
FTP server hidden in router?

Ductape
Explorer
Hey, I need some serious tech help; this issue has got me scratching my head big time.

I have a LAN at home, like most, and the terminal equipment is a Zyxel C1100Z, an all-in-one DSL modem, router and wireless AP. I have in the past operated an FTP server on the LAN for storing security video, no problems. Set up port forwarding (21) in the router and all was well. I recently changed hardware and got a nice little Western Digital NAS which incorporates FTP support, which is where this saga began. I soon discovered the NAS only supported anonymous login, which was a problem, as it was vulnerable to having hackers plant stuff on the FTP site.

So, I shut down that FTP function for the time being... and while ensuring all the vulnerabilities are closed, I've come across something I can't figure out. When I scan my network for open ports, 21 keeps showing up as open. And it seems to be internal to the router. I have scanned every device individually on the network, and 21 only shows up on the router, and it shows up there whether scanned from the LAN side or if I scan it from the public (WAN) side.
Port forwarding for 21 is definitely removed from the forwarding table.
UPnP is turned off in the router; I read that could expose port 21 if enabled.

Making it even more interesting is when I try to connect to the FTP site, it's giving me a response.

When I try to connect from the WAN side I've used an FTP client on my phone (which is not on the LAN WiFi). I get responses such as:
"220 Ftp firmware update utility"
I get a login dialog (I don't have valid credentials, of course).
Then I get "421 Login incorrect".

I've used my Windows 10 laptop on the LAN side, and again I get a login prompt, indicating the client has found a server at the router's address on port 21. I've tried logging in here using the default login for router admin, and it seems to open, but there are no contents, and if I try to create a folder or make a change it pops up an error dialog with "200 transfer type changed to ascii" and then "227 Entering Passive Mode".

So.... it appears to me that possibly Zyxel plants an FTP server inside their modem, perhaps as a platform for rolling out updates to firmware? But if that's true, then how does it coexist with FTP servers behind the router using port 21 (which it has successfully done)?

Any help from network or router Gurus who can help me figure out what's going on is much appreciated!
49 States, 6 Provinces, 2 Territories...
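To tell whether the listener on port 21 is the router's own service or a forwarded LAN host, it helps to grab and parse the FTP greeting from both the LAN and WAN addresses and compare them. This is an added example, not code from the original thread; the "220 Ftp firmware update utility" greeting is the one quoted above, and the host addresses are left to the caller.

```python
import socket

# Greeting quoted in the original post, reused here as constructed test input.
SAMPLE_BANNER = b"220 Ftp firmware update utility\r\n"


def parse_ftp_reply(data: bytes):
    """Parse an FTP reply (RFC 959), incl. multi-line 'nnn-' form; None if incomplete."""
    lines = data.decode("ascii", errors="replace").split("\r\n")
    first = lines[0]
    if len(first) < 3 or not first[:3].isdigit():
        return None
    code = int(first[:3])
    if len(first) > 3 and first[3] == "-":
        # Multi-line reply: continues until a line that begins with 'nnn '.
        msg = [first[4:]]
        for line in lines[1:]:
            if line.startswith(f"{code} "):
                msg.append(line[4:])
                return code, "\n".join(msg).strip()
            msg.append(line)
        return None  # terminator not seen yet
    return code, first[4:].strip()


def classify_greeting(code: int, text: str) -> str:
    """Label what answered on port 21 using only the greeting text."""
    if code != 220:
        return "unexpected reply"
    if "firmware" in text.lower():
        return "router firmware-update service"
    return "generic FTP service"


def grab_greeting(host: str, port: int = 21, timeout: float = 3.0):
    """Connect, read the greeting, send QUIT, and return the parsed reply or None."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        while len(buf) < 4096:  # bound the read so a chatty peer cannot stall us
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
            reply = parse_ftp_reply(buf)
            if reply is not None:
                sock.sendall(b"QUIT\r\n")
                return reply
    return None
```

Call grab_greeting() once with the router's LAN address and once with its public address; if both return the same firmware-update greeting while the forwarding table is empty, the listener is the router's own and not a forwarded host.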
3 REPLIES

garry1p
Explorer
I am not a network-knowledgeable person but do get in trouble playing around with this stuff.
Using a Wi-Fi finder app that also showed security, I did find that a second router (double NAT) increased my security from 2 stars to 5 stars (max is 5).

Also, the port scanner found no open ports, and I have a camera/DVR system I access every day.

For some reason our cell phones only work on the primary router, which I suspect is due to the double NAT, but that is not a problem.
Garry1p


1990 Holiday Rambler Aluma Lite XL
454 on P-30 Chassis
1999 Jeep Cherokee sport

Ductape
Explorer
Eric, thank you for your thoughts on this curious situation. Good suggestions, all.

It's odd, the router responds to login requests from both the WAN and LAN side. For the time being I have enabled the firewall on the router and blocked FTP. Then I enabled FTP on the NAS again, and verified the NAS can't be reached from the outside, but it's accessible to the LAN. Which suits my basic need. It would be "nice" to access the FTP from afar when we're on the road, but not necessary. The WD NAS is actually just a hidden backup for the video on the main NVR.

I like your suggestion to insert another router to act as a real firewall. Nobody's going to dig through two consecutive devices to get at my stuff. We're certainly not a high value target by any means.

We do like to have access to the camera systems from the road, it brings a lot of peace of mind to see everything is OK, and sometimes I see things needing attention before the house watchers do. But having your network remotely accessible sure brings along some security flaws.

Thanks again for your ideas on plugging the leaks!
49 States, 6 Provinces, 2 Territories...

Eric_Lisa
Explorer II
Interesting situation. I don't know if I have a definitive answer, but I do have some suggestions. First of all, high marks for monitoring your network ports, etc. That takes you to the front of the class, ahead of most people!

- Have you updated the firmware on the modem recently? There have been a lot of compromises lately on these types of devices, including re-writing the firmware by attackers. When they do, they conveniently change the built-in 'update now' function to point to their modified firmware. Go to the manufacturer's website and download known good firmware to apply; don't use the built-in update function.

- This looks like the type of modem/router that can have an external USB drive plugged into it, which can be used for simplified NAS storage. It doesn't look like this is a feature of this particular Centurytel revised model, but that doesn't mean it isn't capable of doing so, especially if the firmware was modified. Maybe that was somehow activated and that is the FTP service you see on the router's internal IP address?

- FTP is a clear-text protocol. So while not having a password on the WD NAS FTP service seems weak, it is only slightly worse than a visible password. Any attacker that wants access to an FTP server can easily sniff out the credentials.

- I am not sure how you are hitting the FTP on the router. Are you hitting the internal private IP, or the external public IP? And if you are testing from inside the network, is the router doing something funky to redirect you since it sees you as being internal?

- Check out Steve Gibson's Shields UP! to see what you have externally open. https://www.grc.com/shieldsup

- You may not want to hear this.... But consider doing a 'Double NAT' network design with your own personal device running your network. Your connection would be ISP --> ISP's modem/router --> Your firewall/router --> Your network. There have been stories all over the tech news about crappy ISP provided devices with vulnerabilities which lead to network compromise. If you double NAT, then the only thing a bad actor can get to is the external WAN port of the firewall/router that YOU maintain. (Note, your ISP has access to this modem - and therefore your network. I don't trust them to be responsible with that access.)

- You sound like a technically able person who is more advanced than a typical home user. Check out Ubiquiti's UniFi network gear. I went all in with them at home: five switches, nine wireless access points, security gateway, cloud management, etc. But I also have a bit over 75 devices on my home network too... a consequence of being a techie in real life.

Good luck!
-Eric
Eric & Lisa - Oregon
'97 Silverado K2500, New HT383 motor!, Airbags, anti-sway bar
'03 Lance model 1030, generator, solar,