Netgear router listening on port 32764?
I've got a Netgear DG834G running firmware V5.01.01. From the LAN side, if I port scan it, it's listening on TCP port 32764. Trying to telnet into this port gives me the response MMcS\xff\xff\xff\xff\0\0\0\0 (in hex, obviously).
I've got UPnP disabled, it's not a remote management port, and it's not open on the WAN side. I can't find anything in Netgear's documentation, and searching online doesn't find anything either. A few people seem to have noticed, but no one actually has an answer. I've also created a firewall rule blocking outbound access to that port, and it's still open, so it's actually the router that's listening on it.
Does anyone know what this could be?
Hmm, weird.
Hex ff = Decimal 255, so logically the response you are receiving is equivalent to MMcS 255.255.255.255 0.0.0.0 (dots added for networking clarity), which to me is basically a broadcast address on your network. It could be stating that any IP on your network can use the MMCS service, i.e. 255.255.255.255 net mask 0.0.0.0.
There are a number of things that MMCS could be, such as the MultiMedia Class Scheduler that Vista is able to use to get priority for multimedia traffic over the network. It would explain why the port is only open on your local network too.
Also a bit of info on point 5 of the first post of this page.
I doubt it would be something to do with MIP-MANET Cell Switching, which appears to be something to do with mobile phone networks. Wow, there is some weird stuff that gets returned when you Google for MMCS 255.255.255.255. Like this.
So I'd say it's most likely a port that allows the Windows MultiMedia Class Scheduler to talk to the router to prioritize traffic, but it could be some weird funky mobile phone network stuff.
Actually, this appears to be a software back-door included by the manufacturer as described here and exploitable using this script.
So far non-vendor related persons have reported there are back-doors in the following routers: Linksys WAG200G, Linksys WAG320N (Firmware V1.00.12) and Netgear DM111P. But it seems the following devices (yours included) may also be present: Netgear DG834, DG834G, WPNT834, DG934, WG602, WGR614 router, Linksys WAG160N and DGN2000, WAG120N wireless-WRVS4400N. It seems likely this back-door is present in other devices as well.
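For checking other devices on a LAN against the reply quoted in the question, here is an added example (not from the original post or either answer) that compares the first 12 bytes a device sent on TCP port 32764 with that reply. The 4+4+4 byte split, the byte-reversed tag for devices of the other endianness, and the sample hosts and captures are assumptions constructed for illustration.

```python
import struct

# Reply quoted in the question: "MMcS" + ff ff ff ff + 00 00 00 00
REPORTED = b"MMcS\xff\xff\xff\xff\x00\x00\x00\x00"
TAG = b"MMcS"


def decode(banner):
    """Split the first 12 bytes into a 4-byte tag and two 32-bit words.
    Assumption: 4+4+4 layout, inferred from the 12 bytes in the question."""
    if len(banner) < 12:
        return None
    return struct.unpack("<4sII", banner[:12])


def classify(banner):
    """Label a captured banner relative to the reply reported on this page."""
    fields = decode(banner)
    if fields is None:
        return "too-short"
    if banner[:12] == REPORTED:
        return "match"
    # Assumption: a device of the other endianness sends the tag reversed.
    if fields[0] in (TAG, TAG[::-1]):
        return "tag-only"
    return "other"


def triage(captures):
    """captures maps host -> hex string of the bytes received from it."""
    results = {}
    for host, hexdump in captures.items():
        try:
            results[host] = classify(bytes.fromhex(hexdump))
        except ValueError:  # not valid hex, e.g. a truncated log line
            results[host] = "bad-hex"
    return results


# Constructed sample captures (documentation addresses, not real devices).
SAMPLE = {
    "192.0.2.1": "4d4d6353ffffffff00000000",          # reply from the question
    "192.0.2.2": "53634d4dffffffff00000000",          # reversed tag
    "192.0.2.3": "5353482d322e302d64726f7062656172",  # "SSH-2.0-dropbear"
    "192.0.2.4": "4d4d63",                            # truncated capture
}

if __name__ == "__main__":
    for host, label in triage(SAMPLE).items():
        print(host, label)
```

Hosts labelled "match" or "tag-only" are the ones to look up against the model lists above and to isolate or reflash.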