How did they get past my NAT?

[this is a repost, I also sent to]

Sorry I'm new here, not sure this is the right newsgroup to post to - I have a question that is about routers, security, and connectivity all rolled into one.

Yesterday while I was working on my desktop all of a sudden a session kicked in on my VNC server - my desktop background image disappeared and the RealVNC system tray icon turned black to indicate a session in progress. Within a couple of seconds, something hit my start menu, run dialog, "cmd", and typed "TFT" in the new command prompt window. At this point I panicked and shutdown the VNC service ASAP.

This post is not actually about the VNC problem, I found out today that the version I used had a known security flaw that allowed bypassing the password prompt. That is clearly what happened there, and could be easily fixed with upgrading to the newest version.

My question is how the attacker got to my VNC port!

Here's all the background I can muster:

- I am running an ADSL router, "Xavi" brand, "7028r" model, and it seems to run a "GlobespanVirata" chipset. This was provided to me by my previous ADSL provider, Telefonica Spain. - I have a standard NAT lan, with a variety of devices connecting to the internet through the router. - I have certain very specific ports forwarded to my desktop for remote access, peer-to-peer connectivity, etc. \\ - I am NOT forwarding either of the VNC ports (standard ports 5900 and 5800), so to my limited knowledge the VNC service should not be accessible from the internet. I have of course tested this, and found that to be correct. The VNC service is not publically accessible. - I do not have the firewall enabled on the router, because I assumed the NAT basically made it safe. I tried enabling the router firewall today but it also seems to block the services that I need to be able to access from the internet (eg HTTP, I run a small webserver), so that does not work for me. - I WAS running uTorrent at the time of the attack (and had been for a few hours) - I did get the IP address of the attacker from my VNC log, it was "", an address in germany. I have not looked for or found any further information. I guess I could try a port scan but I assume it's a zombie computer so what's the point.

Now my understanding is that "" being an internet address, for the VNC session to work that address would need to be routable - the only way that that address could be routed on my network is through the ADLS router / gateway (I think). In theory I guess there could have been some sort of local tunnel set up, but I assume that would have required a virtual network adapter to have been set up on my computer? (I saw nothing like that, and virus and spyware scans have come up clean).

If it was routed through my router, how could the attacker have convinced the router to initiate the communication to my internal port

5900 on that particular machine??? The safety of a NAT, as I understand it, is that remote hosts cannot access an internal address unless there is explicit port forwarding enabled, or the session is initiated by a host behind the NAT, is that not correct?

I guess I'm only coming to the real point of my post now - assuming that I'm on the right track, and that this communication on port 5900 was happily handled by my router, could it have been initiated my another program on my desktop, specifically the uTorrent client? I've been logging sessions on my router since this morning, and I see that client connections are opened by the uTorrent client (very frequently, thousands per hour) with random local port numbers, that slowly seem to increase / cycle. It is possible that the uTorrent client made a client connection using local port number 5900 (which was also being used by the VNC server), and the computer/remote host that the uTorrent client was connecting to took advantage of this situation to test / probe / attack the VNC server on that port?

I guess the questions are: - it it possible for a client TCP connection to be initiated by a local "client" program from a port that is already being used by a "server" program, like VNC server? - what are the chances, statistically speaking, that this would happen? Would it be worth a hacker's time to set up servers as bittorrent participants / seeds in the hopes that some client computer makes a connection using a special port (eg VNC), which could then allow the computer's VNC server to be probed / tested for the known VNC vulnerability? It's the only explanation that I can think of, but I just can't see how it would be worth a hacker's time!

Final blurb: I set up a syslog server on my desktop and have been logging all incoming and outgoing sessions from my router (generating a nasty amount of log data, but I'll put up with it). This way I'll be able to see how the session gets set up, if I ever become aware of another similar situation. I will upgrade my VNC server of course, so the attack would need to use another vector. My concern of course is that I may NOT be aware of it next time. My desktop is not hardened as a public server with all ports exposed - I'm very much counting on the fact that only specific selected ports should be accessible from outside. In theory, if any port on the desktop can be exposed, then my windows filesharing setup is just one of the things that would be vulnerable to brute-force attack. Is there anything else I can do to investigate this or help prevent future issues? Does anyone have any experience with the Xavi router or GlobespanVirata chipset that could help me get it set up to prevent this from happening again? For now I will probably install a local firewall on the desktop allowing only the servers I need to work, but that of course makes all sorts of things more complicated - file and printer sharing, VPN client software setup, HTTP proxy setup, etc etc. I just wish I could feel safe in my own network again!

Sorry about the monster first post, I would appreciate any and all feedback.

Thanks, Tao

Reply to
Loading thread data ...

NAT doesn't make it safe.

Simply ask for it? Wait until it comes up?

What about implicit forwarding, for example by protocol helper implementations?


No, but using a protocol helper you can do this for a different port.

Assuming that the timeout for the NAT table entries is five minutes, it could be a completely different source.

Then implement this concept.

Or DoS attacks.

Maybe, but unless you know the implementation....

Reply to
Sebastian G.

OK, thanks very much for the reply, although now I feel like I've been made to wear the donkey hat and stand in the corner of the classroom... :)

What do you mean by "Ask for it"? If I do that (from outside the network), I get no response, because there is no "Default host" set up behind my NAT, and no port forwarding for that port - if an explicit port forwarding has not been set up, how can a remote host "Ask for" that server? Is this something that is allowed by the average NAT but requires extra network programming skills?

But why would it ever come up? Why would that port ever be opened to the outside from that machine? The port is bound to the VNC server (so no other program on the desktop should be able to do anything with it, as I understand?), and not forwarded on the router, so there should be no reason for a NAT session entry pointing that port to the outside ever to be opened, right? (I certainly don't open VNC connections to the internet, despite my limited knowledge I am very aware that basic VNC communication is totally unprotected, both authentication and data)

Sounds interesting, what is this? Is this the sort of thing that can sometimes make regular "Active" FTP work from behind a NAT, where the firewall automatically sees the FTP control port communication and opens up/forwards the data port as required? If so, how could the router be convinced to do this for an arbitrary port? Is there some sort of standard for triggering this behaviour?

I have just tested Active FTP from behind my NAT and it did not work (to an FTP server where passive FTP is working without issues) - does that say anything about this possibility?

I've searched online for any information about "protocol helper", it seems to be synonymous with "IP helper" - I see a windows API, but that looks like it would reuire the attacker to be running arbitrary C/ C++ code on the desktop (or other device on the network?). Do you know where I could find any information about what this is, how it works etc?

OK, I'm going to show my complete lack of understanding about how NAT works here (if I haven't already :)), but it's the NAT device keeping track of the ip addresses (and some additional "magic" session information?) at both ends of the communication? What happens if two client machines try to open a connection from the same client-side port at the same time, does the NAT simply refuse one of them? I was under the impression that there could be multiple machines communicating to/from the same port from behind a NAT without problems. For that to be true, the NAT device would need to be looking at each incoming packet and sending it to the correct internal host based on some filtering logic, right (rather than a simple temporary port-to-host mapping table)? Are you saying that some arbitrary third- party IP address can send in a packet and have it be routed to a specific host behind the NAT, as long as the attacker has seen one of the packets of the communication between the legitimate remote host and the local host behind the NAT?

If I understand what you are saying correctly, and a remote attacker can actually direct arbitrary packets into any Existing NAT session by spying on a legitimate packet destined to/from the NAT-ed host, that still doesn't explain how the port session could be opened on the NAT device in the first place - is this where you are saying that the "Protocol Helper" comes in?

So... given that my ADSL connection uses PPPoA (which is non- bridgeable I believe, as opposed to PPPoE), I would need to set up a second router/firewall/NAT device like a linksys wrt54G to sit behind the telecoms-operator-provided Xavi router, forward the appropriate ports through both devices, and make sure that the firewall is turned on on the wrt54g? I can only assume that what was "missing" in my original setup was a firewall (which my adsl router claims to have, but when I turn it on all the port forwarding stops working, which sort of defeats the purpose). Or do you have any other suggestions on how this can be done using home equipment?

Meh, I'm not so concerned. Why would anyone bother? I'm a home user, I'm running a silly little website with 10 pageviews/month, my only concern is that someone gets into my machine / network and installs malicious code, spies on me, enlists my computer into a botnet of some sort, turns me into an infection vector for some or other virus / worm / trojan, etc. That would suck. It is incredibly unpleasant to have your desktop suddenly taken over via VNC, too, although I don't think that can happen again in quite the same way, I did upgrade away from the defective RealVNC version.

Not sure what you meant here - I know exactly how I have everything set up, but I don't know much about the workings / functionality of the router itself. There are no configuration manuals online or anything. In fact, I was able to get it to forward logging info to a syslog server on my desktop by browsing through and editing the "configuration backup" file, but afterwards remembered what I'd read a few months ago on some forum - you have to turn logging off on this router, because otherwise it hangs when it runs out of log space. No cycling, no "forward to syslog server but do not store locally", it simply hangs.

So it looks like at an absolute minimum I'm going to need to set up the second-level linksys wrt54g firewall/router, but I guess I'd like your criticism if you have any thoughts on the sensibleness of this idea, and whether it helps to "implement this concept" as you suggested above :)

Thanks so much for the feedback! Tao

Reply to

A NAT is not a firewall at all, it's basic routing - Most non-technical types call NAT Routers firewalls, they are not.

a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited" inbound traffic, that's all.

No, port forwarding is what your problem is - if you forward ports then you expose your computer/network and that's how people reach your computer to do things you don't want.

You should learn to post in one group or to cross post so that your thread is easy to work with for multiple groups that you've done this in.

Reply to

I have also used a badged GlobespanVirata running in NAT with no firewall but with selected port forwarding. (Behind that runs a linux box that does have a firewall, but that's moot just now.)

Based on what you're saying, I'd concur with you.

NAT will inherently block all externally originated inbound traffic with the exception of those ports that you have selected for port forwarding. On that understanding it makes for an adequate external facing firewall. It is not a good substitude for a proper thought-out policy and implementation, though.

Again, based on my experience with the GV chipset and firmware I'd agree with you there, too.

Or through some other port-forwarded service. (Instant messenger flaw, SOCKS, internal web proxy,...)

Your virus/spyware scans obviously didn't pick up that you were running the flawed VNC service (I wouldn't expect them to do so), so they won't pick up any other software you run that has similar security flaws. I'd check them all out if I were you.

I'd also be inclined to boot cold (if you can) and run a virus checker from outside your installed OS. If you're up to it, then either pop your disk drive into a different Windows box and scan from that known safe system, or else get a Linux-based "live CD" distribution and run something like clam AV (with all its updates, please!) against your installed OS. Otherwise there's no guarantee that your AV software hasn't been modified by some virus/trojan you've accidentally installed.

That's correct. Further, the GV chipset that I have - which /may/ or may not be the same as yours - does NAT such that a rule only allows traffic on the 5-tuple (proto, sport, saddr, dport, daddr) to pass. (Some NAT devices are more liberal than that. I say they're broken. STUN users say they're great.)

I thought that Bit Torrent was essentially built around a UDP based protocol. VNC on the other hand is TCP. So, no, I don't see how one could influence the other. Trojans and flawed software not withstanding.

That's typical behaviour, yes.

This should not be possible.

It is possible for a service to bind to a port using INADDR_ANY ("listen for connections to this port on all local interfaces"), and for another process to bind more tightly to that port ("listen for connections to this port from this specific local interface"), but then that second process would receive the connection request rather than the original.

However, also bear in mind that VNC can be used to initiate a server session (i.e. it pushes your screen out to a remote viewing client). Perhaps you - or some trojan - accidentally triggered this?


Reply to
Chris Davies

hmm, subtle dig? :)

right, but would it show up logged with the public IP address in my event log? That's what I'm surprised by - the VNC client / attacker did not look like it was coming from some local address that was being tunneled by some local proxy or malware - it was logged as a public internet address - does that not mean that it had to go through my regular NIC? Or are you saying that the malware would have set up its own routing rules in windows to forward traffic for that specific IP to itself instead of my regular NIC - to do that, would it not need to show up in some device list in windows? Sorry, my lack of knowledge about OS-level networking in windows is clear here.

Yep, still doing. Next check is Apache, it's been a little while since I upgraded.

In another thread that I inelegantly cross-posted, Leythos (other post above) provided lots of helpful advice on better scanning for malware, I'll have a go at that too:

formatting link

Yep, will do, thanks!

Woah, now there's an interesting bit of news! Based on the diagram at this wikipedia article, it looks like the only types of NAT that would fit my assumptions, and consequently be "as safe as I expected", would be a "Symmetric" NAT and a "Restricted Port" NAT?

formatting link
I'll have to get my hands on a STUN client (and access to a server) to see if I can test this out - if I understand correctly anything other than Symmetric and Restricted Port is "Bad", in that it could allow open windows for remote hosts to contact me on ports that I do not want, or for hosts that I have not reached out to to reach out to me - both of these were things I did not think were allowed by a normal NAT, outside of special "Per-Protocol" exceptions like Active FTP.

ok, thank for confirming. I guess I'll wait to see if Sebastian G gets back to me with any refutations of this "NAT-shielding-against-public- access-of-services" theory.

Right, exactly what IIS does. I did not know that this was inherent to the O/S, thanks for confirming.

Hmm, thanks for that, but no - my VNC server event log entries clearly show the connection coming in from outside, without any authentication step between the connection being accepted and my killing the server after they had successfully reached my desktop session (which is the signature of the VNC vulnerability, I checked it and tried it myself before upgrading to the patched/newer VNC version):

Connections: accepted: Connections: closed: (Server shutdown)

Thanks very much for the help! Tao

Reply to

That I understand, but I'm always a little confused about what the difference Exactly is... a firewall is a device that only allows connections that you want to allow - a NAT is a device that allows outgoing connections arbitrarily, but normally (or only sometimes? see the STUN information Chris mentioned) prevents arbitrary incoming connections. Most home routers additionally claim to have a "firewall" function that you can turn on / off (including the WRT54G) - when do you decide what is and what is not a ffirewall? I really would like to know, it's something that's puzled me for years. Some things are clearly not a firewall at all, like a "Full-cone" NAT router. Some things are clearly a firewall first, and anything else after, like one of those Cisco devices. But aren't most home routers somewhere in- between?

not true. the WRT54G can block outgoing connections based on any number of specified parameters, and then it has all those extra fancy features that I don't understand ;)

Firewall Protection: Enable Disable Additional Filters Filter Proxy Filter Cookies Filter Java Applets Filter ActiveX Block Portscans Filter P2P Applications Block WAN Requests Block Anonymous Internet Requests Filter Multicast Filter Internet NAT Redirection Filter IDENT(Port 113)

Only if they get past the intended security of the service in question, right?

Yep, thanks.


Reply to

it's a NAT device that can block outbound ports - it has no clue what those ports are and doesn't know the difference between HTTP and SMTP except that they use different ports.

Reply to

Really quick update - Michael Ziegler helped me find the issue on a thread I badly cross-posted on alt.comp.networking.connectivity:

formatting link
My router (Xavi 7768r with GlobespanVirata chipset, I think I had it wrong above) has an Active FTP "NAT Helper" which allows any program with TCP-connection-creation priviledges on any of my computers to open an incoming port to this machine from a target site on the internet. Java Applets, by default, have this functionality enabled. You can test for this "feature" or "flaw" at the following site:
formatting link
On the day this happened, I was browsing on at least a couple of sites that could well have had "harmful content", probably including a java applet that opened up my port to the attacking site by using the FTP NAT helper trick. My VNC server was a flawed version which (I tested that) allowed certain well-crafted incoming connections to bypass authentication.

Now - at this point I have no proof that that was the course of events, but "Occam's razor" and all that, it is definitely the simplest explanation that fits all the facts. I will definitely do a more thorough malware check on my machine and I will implement a solution that allows be to forward the ports I want without the NAT Helper flaw, but in the meantime I will sleep much better knowing that chances are 95% that I at least know exactly what the problem was.

Thanks for all your help! Tao

Reply to

Another reason to never trust the ISP/Vendor supplied hardware.

Always get your own NAT/Firewall appliance and then you control everything and manage it.

Reply to

huh ? what doe you mean keep sending SYN packets to a certain port and wait untill the connection is established ?

are you talking about uPNP ?

Reply to

Exactly. Of course, the cause of such a forwarding rule appearing in the NAT state table might be highly unrelated.

No, this would be rather straight-forward. I'm talking about application layer protocol engines that inspect the traffic and setup proper rules. For example, if the implementation sees traffic like "PORT 192,168,0,1,47,11", it might believe that it's part of an Active FTP session setup and might add an appropriate rule for the reply. Or if it sees an TCP connection to some server on port 4661 (eDonkey P2P protocol), it might decide to permanently forward 4662/TCP and 4665/UDP to that client, without even checking for the actual protocol. Even worse, what about connections to 1119/TCP? Very likely that it's a computer game using Online service, so better forward

5000-10000/TCP to that client... oh, and there the VNC server goes.
Reply to
Sebastian G.

NAT/NAPT is a mechanism to provide connectivity. Preventing incoming connections might be a particularly useless side effect, depending on the implementation. It has nothing to do with security.

Yes, but this is not related to NAT.

Reply to
Sebastian G.

just some questions with as goal to learn more

so you call a firewall something with complex heuristics ? really does iptables provide more than filtering between protocol, port and state information, and do people actually use it. Because in essence iirc a nat router does the same it opens up a connection if somebody on the inside requests it and after that allows the connection untill it's broken down (FIN or RST) do i have a point here or not ?

Reply to

i wholeheartly agree with you on this one

the problem is ... some ISP's filter on specific device (MAC), some ISP's lent you the router for personal usage and some ISP's dissallow other so called 'not supported' router and put a clause in little lettres on your contract.

here in belgium it's actually pretty worse in this field. even worse the biggest ISP here belgacom disallows secured pop (ssl/tls) or imap to non business users, which still costs +40 EURO/month.

Reply to

there is your problem you haven't upgraded in a while and you let people into your website ? (port 80 is forwarded at your NAT to your WAMP box )

do you mean i haven't upgraded windows in a while or apache or both ?

formatting link

Reply to

Does the device, in the standard/default mode, block traffic in both directions?

Does the device know the difference between HTTP and SMTP or only TCP 80 and TCP 25?

Does the device understand being attacked and auto-block sources of attacks or unauthorized traffic?

Does the device use NAT or can it be setup with rules without using NAT? If it forces NAT then I don't consider it a firewall unless it can do all the others - since MOST of the devices that force NAT are residential device (yea, not all inclusive, but you should get the idea without us going off the deep end).

Reply to

no ok you got me here, it only does this for INBOUND traffic but i myself don't block outbound traffic on my box (slackware) as well because i consider myself knowledgeable enough to be trusted :D

do you consider netfilter to be a firewall (well in essence it's a statefull packet filter) because iirc there is no smtp or http netfilter module and it does its filtering mostly on the data link and transport protocol's headers like most firewalls do. it would be very costly performance wise to implement application protocol filters into firewalls and i've yet to see one that does also implementing complex heuristics because let's face it the higher you go up in the tcp/ip stack the more complex the headers and payload become, the more bugs you'll get in the code that does the heuristics --> the more flaws there are to be exploited!

Reply to

that would be a shitty NAT router/gateway !

Reply to

On Oct 11, 5:02 pm, "Sebastian G." wrote:

OK, so I guess my source of confusion is with regards to "Intended Purpose" vs "Effect". A completely basic Symmetrical NAT effectively does the same basic thing a basic firewall will often be used to do - prevent unintended inbound traffic, allow outbound traffic, optionally allow inbound traffic on specified ports to a specified server. However, the "Intended Purpose" of a NAT is actually to allow multiple machines behind a network to coexist using one public IP address, besides the most basic symmetric NAT features, any additional features (heuristic detection of traffic intention, protocol helpers, "full- cone" or "restricted cone" functionality, etc) will take you further and further from the "safety" I assumed. By contrast, while the most basic firewall in the most common configuration may basically be doing the same thing as the most basic NAT I described, the more sophisticated the firewall gets, the better it gets at enhancing said "safety", eg allowing the Active FTP Data connection only on the condition that the traffic from the remote server is made up of valid FTP data... does this sound like a reasonable summary of the distinction? This basically means that ANY home router that implements anything other than the most basic symmetric NAT with no extra features, should also contain a firewall, turned on by default, to limit the exposure to the internet, because every additional "helper" feature in the NAT makes the network behind it a little more public / exposed.

Thanks for the clarification - I'm still ridiculously happy to have found the actual (or significantly most likely) cause of the other day's debacle and be able to address it easily :)

Thanks, Tao

Reply to
Maniaque Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.