
Random TCP port open on Cisco ASR 9001

Channels
Level 1

Hello everyone,
I have a security problem on a set of Cisco ASR 9001 routers with Cisco IOS XR Version 6.9.2.
Our Nessus port scanner detects an open TCP port on the interface IP addresses, for example 46581 or 52861.

It doesn't matter if it's an Ethernet interface IP or the loopback.

Example:
root@monito:~$ telnet x.130 46581
Trying x.130...
telnet: Unable to connect to remote host: Connection reset by peer
root@monito:~$ telnet x.131 46581
Trying x.131...
telnet: Unable to connect to remote host: Connection refused
root@monito:~$ telnet x.132 46581
Trying x.132...
telnet: Unable to connect to remote host: Connection refused
root@monito:~$ telnet x.131 52861
Trying x.131...
Connected to x.131.
Escape character is '^]'.
^C

Do you have any idea what is running behind these ports?

5 Replies

Channels
Level 1

Hey,

after rebooting the router, port 38478 is now open.

Is this a backdoor from the NSA or the Chinese?

Do you have SNMP to the internet?

If yes, use:

snmp-server community public ro 10
ip access-list standard 10
 deny any log

Do the above and check the log.

MHM

I have:

snmp-server community public RO IPv4 MGMTv4 IPv6 MGMTv6
ntp access-group ipv4 peer MGMTv4
ssh server vrf Mgmt ipv4 access-list MGMTv4 ipv6 access-list MGMTv6
ssh server vrf default ipv4 access-list MGMTv4 ipv6 access-list MGMTv6

ipv6 access-list MGMTv6 10 remark ---- Management ----
ipv6 access-list MGMTv6 11 permit ipv6 xx00::/48 any
ipv4 access-list MGMTv4 10 remark ---- Management ----
ipv4 access-list MGMTv4 11 permit ipv4 xx.0/24 any



That only covers SSH.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

balaji.bandi
Hall of Fame

Maybe check for any vulnerability on that XR version and apply an ACL on the outside interface.

BB
