Home
 » ISP News » 
Sponsored

ISP Virgin Media UK Restricting Port 7547 After Leaving it Open

Sunday, November 1st, 2020 (12:01 am) - Score 57,696
virgin media superhub 3 router

Nothing to worry about, move along please. Cable broadband ISP Virgin Media has “taken steps to ensure [port 7547] is no longer discoverable” online after they left it open on some routers. The good news is that this “posed no security risk” to customers, but it remains unclear why it occurred.

For the uninitiated, port 7547 is commonly used by the TR-069 remote management service, which is what enables ISPs to access, manage and update your broadband router (e.g. this is necessary for use as part of customer support tasks). Most ISPs with their own bundled router will make some use of this and a few still leave the port open to the internet (this is rarely a concern as only your ISP will be able to use the service).

However, in the past there have been cases where leaving port 7547 open has caused problems. For example, back in 2016 a number of ISPs and router brands, including those used by TalkTalk, KCOM and the Post Office, were hit by malware that exploited weaknesses in TR-069 (here). Since then ISPs often prefer to err on the side of caution by restricting access to port 7547 (e.g. limiting access to only a specific range of IP addresses).

The impact of the aforementioned restriction is that for normal internet users the port will appear as closed when scanned, unless you happen to be using the specific IP range. We had assumed that Virgin Media were doing this too, although recently a number of Virgin Media’s routers (e.g. HUB 3.0) have started showing up on Shodan (a search engine for all internet connected devices) as having TCP port 7547 open.

For example, on the 21st October 2020 the total results that Shodan tracked were around 235,000 Virgin Media IPs with port 7547 open, which then increased to 412,000 on 22nd and 787,000 on 24th. By Friday 30th October this had jumped to 1.7 million. We must stress that there is currently no known security exploit that could abuse VM’s routers through this, but it was a little odd and so we raised it with the ISP.

A Spokesperson for Virgin Media said:

“We opened port 7547 for remote management using TR-069 and this was discoverable to internet users searching for it. This posed no security risk to our customers.

We have taken steps to ensure the port is no longer discoverable to provide an additional layer of security over and above the measures we already have in place.”

Credits to Virgin Media for acting on that so quickly, even if there wasn’t a known risk at the time – good network security often benefits from being a little bit paranoid. But at the last check on Friday the port was still discoverable via Shodan and the open IPs count continues to increase (some changes may not show up instantly).

Leave a Comment
34 Responses
  1. Paul M says:

    You should basically assume that any open port on a network device will become exploitable at some point due either to a bug in the firmware, a misconfiguration, or a leaked or back door password.

  2. Paul Grice says:

    I am with virgin and I was scammed on Thursday with some Asian caller saying they were from virgin and that I had a problem with my router. Basically they took over control of my laptop was this enabled because of this port.
    I don’t know I am not that PC literate but it was very concerning at the time.
    I don’t think they got what they were after as everything seems ok and I informed virgin and my bank over my stupidity falling into their trap.

    1. James White says:

      There’s been a recent increase in this classic scam in recent months, work home home will have some bearing on this. I had about 5 calls in one day all pretending to be Virgin Media, but in reality they are just scammers and will pretend to be any ISP or company to try and hook you. Usually they claim, there are “errors” coming from your router or something, to then connect via remote desktop and try create some fake scenario or show you something not working, when in fact it’s either Windows error log, Command Prompt or similar.

      Whenever you get these calls hang up, if you aren’t sure, always make them tell you something only a company that has your personal data could, nothing available via public sources either. If there’s any doubt, hang up and call the company through the number or channels you know are legit.

    2. Billy Nomates says:

      I don’t think that has anything to do with that port having been open on your vm router.
      You can’t take control of someone’s computer just because a router port is open. Sorry you got scammed, but this doesn’t sound like a VM problem to me.

    3. Mark Jackson says:

      As Billy says, that’s nothing to do with this port. I’m guessing the scammer tricked you into downloading something or clicking a malware link, thus giving them access.

    4. Mike says:

      Might want to run some anti virus scans and uninstall whatever they put on there.

    5. ParanoidAndroid says:

      Or better still a complete clean down and rebuild of the computer.

    6. Arron says:

      There are many programmes that allow you to take control of other ppls computers and android devices. It not always to do with the ports. Google it you’ll find many ways and also many apps for it aswell. But you did right informing the bank and your service provider. Thanks.

    7. Leex says:

      I had one customer who had this, typing norton enroll website in the search bar resulted in him been taken to a fake Norton my account website witch asks for your number and they call you then

      What I don’t understand is why would someone pay £700 to fix a pc (and why the scammers would expect the bank not to flag it witch luckily the bank was blocking it as his bank was blocking the payment processor)

      once they moved over to PayPal he got suspicious after about an hour and decided to just hang up the call and switch off the power to the computer so the wasn’t able to lock the computer down, as their was only about 30 seconds between him saying it so they didn’t have chance to lock down the pc (as they tend to get destructive once they workout they are not going to get any money but they have remote access still)

      talktalk about 6-12 months ago they turned on remote access server block for everyone and websites that are setup for remote access scams, so this stops all most 99% of remote access software even if they have a website to install the remote access software as it won’t be able to contact the server to get an ID

      it throw me for a loop The first time it happened as team viewer couldn’t connect to Team Viewer server and forced me to do a call out (I thought it was just a host file block)

      It be nice if talktalk was redirecting to a the website like

      “” you just went to can be used to scam your computer or steal money, if you’re currently talking to somebody on the phone who’s trying to do stuff on your computer please hang up the phone and and disconnect your computer from The Internet
      TalkTalk/ISP, Microsoft, antivirus company’s will never contact you when you have problems with your pc

  3. Steve says:

    Err on the side of caution

    1. Bob Jack says:

      Glad you gave air to that, :-).
      It annoyed me also.

    2. pgn says:

      To err is human, to air, well, for laundry I guess

    3. Mark Jackson says:

      I have corrected that most grave of err..ors :).

  4. James White says:

    From Shodan, some of the indexed 7547 results from Virgin Media IPs now seem to be returning 401 Unauthorized on probes according to Shodan data now, before an HTTP get request was returning a 404 Not Found response on the port, maybe this the change Virgin Media are referring to?

    The port is still open for any IP though, it seems however and the number of indexed results is still going up in Shodan, but it does seems to have slowed down now.

    Why they don’t just restrict it to the their management servers is beyond me. I really doubt they need TR-069 open to any IP in the world, given it’s connecting to specific ACS or management systems.

  5. M says:

    You do not air on the side of caution.
    You err on the side of caution

  6. Paul Watson says:

    I wouldn’t bother ringing them. When it comes to anything technical you get more help less attitude & rudeness from a loaf of bread!

  7. Dr S Kicker says:

    Go to Windows Systems, Control panel, System and Security, System. Then click Remote Settings. From the System Properties window, go to Remote and click on (Don’t allow remote connections to this computer) Problem solved.

    1. Dr S Kicker says:

      Also uncheck to disable (Allow Remote Assistance connections to this computer)

    2. James White says:

      TR-069 != Windows Remote Desktop.

      I think you’ve misunderstood what TR-069 is, it’s not remote access to a desktop PC, it’s remote access to CPEs to push firmware and configuration updates.

  8. Kitti Mackie says:

    Ive been having problems since lockdown where i get banned on cloudshare websites. I cant access playstation or usps because my ip gets flagged for malicious behaviour. Ive been flagging it since march and its pissing me off. I get about a week of use when it refreshes before its down again.

    Could this be whats causing it?

    1. Spurple says:

      Unlikely. The source could well be malware within your home network. Hard to say with limited info. Talk to your ISP support.

  9. Christopher says:

    “For the uninitiated…..” Some of us don’t know the in’s and out’s of routers. We don’t need to. I wouldn’t go round insulting people’s intelligence, especially as you are a professional writer.

    1. Mike says:

      How do you know you don’t need to?

    2. Gary333 says:

      How is the word uninitiated in any way an insult? God, the Internet really does bring out all the loonies. Read the meaning within a book called a dictionary.

    3. Qex says:

      uninitiated
      /ʌnɪˈnɪʃɪeɪtɪd/
      Learn to pronounce
      adjective
      without special knowledge or experience.
      How is he insulting? I, myself, don’t know anything about fixing cars & as such in uninitiated. It’s just another word for uneducated, which you are if you don’t know something, you’re uninitiated in the subject of that port being used.
      Grow up, quit finding things to complain about because ISP newsman used big word :((((((((((

    4. Mark Jackson says:

      Well I wasn’t ever expecting the word “uninitiated” to be considered an insult by somebody 🙂 , but we certainly live in strange times.

  10. Uligàn says:

    This is why we can’t have nice things.

    Thanks God I’ve isolated that piece of useless plastic into its own subnet filled with darkness and despair

  11. AK says:

    Hi all,
    My VM phone is connected to the router and at the exactly same time I lost International incoming calls.
    Could that be a result of that fault?

    1. Qwe says:

      no, most likely not been provisioned properly or it was removed from the package. Call up & check

  12. Buggerlugz says:

    Mark, was you’re “Nothing to worry about, move along please.” opening line, sarcasm?

  13. Peter H says:

    Why would anyone trust their water company to supply all the taps in the house?

    ..

    Exactly. They wouldn’t.

    Own router. Tr-069 (et al) disabled.

    Time to take responsibility people.

  14. Mr blank says:

    I had exactly the same scam done on me a few months ago they kept ringing and told me that my broadband had been running slow and that they asked a few things about my router and numbers etc. On my ports and I don’t know anything about computers or numbers but he seemed to know exactly what was happening on my phone and he was even installing a program onto my phone and then he was in control of all my passwords and so on then he said there was going to be an engineer out in the morning and asked me what was the best time for me and then this is where I was stupid he said that they owed money to me for paying for the fastest speeds and getting basically the cheapest package speed so that was when he asked me for a way to put the money into my account and he suggested that the quickest way would be if I had internet banking and I said yes like a doughnut and luckily it was my account with know money in because he tried 3 times to take funds out of my account and not give me any refunds and I found all of this out later when I was put through to the fraud office at my bank and virgin told me that they hadn’t been in contact with me and there was know engineer booked to come out and at the end of it all I had to change all my bank accounts and cards but it sounds exactly like what has happened to the other man at the top of this chat room?I was so naive when I look back I can’t believe it but obviously it is the same people doing that same scam you think that virgin would have caught up with the bas****s by now

  15. Buggerlugz says:

    Its a huge business in India, running scamming call centres. Check out the you-tube videos of “Ethical hacker” types who go after them. One guy even got into their security camera system and could see the guys in the call centre talking to him. A lot of the time they get hold of “customer data” and inform those scammed themselves. A few get shut down, but overall the Indian authorities are easily swayed into looking the other way. That’s why its such a big business over there.

  16. Andrew Clayton says:

    > I am with virgin and I was scammed on Thursday with some Asian caller
    > saying they were from virgin and that I had a problem with my router.

    Heh, was I the only one that immediately thought of Jim Browning?!
    https://www.youtube.com/channel/UCBNG0osIBAprVcZZ3ic84vw

Comments are closed.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Superfast ISPs
  • Hyperoptic £15.00 (*25.00)
    Speed 50Mbps, Unlimited
    Gift: None
  • Vodafone £19.50 (*22.50)
    Speed 35Mbps, Unlimited
    Gift: None
  • NOW £20.00 (*32.00)
    Speed 36Mbps, Unlimited
    Gift: None
  • Shell Energy £21.99 (*30.99)
    Speed 35Mbps, Unlimited
    Gift: None
  • Plusnet £22.99 (*38.20)
    Speed 36Mbps, Unlimited
    Gift: £65 Reward Card
Large Availability | View All
Cheapest Ultrafast ISPs
  • Hyperoptic £20.00 (*35.00)
    Speed: 150Mbps, Unlimited
    Gift: None
  • Vodafone £24.00 (*27.00)
    Speed: 100Mbps, Unlimited
    Gift: None
  • Community Fibre £25.00 (*29.50)
    Speed: 300Mbps, Unlimited
    Gift: None
  • Gigaclear £26.00 (*54.00)
    Speed: 400Mbps, Unlimited
    Gift: None
  • Virgin Media £27.00 (*51.00)
    Speed: 108Mbps, Unlimited
    Gift: None
Large Availability | View All
The Top 20 Category Tags
  1. FTTP (3498)
  2. BT (3008)
  3. Politics (1923)
  4. Building Digital UK (1917)
  5. FTTC (1882)
  6. Openreach (1821)
  7. Business (1675)
  8. Mobile Broadband (1468)
  9. Statistics (1405)
  10. FTTH (1364)
  11. 4G (1270)
  12. Fibre Optic (1165)
  13. Virgin Media (1159)
  14. Wireless Internet (1151)
  15. Ofcom Regulation (1139)
  16. Vodafone (836)
  17. EE (830)
  18. TalkTalk (760)
  19. 5G (760)
  20. Sky Broadband (744)
Promotion
Helpful ISP Guides and Tips
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact