you since it sees you as being internal?
- Check out Steve Gibson's Shields UP! to see what you have externally open.
https://www.grc.com/shieldsup
- You may not want to hear this.... But consider doing a 'Double NAT' network design with your own personal device running your network. Your connection would be ISP --> ISP's modem/router --> Your firewall/router --> Your network. There have been stories all over the tech news about crappy ISP provided devices with vulnerabilities which lead to network compromise. If you double NAT, then the only thing a bad actor can get to is the external WAN port of the firewall/router that YOU maintain. (Note, your ISP has access to this modem - and therefore your network. I don't trust them to be responsible with that access.)
- You sound like a technically able person who is more advanced than a typical home user. Check out Ubiquiti's UniFi network gear. I went all in with them at home - five switches, nine wireless access points, security gateway, cloud management, etc. But I also have a bit over 75 devices on my home network too....a consequence of being a techie in real life.
Good luck!
-Eric
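
An added example, not part of the post above: an audit of an FTP control-channel transcript (taken from your own network capture) that reports what a passive observer on the path could read, illustrating the clear-text point about the NAS FTP service. The transcripts, the user name and the function name `audit_ftp_control` are constructed for illustration.

```python
# Constructed sample transcripts: (direction, line) as seen on TCP port 21.
# 'C' = client to server, 'S' = server to client.
NO_PASSWORD = [("S", "220 NAS FTP ready"), ("C", "USER admin"),
               ("S", "331 Password required"), ("C", "PASS "),
               ("S", "230 Logged in")]
WITH_PASSWORD = [("S", "220 NAS FTP ready"), ("C", "USER admin"),
                 ("S", "331 Password required"),
                 ("C", "PASS constructed-secret"), ("S", "230 Logged in")]
EXPLICIT_TLS = [("S", "220 NAS FTP ready"), ("C", "AUTH TLS"),
                ("S", "234 Proceed with negotiation")]


def audit_ftp_control(lines):
    """Report what is readable on the wire for one FTP control session.

    The password value is never stored; only the fact that it was exposed.
    """
    finding = {"user": None, "password_exposed": False,
               "empty_password": False, "tls_upgraded": False}
    auth_pending = False
    for direction, text in lines:
        if direction == "S":
            # A 234 reply to AUTH means the channel switches to TLS
            # (explicit FTPS); everything after it is ciphertext.
            if auth_pending and text.startswith("234"):
                finding["tls_upgraded"] = True
                break
            auth_pending = False
            continue
        verb, _, arg = text.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            auth_pending = True
        elif verb == "USER":
            finding["user"] = arg
        elif verb == "PASS":
            finding["password_exposed"] = True
            finding["empty_password"] = (arg == "")
    return finding


if __name__ == "__main__":
    for name, session in [("no password", NO_PASSWORD),
                          ("with password", WITH_PASSWORD),
                          ("explicit TLS", EXPLICIT_TLS)]:
        print(name, audit_ftp_control(session))
```

In both plain sessions the user name and the PASS command are visible to anyone on the path; only the session that upgrades with AUTH TLS hides them.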