    AT&T U-Verse Open Port 3479

    23 Feb 2011 / in Security / by Jorge Orchilles

    Most AT&T U-Verse subscribers receive a 2wire residential gateway for their subscription to Internet, TV, and VoIP phone service. I believe most subscribers get a 3800HGV-B. The user guide for that model does not mention anything about a TCP Port 3479 being opened or used by default. So I found it strange to see TCP port 3479 open when I performed a full TCP port scan from the Internet to my external U-Verse IP:

    nmap -sSV -n -P0 -p- "ip"

    The results look like this if no other TCP ports are open in the firewall:

    135/tcp   filtered msrpc
    136/tcp   filtered profile
    137/tcp   filtered netbios-ns
    138/tcp   filtered netbios-dgm
    139/tcp   filtered netbios-ssn
    445/tcp   filtered microsoft-ds
    3479/tcp  open     unknown
    6881/tcp  filtered bittorrent-tracker

    An nmap UDP scan also returned two open ports:

    nmap -sUV -n -P0 -p- "ip"

    50817/udp open  unknown
    60062/udp open  ntp     NTP v4

    The filtered ports make sense by default, as they are used for SMB/CIFS (135-139 & 445). Port 6881 is interesting to see, as it is the default port for BitTorrent. You can forward any other port to host your torrents; just make sure it matches the client.
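
    As an added example (not code from the original post): a short Python script that parses nmap port rows like the ones above and lists every reachable port that is not on an allowlist of services you meant to expose. `EXPECTED_OPEN`, the function names and the embedded sample are assumptions made for the illustration.

```python
import re

# Constructed sample: the TCP and UDP result lines quoted in the post above.
SCAN_OUTPUT = """\
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
3479/tcp  open     unknown
6881/tcp  filtered bittorrent-tracker
50817/udp open  unknown
60062/udp open  ntp     NTP v4
"""

# Assumption: (port, proto) pairs the owner exposes on purpose, e.g. port
# forwards. Empty here because the post's scan was run with none configured.
EXPECTED_OPEN = set()

# One nmap result row: PORT/PROTO STATE SERVICE [VERSION]
ROW = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")


def parse_ports(text):
    """Parse nmap port rows, skipping banners and any other non-row line."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version or ""})
    return rows


def unexpected_open(rows, expected=EXPECTED_OPEN):
    """Return reachable ports missing from the allowlist.

    'open|filtered' counts as reachable: for UDP, nmap often cannot tell
    the two apart, so it deserves a look rather than a pass.
    """
    return [(r["port"], r["proto"], r["service"]) for r in rows
            if r["state"].startswith("open")
            and (r["port"], r["proto"]) not in expected]


if __name__ == "__main__":
    for port, proto, service in unexpected_open(parse_ports(SCAN_OUTPUT)):
        print(f"unexpected open port: {port}/{proto} ({service})")
```
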

    What was most interesting in these results is the open TCP port 3479. After a little Google hacking, I found that the port is labeled as 2wire RPC and is registered:

    Port 3479 details:

    Protocol: TCP & UDP
    IANA status: Official
    Range: Registered
    Traffic: inbound, outbound, both
    Notification: True
    Related Ports: 3478, 5060, 5062

    Technical description for port 3479:

    The 2Wire RPC protocol officially registered to use the communication port 3749 is associated with the Remote Procedure Call (RPC) technology developed by Microsoft. This process allows for the implementation of a communication technique for the efficient exchange of data between a server and client machine. 2Wire is a popular manufacturer of DSL systems and residential gateway provider.
    The 2Wire protocol associated with the system port 3749 is described as a modified XML based RPC which allows HomePortal devices to create a communication link with the datacenter. This communication foundation is used for receiving of contents, updates and programming of related devices. This protocol intends to mitigate communication issues that may hamper effective transmission interface.
    The products of 2Wire benefiting from this protocol are considered as the first really intelligent, multi-service and customer installable devices of the industry.
    The implementation of the protocol related to the port 3749 is widely supported by newer Operating System platforms including communication applications.

    Interesting information here. I did a quick scan of other AT&T IPs in the same network and all of them had TCP port 3479 open as well. There is very little information online about this. However, I did find someone reporting the following errors on the gateway:

    ERR 2004/03/30 07:24:21 CST xmlrpc: error creating connection to 'rpc.cms.2wire.com:3479' (216.52.29.106): Connection refused

    Although the post is from 2004, I took a look and that IP belongs to 2wire in San Jose.

    My next steps will be to attempt to sniff what is coming in to this port. I have a feeling it will be clear text and not use authentication. More to come…

    Till next time,

    Jorge Orchilles

    Tags: 3479, AT&T, nmap, Security, U-Verse
