ISP Virgin Media UK Restricting Port 7547 After Leaving it Open
Nothing to worry about, move along please. Cable broadband ISP Virgin Media has “taken steps to ensure [port 7547] is no longer discoverable” online after they left it open on some routers. The good news is that this “posed no security risk” to customers, but it remains unclear why it occurred.
For the uninitiated, port 7547 is commonly used by the TR-069 remote management service, which is what enables ISPs to access, manage and update your broadband router (e.g. this is necessary for use as part of customer support tasks). Most ISPs with their own bundled router will make some use of this and a few still leave the port open to the internet (this is rarely a concern as only your ISP will be able to use the service).
However, in the past there have been cases where leaving port 7547 open has caused problems. For example, back in 2016 a number of ISPs and router brands, including those used by TalkTalk, KCOM and the Post Office, were hit by malware that exploited weaknesses in TR-069 (here). Since then ISPs often prefer to err on the side of caution by restricting access to port 7547 (e.g. limiting access to only a specific range of IP addresses).
The impact of the aforementioned restriction is that for normal internet users the port will appear as closed when scanned, unless you happen to be using the specific IP range. We had assumed that Virgin Media were doing this too, although recently a number of Virgin Media’s routers (e.g. HUB 3.0) have started showing up on Shodan (a search engine for all internet connected devices) as having TCP port 7547 open.
For example, on the 21st October 2020 the total results that Shodan tracked were around 235,000 Virgin Media IPs with port 7547 open, which then increased to 412,000 on 22nd and 787,000 on 24th. By Friday 30th October this had jumped to 1.7 million. We must stress that there is currently no known security exploit that could abuse VM’s routers through this, but it was a little odd and so we raised it with the ISP.
A Spokesperson for Virgin Media said:
“We opened port 7547 for remote management using TR-069 and this was discoverable to internet users searching for it. This posed no security risk to our customers.
We have taken steps to ensure the port is no longer discoverable to provide an additional layer of security over and above the measures we already have in place.”
Credits to Virgin Media for acting on that so quickly, even if there wasn’t a known risk at the time – good network security often benefits from being a little bit paranoid. But at the last check on Friday the port was still discoverable via Shodan and the open IPs count continues to increase (some changes may not show up instantly).
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook and Linkedin.
« New Full Fibre UK ISP Gigaloch Surfaces to Connect Rural Areas
You should basically assume that any open port on a network device will become exploitable at some point due either to a bug in the firmware, a misconfiguration, or a leaked or back door password.
I am with virgin and I was scammed on Thursday with some Asian caller saying they were from virgin and that I had a problem with my router. Basically they took over control of my laptop was this enabled because of this port.
I don’t know I am not that PC literate but it was very concerning at the time.
I don’t think they got what they were after as everything seems ok and I informed virgin and my bank over my stupidity falling into their trap.
There’s been a recent increase in this classic scam in recent months, work home home will have some bearing on this. I had about 5 calls in one day all pretending to be Virgin Media, but in reality they are just scammers and will pretend to be any ISP or company to try and hook you. Usually they claim, there are “errors” coming from your router or something, to then connect via remote desktop and try create some fake scenario or show you something not working, when in fact it’s either Windows error log, Command Prompt or similar.
Whenever you get these calls hang up, if you aren’t sure, always make them tell you something only a company that has your personal data could, nothing available via public sources either. If there’s any doubt, hang up and call the company through the number or channels you know are legit.
I don’t think that has anything to do with that port having been open on your vm router.
You can’t take control of someone’s computer just because a router port is open. Sorry you got scammed, but this doesn’t sound like a VM problem to me.
As Billy says, that’s nothing to do with this port. I’m guessing the scammer tricked you into downloading something or clicking a malware link, thus giving them access.
Might want to run some anti virus scans and uninstall whatever they put on there.
Or better still a complete clean down and rebuild of the computer.
There are many programmes that allow you to take control of other ppls computers and android devices. It not always to do with the ports. Google it you’ll find many ways and also many apps for it aswell. But you did right informing the bank and your service provider. Thanks.
I had one customer who had this, typing norton enroll website in the search bar resulted in him been taken to a fake Norton my account website witch asks for your number and they call you then
What I don’t understand is why would someone pay £700 to fix a pc (and why the scammers would expect the bank not to flag it witch luckily the bank was blocking it as his bank was blocking the payment processor)
once they moved over to PayPal he got suspicious after about an hour and decided to just hang up the call and switch off the power to the computer so the wasn’t able to lock the computer down, as their was only about 30 seconds between him saying it so they didn’t have chance to lock down the pc (as they tend to get destructive once they workout they are not going to get any money but they have remote access still)
talktalk about 6-12 months ago they turned on remote access server block for everyone and websites that are setup for remote access scams, so this stops all most 99% of remote access software even if they have a website to install the remote access software as it won’t be able to contact the server to get an ID
it throw me for a loop The first time it happened as team viewer couldn’t connect to Team Viewer server and forced me to do a call out (I thought it was just a host file block)
It be nice if talktalk was redirecting to a the website like
“” you just went to can be used to scam your computer or steal money, if you’re currently talking to somebody on the phone who’s trying to do stuff on your computer please hang up the phone and and disconnect your computer from The Internet
TalkTalk/ISP, Microsoft, antivirus company’s will never contact you when you have problems with your pc
Err on the side of caution
Glad you gave air to that, :-).
It annoyed me also.
To err is human, to air, well, for laundry I guess
I have corrected that most grave of err..ors :).
From Shodan, some of the indexed 7547 results from Virgin Media IPs now seem to be returning 401 Unauthorized on probes according to Shodan data now, before an HTTP get request was returning a 404 Not Found response on the port, maybe this the change Virgin Media are referring to?
The port is still open for any IP though, it seems however and the number of indexed results is still going up in Shodan, but it does seems to have slowed down now.
Why they don’t just restrict it to the their management servers is beyond me. I really doubt they need TR-069 open to any IP in the world, given it’s connecting to specific ACS or management systems.
You do not air on the side of caution.
You err on the side of caution
I wouldn’t bother ringing them. When it comes to anything technical you get more help less attitude & rudeness from a loaf of bread!
Go to Windows Systems, Control panel, System and Security, System. Then click Remote Settings. From the System Properties window, go to Remote and click on (Don’t allow remote connections to this computer) Problem solved.
Also uncheck to disable (Allow Remote Assistance connections to this computer)
TR-069 != Windows Remote Desktop.
I think you’ve misunderstood what TR-069 is, it’s not remote access to a desktop PC, it’s remote access to CPEs to push firmware and configuration updates.
Ive been having problems since lockdown where i get banned on cloudshare websites. I cant access playstation or usps because my ip gets flagged for malicious behaviour. Ive been flagging it since march and its pissing me off. I get about a week of use when it refreshes before its down again.
Could this be whats causing it?
Unlikely. The source could well be malware within your home network. Hard to say with limited info. Talk to your ISP support.
“For the uninitiated…..” Some of us don’t know the in’s and out’s of routers. We don’t need to. I wouldn’t go round insulting people’s intelligence, especially as you are a professional writer.
How do you know you don’t need to?
How is the word uninitiated in any way an insult? God, the Internet really does bring out all the loonies. Read the meaning within a book called a dictionary.
uninitiated
/ʌnɪˈnɪʃɪeɪtɪd/
Learn to pronounce
adjective
without special knowledge or experience.
How is he insulting? I, myself, don’t know anything about fixing cars & as such in uninitiated. It’s just another word for uneducated, which you are if you don’t know something, you’re uninitiated in the subject of that port being used.
Grow up, quit finding things to complain about because ISP newsman used big word :((((((((((
Well I wasn’t ever expecting the word “uninitiated” to be considered an insult by somebody 🙂 , but we certainly live in strange times.
This is why we can’t have nice things.
Thanks God I’ve isolated that piece of useless plastic into its own subnet filled with darkness and despair
Hi all,
My VM phone is connected to the router and at the exactly same time I lost International incoming calls.
Could that be a result of that fault?
no, most likely not been provisioned properly or it was removed from the package. Call up & check
Mark, was you’re “Nothing to worry about, move along please.” opening line, sarcasm?
Why would anyone trust their water company to supply all the taps in the house?
..
Exactly. They wouldn’t.
Own router. Tr-069 (et al) disabled.
Time to take responsibility people.
I had exactly the same scam done on me a few months ago they kept ringing and told me that my broadband had been running slow and that they asked a few things about my router and numbers etc. On my ports and I don’t know anything about computers or numbers but he seemed to know exactly what was happening on my phone and he was even installing a program onto my phone and then he was in control of all my passwords and so on then he said there was going to be an engineer out in the morning and asked me what was the best time for me and then this is where I was stupid he said that they owed money to me for paying for the fastest speeds and getting basically the cheapest package speed so that was when he asked me for a way to put the money into my account and he suggested that the quickest way would be if I had internet banking and I said yes like a doughnut and luckily it was my account with know money in because he tried 3 times to take funds out of my account and not give me any refunds and I found all of this out later when I was put through to the fraud office at my bank and virgin told me that they hadn’t been in contact with me and there was know engineer booked to come out and at the end of it all I had to change all my bank accounts and cards but it sounds exactly like what has happened to the other man at the top of this chat room?I was so naive when I look back I can’t believe it but obviously it is the same people doing that same scam you think that virgin would have caught up with the bas****s by now
Its a huge business in India, running scamming call centres. Check out the you-tube videos of “Ethical hacker” types who go after them. One guy even got into their security camera system and could see the guys in the call centre talking to him. A lot of the time they get hold of “customer data” and inform those scammed themselves. A few get shut down, but overall the Indian authorities are easily swayed into looking the other way. That’s why its such a big business over there.
> I am with virgin and I was scammed on Thursday with some Asian caller
> saying they were from virgin and that I had a problem with my router.
Heh, was I the only one that immediately thought of Jim Browning?!
https://www.youtube.com/channel/UCBNG0osIBAprVcZZ3ic84vw