Mysterious 564/tcp open port 7.0beta5

Hi

I’ve been using an RB4011iGS+ with ROS v7.0beta5.
After a reset and adding a single IP address, the system responds to telnet at 564/tcp.
What does it mean?

It is present on every v7 beta firmware (tested on beta3, beta4, beta5)
but does not exist in v6.

During the session, it is not shown in IP/Firewall/Connection tracking.

Did you establish a telnet session using TCP 564 ?
Under IP services, what port does it say near the telnet service ?

Did you establish a telnet session using TCP 564 ?
Yes
And a black screen with the symbols I enter on the keyboard
sometimes the connection is lost after a few symbols
sometimes not

ip - services - all as default

  #  NAME     PORT  CERT
  0  telnet     23
  1  ftp        21
  2  www        80
  3  ssh        22
  4  www-ssl   443  none
  5  api      8728
  6  winbox   8291
  7  api-ssl  8729  none

Whole configuration
[admin@MikroTik] > export

# jan/01/2002 05:07:05 by RouterOS 7.0beta5
# software id = QTQU-UNUY
#
# model = RB4011iGS+
# serial number = serial

/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
/interface vlan
add interface=ether1_WAN name="44 WAN" vlan-id=44
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ipv6 settings
set disable-ipv6=yes
/ip address
add address=realip/27 comment=BeeLine interface="44 WAN" network=realip
/ip firewall filter
add action=accept chain=input dst-port=564 log=yes log-prefix=564_ protocol=tcp
/ip service
set www-ssl disabled=no
#error exporting /ipv6/route/rule
#error exporting /routing/policy/selection

I can provide you full access
Better to see something once, than to hear about it a thousand times

Nothing in your config suggests that a telnet session through TCP 564 is possible…

that's why the topic starts with “Mysterious”

now I think maybe my ISP messes with it somehow
need a few minutes to check that idea

___add later
but no…
system reset-configuration no-defaults=yes
ip address add
and 564/tcp is present and responds

more curious, there is no information in ip firewall connection during the telnet session
but I have seen it in torch on the eth interface

If you execute a packet capture for 564/tcp on either the router, the client or a middle device in the path, do the contents of the packets reveal anything?

Also it doesn't make sense that you tried to establish a telnet session at port 564 in the first place… where did you see that port in your system?

Wow, suddenly I found an Attachments button on forum
so, my trouble is in the attachments

netravnen
If you execute a packet capture for 564/tcp on either the router, client or middle device in the path. Does the contents for the packets reveal anything?
no, or I can’t interpret it

Zacharias
Also it doesnt make sense that you tried to establish a telnet session at port 564 at the first place… where did you see that port in your system ?
I bought fancy new powerful Mikrotik
Installed latest new RouterOS with no default config
added an IP and prepared for work
Thereafter scanned the WAN address with Nmap (all tcp + all udp)
with result
Nmap scan report for X.X.X.X
Host is up (0.00079s latency).
Not shown: 131063 closed ports
PORT STATE SERVICE
564/tcp open 9pfs
2000/tcp open cisco-sccp
3544/tcp filtered unknown
61917/tcp open unknown
68/udp open|filtered dhcpc
123/udp open|filtered ntp
3544/udp open|filtered teredo
Wireshark_01.png
Wireshark_02.png
Winbox.png

Nothing Mysterious after all…
This indicates an attempt to use the 9PFS protocol.
Plan 9 Filesystem Protocol (9PFS) is a protocol developed for Plan 9 from Bell Labs distributed OS to connect to components of a Plan 9 system.

Source: https://fortiguard.com/appcontrol/17045
https://en.wikipedia.org/wiki/9P_(protocol)

And its default port is TCP 564

Yes you can find that in less than two seconds on the internet.

What is it doing in the next RouterOS? Or is it something else?

Yes, how does RouterOS relate to what is apparently “P9FS”?
Because there is no information about it (I’ve done a lot of homework googling before posting it here),
and even… I’m not sure it is 9PFS; “List of TCP and UDP port numbers” is a very weak argument

Send an email to the MikroTik support team…

On my test device with ROS7.0beta5 these ports are open:

PORT     STATE SERVICE        VERSION
21/tcp   open  ftp            MikroTik router ftpd 7.0beta5
22/tcp   open  ssh            MikroTik RouterOS sshd (protocol 2.0)
23/tcp   open  telnet?
80/tcp   open  http           MikroTik router config httpd
2000/tcp open  bandwidth-test MikroTik bandwidth-test server
8291/tcp open  unknown
2 services unrecognized despite returning data. ...

Port 2000 is a test port that can be disabled in WebFig I think.
But what is port 8291 ?

Update: ah, ok, found it:

[admin2@MikroTik] > /ip/service/print 
Flags: X - DISABLED, I - INVALID
Columns: NAME, PORT, CERTIFICATE
  #     NAME     PORT  CERT
  0     telnet     23      
  1     ftp        21      
  2     www        80      
  3     ssh        22      
  4  X  www-ssl   443  none
  5     api      8728      
  6     winbox   8291      
  7     api-ssl  8729  none

That is what you are told and as all things in life that does not have to reflect reality.

What do you mean? Are there bugs in these things?

I haven’t checked the UDP ports yet, but the TCP ports seem to be ok.
In the meantime I’ve closed/disabled/shutdown all unneeded services/ports and restricted access from local subnet only:

[admin2@MikroTik] > ip service print 
Flags: X - DISABLED, I - INVALID
Columns: NAME, PORT, ADDRESS, CERTIFICATE
  #     NAME     PORT  ADDRESS         CERT
  0  X  telnet     23  192.168.0.0/17      
  1  X  ftp        21  192.168.0.0/17      
  2     www        80  192.168.0.0/17      
  3     ssh        22  192.168.0.0/17      
  4  X  www-ssl   443  192.168.0.0/17  none
  5  X  api      8728  192.168.0.0/17      
  6  X  winbox   8291  192.168.0.0/17      
  7  X  api-ssl  8729  192.168.0.0/17  none

ssl certs I’ll do soon and then switch to ssl only…

What do you think?

Hint: we’re talking about beta release in development branch, not about some LTS ultra-stable version.

I’m not saying you shouldn’t mention weird things, that’s what beta releases are for. But don’t get too surprised if you find some bug …

Ah, of course yes, sure I’m aware of the fact that it’s beta software… :slight_smile: Thx for reminding me about the possible dangers.

Can confirm that my V7b5 on VMware does open a session when I try:

telnet 192.168.88.1 564

from my PC

So there is something on RouterOS listening on port 564.

Testing other random ports, I get a message that the session could not be opened.
v6.x does not open a session.

Yes, same here. The port scanner nmap does not find that port as open; very mysterious…

nmap finds it only if one explicitly gives the port in the program params:

$ nmap 192.168.88.1 -p 564

Starting Nmap 6.47 ( http://nmap.org ) at 2020-04-20 17:00 CEST
Nmap scan report for 192.168.88.1
Host is up (0.00043s latency).
PORT    STATE SERVICE
564/tcp open  9pfs

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

By default, Nmap scans the most common 1,000 ports for each protocol. I bet 564 is not so common.
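
Nmap's `9pfs` label in the scans above comes from its port-name table, not from talking to the service, so it does not settle the question raised earlier of whether the listener really speaks 9P. As an added example (not part of the thread), this sketch builds a 9P2000 `Tversion` request and parses the `Rversion` reply; `probe_9p` and the sample byte strings are constructed for illustration, and the probe is meant for a router you administer.

```python
import socket
import struct

TVERSION, RVERSION = 100, 101  # 9P2000 message type codes
NOTAG = 0xFFFF                 # tag value required on version messages

def build_tversion(msize=8192, version=b"9P2000"):
    """Encode size[4] type[1] tag[2] msize[4] version[s], little-endian."""
    body = struct.pack("<BHIH", TVERSION, NOTAG, msize, len(version)) + version
    return struct.pack("<I", len(body) + 4) + body

def parse_rversion(data):
    """Return (msize, version) for a well-formed Rversion, else None."""
    if len(data) < 13:
        return None
    size, mtype, tag, msize, slen = struct.unpack_from("<IBHIH", data)
    if mtype != RVERSION or tag != NOTAG or size != 13 + slen or len(data) < size:
        return None
    return msize, data[13:size].decode("ascii", "replace")

def probe_9p(host, port=564, timeout=3.0):
    """Send one Tversion to a router you administer; None means no 9P reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_tversion())
        try:
            # The reply is a few dozen bytes, so one recv normally holds it.
            return parse_rversion(s.recv(4096))
        except socket.timeout:
            return None

# Constructed sample replies (not captured from a real device):
SAMPLE_RVERSION = struct.pack("<IBHIH", 19, RVERSION, NOTAG, 8192, 6) + b"9P2000"
# Telnet option negotiation bytes, as a non-9P service might send:
SAMPLE_TELNET = bytes.fromhex("fffd18fffd20fffd23fffd27fffd24")

if __name__ == "__main__":
    print(build_tversion().hex())
    print(parse_rversion(SAMPLE_RVERSION))
    print(parse_rversion(SAMPLE_TELNET))
```

A 9P server answers `Tversion` with `Rversion` even when it rejects the proposed version (the version string is then `unknown`), so any parsed reply identifies the protocol, while `None` means the listener is something else.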