X3000: Strange Nginx listening port 2000 on latest firmware

I have been playing with all firmware versions since I got this modem. Recently, with the latest firmware, I’ve noticed something weird! Port 2000 is being listened on by the Nginx web server on 0.0.0.0!

root@GL-X3000:~# netstat  -tuplna | grep nginx
tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN      5745/nginx.conf -g 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5745/nginx.conf -g 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5745/nginx.conf -g 
tcp        0      0 :::2000                 :::*                    LISTEN      5745/nginx.conf -g 
tcp        0      0 :::80                   :::*                    LISTEN      5745/nginx.conf -g 
tcp        0      0 :::443                  :::*                    LISTEN      5745/nginx.conf -g 
udp        0      0 127.0.0.1:50735         127.0.0.1:53            ESTABLISHED 5852/nginx: worker 
udp        0      0 127.0.0.1:41302         127.0.0.1:53            ESTABLISHED 5853/nginx: worker

And when I grep for this port number (2000) in the Nginx config file, there is nothing in there!

root@GL-X3000:~# grep -rn '2000\|443\|80' /etc/nginx/
/etc/nginx/conf.d/gl.conf:11:    listen 80;
/etc/nginx/conf.d/gl.conf:12:    listen [::]:80;
/etc/nginx/conf.d/gl.conf:14:    listen 443 ssl;
/etc/nginx/conf.d/gl.conf:15:    listen [::]:443 ssl;
/etc/nginx/nginx.conf_old:36:        listen       80;
/etc/nginx/nginx.conf_old:57:        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
/etc/nginx/nginx.conf_old:85:    #    listen       8000;
/etc/nginx/nginx.conf_old:86:    #    listen       somename:8080;
/etc/nginx/nginx.conf_old:99:    #    listen       443 ssl;

Investigating further, let’s first check the normal Nginx ports:

root@GL-X3000:~# curl -k https://127.0.0.1:443
<!DOCTYPE html><html lang=""><head><meta charset="utf-8"><meta http-equiv="Cache-Control" content="no-cache,no-store,must-revalidate" ?>............ truncated

root@GL-X3000:~# curl http://127.0.0.1:80
<!DOCTYPE html><html lang=""><head><meta charset="utf-8"><meta http-equiv="Cache-Control" content="no-cache,no-store,must-revalidate" ?>............ truncated

Now, checking Nginx port 2000:

root@GL-X3000:~# curl http://127.0.0.1:2000
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.17.7</center>
</body>
</html>

root@GL-X3000:~# curl -k https://127.0.0.1:2000
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.17.7</center>
</body>
</html>

Can GL engineers comment on this behavior? Hopefully not a backdoor hahah

On what router model?

Look at the commands, can you spot the model :wink:

Hi, this is indeed an issue. Port 2000 is redirecting certain website inputs to 192.168.8.1 (router’s web interface) before you set a login password. After setting a login password, port 2000 should disappear, but it doesn’t. However, if you restart nginx (/etc/init.d/nginx restart), you will find that it disappears. We are currently working to resolve this problem. Additionally, please note that it should not affect your usage. Thank you for your discovery.

Thanks for the reply.

My question is: where is this port configured? It does not have any traces in the Nginx config files! It looks like a backdoor because it is started by the Nginx binary regardless of its configuration! In other words, it is embedded in the Nginx source code.

Can you please explain what you mean by certain?

Are you sure? Did you check all the conf files and even the default config one?

I don’t think that it’s included within the binary.

Did you see my output for the above command?

Hi, before you set a login password, you can directly use SSH to log in to the router and you will be able to see the port configuration file: etc/nginx/conf.d/portal.conf. After you set a login password, this file will be deleted. Additionally, I apologize for any confusion in my previous statement. Before setting a login password, all URLs will be redirected to the router’s welcome page.

Thanks for the clarification! So it is not certain, but all web traffic prior to setting a password will be redirected to the welcome page.

What remains unclear: why am I still seeing port 2000 although I set the password and portal.conf got deleted?!

Sometimes when I reboot Nginx it does disappear. But when I restart the modem, the port is listening again?

Hi,

  1. After deleting an nginx server configuration file, the listening port defined in the configuration file still exists, because the nginx process is still running and still using the previously loaded configuration. At this point, nginx will continue to listen on the port until the nginx service is restarted.
    When you restart the nginx service, the entire nginx process is terminated and then restarted. During the restart, nginx reloads the main configuration file and all server configuration files. As a result, the port number defined in the deleted server configuration file is also removed from memory and is no longer used by the nginx process. This is because restarting the nginx service is equivalent to starting the entire process again, and all previously loaded configurations are re-read and applied. Therefore, after restarting the nginx service, the port number defined in the deleted configuration file will disappear.
  2. When I restarted nginx on my end, port 2000 disappeared and did not listen again after restarting. What specific actions did you perform?
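
The behaviour described in the reply above (a listener outliving its deleted conf file until nginx is restarted) can be detected by comparing nginx's live sockets against the `listen` directives still on disk. This is an added example, not part of the original thread or of GL.iNet's firmware; the function names are hypothetical and the sample input is constructed from the output quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: list TCP ports nginx holds open that no on-disk `listen`
# directive accounts for, e.g. a listener left over from a deleted conf file.
# Assumes one directive per line in the config text.

# stdin: `netstat -tlnp` style output; stdout: ports nginx is LISTENing on.
nginx_listen_ports() {
    awk '$6 == "LISTEN" && $7 ~ /nginx/ { n = split($4, a, ":"); print a[n] }' |
        sort -un
}

# stdin: concatenated nginx config text; stdout: ports named by `listen`.
configured_ports() {
    sed 's/#.*//' | awk '$1 == "listen" {
        v = $2; sub(/;$/, "", v)          # "80;" -> "80"
        n = split(v, a, ":")              # "[::]:443" -> last field "443"
        if (a[n] ~ /^[0-9]+$/) print a[n] # skip unix: sockets, bare addresses
    }' | sort -un
}

# $1 = netstat output, $2 = config text; prints listening-but-unconfigured ports.
stale_ports() {
    listening=$(printf '%s\n' "$1" | nginx_listen_ports)
    configured=$(printf '%s\n' "$2" | configured_ports)
    for p in $listening; do
        printf '%s\n' "$configured" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample input, modelled on the output quoted in the thread.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN      5745/nginx.conf -g
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5745/nginx.conf -g
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5745/nginx.conf -g
tcp        0      0 :::2000                 :::*                    LISTEN      5745/nginx.conf -g
udp        0      0 127.0.0.1:50735         127.0.0.1:53            ESTABLISHED 5852/nginx: worker'
SAMPLE_CONF='server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    #    listen       8000;
}'

stale_ports "$SAMPLE_NETSTAT" "$SAMPLE_CONF"
```

On the router, the same check would be `stale_ports "$(netstat -tlnp)" "$(cat /etc/nginx/conf.d/*.conf)"`, extended with whatever other files the main config includes; a non-empty result means nginx is still running an older configuration than the one on disk.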

When I restart it using the service command it does disappear. But when I reboot the modem I find the same port is listening again.

Do you perform a hard reboot by cutting off power, or do you restart directly from the web interface?

From the interface. I will try a hard reboot and report back.