Melissa_F
Moderator
Message 31 of 79
Helpful Answer

Re: UPDATERe: TR-069 PROTOCOL

Hi ALF28,

I've had an update from the team for you.

They have advised that this is a standard port that is seen open by the team. It is used for communications to the modem for updates and Virgin Media back office diagnostics.

I hope that helps to clear things up.

Thanks

Melissa

用心棒
Very Insightful Person
Message 32 of 79


@Melissa_F wrote:

They have advised that this is a standard port that is seen open by the team. It is used for communications to the modem for updates and Virgin Media back office diagnostics.


Seen open by the team and anyone else who cares to probe; let us hope any vulnerabilities that exist are not exploitable.

Anonymous
Message 33 of 79

I might have to research that. I wanna throw some commands at it. How many connections can I open to the port before the modem gives up? DDoS? Maybe.

This needs some security "research" 😛

ALF28
Well-informed
Message 34 of 79

Thanks for the feedback on open port 7547.

Do not use hub default passwords; always change them for both the settings page and wifi, which makes hacking more difficult.

Tried my old TP-Link router today and it had so many vulnerabilities - 9 - that the Virgin Hub 3 is more secure and updated regularly with firmware.

I looked at ports on my laptops using the netstat command and was amazed at how many ports were connected, so have reset the Windows firewall to default settings; many connections were unknown and strange.

Regarding open port 7547, I would hope Virgin would themselves monitor/test the port for security implications, and some members do have concerns.

All other ports connecting from the hub to the internet are filtered by Virgin so secure.

A hacker can try to connect to every computer connection in the UK in one day, and other equipment that is connected like printers, TVs, etc.

Security is easily compromised; had some malware today but got rid of it with Windows Defender.

alf28

ALF28
Well-informed
Message 35 of 79

Open ports - can they be hacked? Just wondered.

To take advantage of open ports hackers need to find a vulnerability in a programme; not sure if this would apply to the Virgin open port 7547, depends what it is doing and the software used and if it is not up to date/has a vulnerability.

How the hacker can make use of an open port relies completely on there being an insecure program on your computer. For example if a packet arrives destined for port 99, and there is an application listening for communication on port 99 and that application can be taken over by sending it certain information - then a hacker that knows about this vulnerability (or using a tool that knows about it) can take over that program.

For the full article see https://www.quora.com/What-is-the-use-of-open-ports-for-a-hacker.

Firewalls can normally be set up to block any chosen port, but hub firewalls depend on whether the router is the ISP's or your own router; it is the first line of defence but not as good as the expensive hardware firewalls that companies use, which can cost £1000s.

alf28

legacy1
Alessandro Volta
Message 36 of 79

Just port forward 7547 to some IP and see if that port is open when that's done.
ALF28
Well-informed
Message 37 of 79

Not sure how to do that (forward the port) and what IP it could be sent to; would this then protect computers connected to the hub?

Would forwarding port 7547 prevent updates of hub/firmware and normal operation?

The port 7547 remains open for operational reasons (same as BT hubs) and is not filtered or closed after updates but is listening 24/7.

My port 7547 may have been "closed": if infected, hackers "close" the port 7547 to stop it listening; hackers can then open port 80. Rebooting opens port 7547, clearing the infection until it is re-infected. That is why I detected port 7547 recently after reboots; I had not noticed it before on router checks, but it is not a common port so most port scanners do not test this port. I found it using a router check app on Android which displayed a vulnerability.

Attacks on port 7547 in the past include botnets; see https://www.liquidvpn.com/new-router-hack-discovered-targets-port-7547/

Also interesting: https://www.virginmedia.com/help/mirai-malware-alert

alf28

jamesmacwhite
Up to speed
Message 38 of 79
Helpful Answer

I came across this today, not because I'm directly affected but because a previous Virgin Media IP address I had was being monitored by shodan.io. My IP changed recently, in what looks like some recent network segmentation changes. My old IP, which was still being monitored as I hadn't changed it, is now showing 7547 TCP as open, which I know is CWMP/TR-069. I've never seen it directly open before, but I've not used router mode for years on any Virgin Media router/modem device, so it could be that, having been in modem mode for many years, I could never have noticed.

Is this something that's been common with router mode?

OP mentioned their area reference was 30, I'm the same, so I found that interesting.

You certainly aren't alone. Shodan.io is tracking over 200k other VM IPs with TR-069 open: https://beta.shodan.io/search?query=org%3A%22Virgin+Media%22+port%3A%227547%22

ALF28
Well-informed
Message 39 of 79

James

My IP address switched a week ago; the old IP address is still active and with the same location.

Following the switch I had strange behaviour on Saturday, with my wifi connection reading open (no password for a few minutes).

I also lost access to the hub settings page and had to reboot; all these events happened after my IP address changed.

I then did some checks and found the open port 7547; I had not seen this before on my old IP address.

Regarding modem mode, I am unsure if port 7547 still functions, but it may be used when switching back to router mode.

Shodan - not used this before, but it requires registration so I have not tried it; it can be used to search for internet connections and equipment and is very useful for hackers.

I am using router mode at the moment; my own TP-Link router is outdated, so I stopped using modem mode and rely on the Hub 3 now.

If I do a port 7547 check, it is now open on both my new and old IP addresses, both in the same location.

Even more interesting -

Old IP addresses I have had via Virgin - checked all to see the status of port 7547 (router or modem mode, used both), all tested 21/10/2020 with Yougetsignal.

(Note that I kept a record of my old IP addresses.)

my town - new IP address 17/10/2020 - port 7547 open (new) - me
my town - old IP address - re-allocated - port 7547 now open (was closed) - 17/10/2020 another customer given my old IP
my town - old IP address - re-allocated - port 7547 closed - another customer
my town - old IP address - re-allocated - port 7547 closed - another customer
my old IP address, Walthamstow - re-allocated - port 7547 closed - another customer
my old IP address, Rotherham - re-allocated - port 7547 open - another customer
my old IP address, Shrewsbury - re-allocated - port 7547 closed - another customer
my old IP address, Portsmouth - re-allocated - port 7547 open - another customer

Conclusions -

The port 7547 used for CWMP/TR-069 can be either closed or open depending on the Virgin IP address.

Virgin have mentioned this is a standard port used for their updates, diagnostics and back office (listening port).

That being the case, why do some customers have a closed port 7547 and some have an open port 7547?

Is this because some are in modem mode so port 7547 is not used, or could the port 7547 be open for some customers and closed for others?

I only noticed the port was open on Saturday. I do a router check, which I have been doing for a year, but it did not show as an open port but as a vulnerability: a port used for the TR-069 protocol, which is commonly found (usual). I then tested the port and found it open to the internet, which means it could be hacked if someone had the skill to do that; any open port is a target.

I presume, James, that your new IP address port 7547 is closed; does it still show in modem mode as a closed/open or filtered port in a port scan?

Normal port scans ignore this port 7547; a scan requires an individual port scan. I used Yougetsignal.

Alf28
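
One way to repeat the open/closed/filtered check from the post above against a connection you are responsible for, and to flag a change such as "now open (was closed)". This is an added example, not part of the original thread; the names `probe` and `changes` and the local listener standing in for a hub are assumptions of the example.

```python
import socket

CWMP_PORT = 7547  # TR-069/CWMP port discussed in the thread


def probe(host, port=CWMP_PORT, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    open     - the TCP handshake completed, so something is listening
    closed   - the host answered with a reset, so nothing is listening
    filtered - no answer or an unreachable error (traffic dropped on the way)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts and unreachable-network errors land here
        return "filtered"


def changes(previous, current):
    """Return (label, old_state, new_state) for each label whose state changed."""
    return [
        (label, previous[label], state)
        for label, state in sorted(current.items())
        if label in previous and previous[label] != state
    ]


if __name__ == "__main__":
    # Constructed offline demo: a local listener stands in for the hub's WAN side.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    before = {"my connection": "closed"}  # state noted on an earlier check
    now = {"my connection": probe("127.0.0.1", port)}
    print(now, changes(before, now))      # open, and reported as a change

    listener.close()
    print(probe("127.0.0.1", port))       # closed once nothing is listening
```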

 

 

 

 

jamesmacwhite
Up to speed
Message 40 of 79
Helpful Answer

I have never seen TCP 7547 open before, but my long time use of modem mode may be why. Under modem mode TCP 7547 isn't open on LAN side or WAN but as the Hub3 isn't handling NAT and such, that would be why. I find it strange though, because I know VM can log into the modem in modem mode as I've seen it done, so they can access the management side when it's under the 10.0.0.0/8 subnet. It seems odd to have 7547 exposed to all on the WAN. Of course, it looks like there are restrictions in place when you try and query the port, but if there is a vulnerability found, good luck. You'd think perhaps the port being open would be restricted to Virgin Media's management systems under a select set of IP ranges, rather than all, but the port being open, doesn't necessarily mean you can do anything.

However the random nature of some being open and some not is interesting. My parent has a VM connection in the same area as me, they are using the Hub3 in router mode, port 7547 is not open on their IP. I use shodan to monitor IPs and it has never pinged any listening service for CWMP, so it's not consistent.

Shodan basically probes anything that's on the internet and maps it. Sure, it's useful for hackers, but it's also a useful project for security researchers and other non-criminal purposes too. I didn't realise you couldn't see the data as I do have a registered account and paid plan, for my work, but I can tell you as of right now, the count of TCP 7547 being open found by Shodan is now 421,932 (at the time of querying); yesterday this was around 235,000 and was increasing every few minutes. If this was happening before, you'd expect the number to be significantly higher given the number of VM customers.

[Image: Shodan search result for Port 7547]