A Tale of Two Modems: Can you explain this Open Port Mystery?
I switch from Comcast to Qwest High Speed Internet because it's a better price at the moment for a higher bandwidth. I return the Comcast modem and purchase a new ActionTec M1000 (the wireless config) from my local BestBuy ($70). It has a nice Qwest logo on it that lights up. I connect it and use an online installation disc (V7.3) that Qwest sent to me to activate my account. The disc runs smoothly, the modem is detected, and I connect to the Internet with no problem. I can now go online to http://192.168.0.1 and see my status or make adjustments. The first thing I find out is the modem's firewall is set to "off" by default. I turn it on and create a custom configuration removing all inbound ports and only leaving http and https for outbound.
After installing the free ZoneAlarm personal firewall (set for "high" on Internet Zone Security), I go to the online scan for Symantec to check for vulnerabilities. After the scan, the results tell me a port is apparently not "stealth" but is open and vulnerable to the "Filenail" Trojan virus. I go to ShieldsUp!! port scan and find indeed this port is open. I check with TCPView to see port activity on my computer, and nothing is listening at 4567. That means it must be my modem. After doing more research I find that others have found this port is left open at the modem supposedly so that firmware updates can be pushed. Plus, another port, 51080, is also routinely found to be open at this modem for some reason. Indeed, to my surprise I find that a port scan of my system reveals port 51080 is open with no application listening there.
I don't like when I know there are vulnerabilities on my system, even if there's only a remote chance of a hack. Plus, the idea that the people at Qwest or ActionTec might be listening in whenever they please because of a built-in vulnerability to the modem just doesn't sit right with me. I realize that running the ZoneAlarm firewall would probably stop an intrusion into my computer (at least an attempt at an outbound connection by an unknown application), but STILL I know I can't configure the modem itself to block a port unless I get into port forwarding to a fictitious IP address using the online configuration for the M1000 modem, and I shouldn't have to screw with it!
So, now that I've had my first experience with a DSL modem I decide to do an experiment. My local BestBuy sells another ActionTec modem, the GT701D. It's $20 cheaper than the M1000, says it's compatible with Qwest but doesn't say "Qwest" on it anywhere. In fact, as a side note, I was told by Qwest customer reps that the only modem I can use in my area for ADSL2 and a bandwidth above 7Mbps is the ActionTec PK5000 ($99 at BestBuy), but I knew this wasn't right because even the M1000 can be used for ADSL2 type connections, too. I decide I'm going to try the GT701D and if my hunch is right I will A) save $20 on a DSL modem and B) have a modem without certain ports being vulnerable to intrusions.
I must admit the setup of the GT701D was anything but smooth, but that was partly because (blushing) the phone cable for the DSL line in wasn't sitting quite right in the modem jack. Here's where it gets interesting. I couldn't auto-configure this modem with the Qwest CD that was sent to me for activation of my account (it couldn't "detect" my modem), and I'm almost glad I didn't. I had to manually change the DSL settings online at the modem setup page and change two things with some help from a Qwest tech on the phone: The VCI (32-65535) had to be changed to 32 and the mode had to be set to ADSL2. Once that was done I connected with the new modem.
After customizing the modem firewall, just as I did with the M1000, I again did the online scan with Symantec. What does it tell me? No vulnerable ports.
I go to ShieldsUp!! and check the two ports I know were being scanned as open. Results:
Port 4567: STEALTH
Port 51080: STEALTH
BOTH ports were open with the M1000 Modem. Both ports are now closed. I saved $20 and got a more secure modem?
I read on the Huffington Post website that for all any of us know the government is requiring modem makers to leave certain ports available to make it easier to listen in on someone's computer activity. I don't know if I'd go that far, but I'm wondering how many users have no clue that their modems have ports open to the whole web? The Filenail trojan may not be too malicious, but who knows what could happen if experienced attackers find out about these ports being vulnerable. I just wanted to share my experience so that others who might know more about this might get a chuckle out of it. This is the kind of headache it's taking now to secure your own system.
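The attribution step described in the post (the scan shows a port open, nothing on the PC listens on it, so the modem must be answering), as an added example that is not part of the original post. It assumes the PC's listener list is available as `netstat -an` style text; the sample output, function names and labels are constructed for illustration.

```python
import re

# Constructed sample in the style of Windows `netstat -an` (not from the post).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:51080        0.0.0.0:0              LISTENING
  TCP    192.168.0.2:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.2:49712      203.0.113.10:443       ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:4567           *:*
"""

# Only TCP sockets in LISTENING state can explain an open TCP port in a scan.
LISTEN_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)
LOOPBACK_PREFIXES = ("127.", "[::1]")


def reachable_tcp_listeners(netstat_text):
    """Return TCP ports with a listener bound to a non-loopback address."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_LINE.match(line)
        # A loopback-only listener cannot answer a scan from outside the PC.
        if m and not m.group(1).startswith(LOOPBACK_PREFIXES):
            ports.add(int(m.group(2)))
    return ports


def attribute_open_ports(scan_open, netstat_text):
    """Label each externally open TCP port by where its listener most likely is.

    'gateway-device'    : no reachable listener on the PC, so the modem/router
                          itself is answering (the conclusion drawn in the post).
    'host-or-forwarded' : the PC listens on that port; check the modem's
                          port-forwarding rules before blaming the modem.
    """
    local = reachable_tcp_listeners(netstat_text)
    return {port: ("host-or-forwarded" if port in local else "gateway-device")
            for port in sorted(scan_open)}


if __name__ == "__main__":
    # Ports the post reports as open in the external scan.
    for port, where in attribute_open_ports({4567, 51080}, SAMPLE_NETSTAT).items():
        print(port, where)
```

In the constructed sample both ports appear in the listing, but as a UDP socket and a loopback-only listener, so a plain text search for the port number would wrongly point at the PC.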