Unknown UPnP port


  1. Posts : 25
    Windows Seven 64bit build 7600
       #1

    Unknown UPnP port


    Hi,

    I have 2 PCs set up with Windows 7 x64 7600; one is my main PC and the other is my HTPC.

    My HTPC is opening up UDP port 54838 via UPnP on startup, without any applications starting.
    This is a fresh install with no software other than iMon which is for the remote and VFD.
    I have run TCPView and CurrPorts to see what is doing this, but they only show that the port is open and not what is associated with it. I have also run Sysinternals Autoruns, which lists everything that is running as a service or as a program, and I can see nothing suspicious!

    I also have downloaded a free version of UPnP Explorer, but this only displays info on the physical router side of things.

    I have searched the net and can find no mention of UDP port 54838 anywhere whatsoever, and have checked all of the port listing sites and none of them have any details of this port number, other than it is in the dynamic private range ... so it could be anything.

    I have tried to create a firewall rule to block it, but UPnP just creates another rule to enable it!

    I know that the simple answer is to turn off UPnP, but I do actually use it for quite a few applications and devices so it would be a pain to do so, as UPnP works really well with multiple devices that switch from wired to wireless mode and with dynamic IPs.

    Has anyone got any ideas on a) what this port might be and b) if not, what else I can do to track it down?

    I don't want to get paranoid about it but I am security conscious enough to want to know what is making connections outside of my network without my permission.

    Any thoughts would be gratefully received.

    Cheers

    Damob


  2. Posts : 28,845
    Win 8 Release candidate 8400
       #2

    Hi and welcome

    You can read about UDP 54838 here: Port 54838 (tcp/udp) : SpeedGuide.net

    Hope this helps


  3. Posts : 40
    Windows Vista Home Premium -> Windows 7 Home Premium
       #3

    There is essentially no information about that port in the link provided, except that it is used for TCP or UDP like most other ports.


  4. Posts : 25
    Windows Seven 64bit build 7600
    Thread Starter
       #4

    Thanks Zigzag,

    but as dj99 mentioned, that page doesn't actually give any details.
    And Gibson Research has nothing on it, and that's a bad sign, as Gibson is the authority on these sorts of things as far as I'm concerned.

    The fact that this is a dynamic private port range is of concern, as any legitimate program would be using commonly known ranges.

    I have run Windows Defender and Malwarebytes and come up with nothing nasty.

    I have grabbed some other network sniffer apps and will give them a go, as soon as the HTPC is not in use :)

    Ta

    Damob


  5. Posts : 5,642
    Windows 10 Pro (x64)
       #5

    Port 54838 is just a random dynamic port; these types of ports are common for non-registered services or temporary connections (this would be UPnP). Is this open port causing you problems? I think not. My advice is to leave it alone. As long as you have a firewall between you and the internet (aka a router) then there is no threat.


    UPnP uses a random port for data transfers, and a set port for control and communications with UPnP devices.


  6. Posts : 25
    Windows Seven 64bit build 7600
    Thread Starter
       #6

    @logicearth

    I am sorry to have to disagree with you, on all of your points. For the following reasons:

    logicearth said:
    port 54838 is just a random dynamic port, these types of ports are common for non-registered services or temporary connections (this would be UPnP).
    Port 54838 is not being opened by random, it is being opened by something that is using UPnP and is not being opened by the UPnP service itself.

    logicearth said:
    UPnP uses a random port for data transfers, and a set port for control and communications with UPnP devices.
    The UPnP framework uses TCP port 2869 and UDP port 1900 as its own service ports, it does not use random ports for data transfer, that is handled by the application or device that then requests a port to be opened for that purpose.

    logicearth said:
    Is this open port causing you problems? I think not. My advice is to leave it alone. As long as you have a firewall between you and the internet (aka., a router) then there is no threat.
    I just don't see the logic in this statement, for starters the whole point of UPnP is to automate port forwarding and allow traffic to pass freely to the port opened, i.e. UPnP automatically creates a firewall rule within the router, assuming it is an all in one unit.

    So yes there is potentially a threat, which is what I am trying to establish.

    This might not be malicious but A) it has not been instigated by me or any application that I have installed, B) it is not doing this on my other PC with the identical version of 7 and C) just because I can't say that it is causing a problem or is indeed something malicious doesn't mean that I leave it alone as you suggested.

    I am not trying to disrespect or flame you as the saying goes, but the advice you have given is at best risky, and if I was an IT novice I would be taking bad advice.

    As it is I work in IT as a 2nd/3rd line analyst in a large public sector environment, and have seen the results (and had to sort them out) of people that are not security aware and do not know how to spot something that could be a risk. After all this is how millions upon millions of viral and mail splurging bots and malware propagate through the web... by people that know no better (can't blame them) or people that just say "ahh don't worry, I'm sure it's supposed to do that!" ... I am neither.

    Like I said please don't take any of that personally, but this is one of the reasons I don't tend to spend a lot of time in forums... too much bad info and advice.

    Best regards

    Damo


  7. Posts : 5,642
    Windows 10 Pro (x64)
       #7

    Damob9k said:
    port 54838 is not being opened by random, it is being opened by something that is using UPnP and is not being opened by the UPnP service itself.
    I meant random as in, nothing else is using it. Ports between 49152 and 65535 are used for this purpose. Opening these ports is common, just by browsing the web several of these ports are open.

    Damob9k said:
    The UPnP framework uses TCP port 2869 and UDP port 1900 as its own service ports, it does not use random ports for data transfer, that is handled by the application or device that then requests a port to be opened for that purpose.
    Port 1900 does not talk to port 2869. When opening a port there are always two. One for the server, the other for the client, in most cases in the 49152 & 65535 range for the client. You can see this relationship by using "netstat -an".

    Just by browsing the web there are several ports opened, you may talk to the server on port 80 but the server talks back on one of the dynamic/random ports.

    Damob9k said:
    I just don't see the logic in this statement, for starters the whole point of UPnP is to automate port forwarding and allow traffic to pass freely to the port opened, i.e. UPnP automatically creates a firewall rule within the router, assuming it is an all in one unit.
    So you configured the router to accept outside network communications for UPnP?


  8. Posts : 25
    Windows Seven 64bit build 7600
    Thread Starter
       #8

    No No No No No......
    You are just not getting it.

    Browsing the web does not open any UPnP ports, period! All ports relating to web browsing, be it non-secure HTTP or HTTPS and SSL, use ports 80 and 443, and these ports are almost always open by default depending on the router in question.

    logicearth said:
    Port 1900 does not talk to port 2869. When opening a port there is always two. One for the server the other for the client, in most cases in the 49152 & 65535 range for the client. You can see this relationship by using "netstat -an".
    That is not what I said. I never suggested that port 1900 talks to port 2869.

    Damob9k said:
    The UPnP framework uses TCP port 2869 and UDP port 1900 as its own service ports, it does not use random ports for data transfer, that is handled by the application or device that then requests a port to be opened for that purpose.
    These are the control ports that all PCs, servers and UPnP devices use to communicate with the UPnP service; when you start or stop the UPnP service via the services MMC these are the ports that are activated for UPnP to work.

    logicearth said:
    Just by browsing the web there is several ports opened, you may talk to the server on port 80 but the server talks back on one of the dynamic/random ports.
    ????? How? ....
    If you open up your browser and type an HTTP address in you will connect to the end point via port 80, if you type HTTPS you will connect via 443.
    The only and quite common occurrence of port switching is if you go to a web page via HTTP, and that page requires you to use HTTPS/SSL, your browser will start to communicate on that port.
    To the best of my knowledge I do not know of any UPnP enabled web browsers, and for a good reason ... they would be a security disaster.

    Damob9k said:
    I just don't see the logic in this statement, for starters the whole point of UPnP is to automate port forwarding and allow traffic to pass freely to the port opened, i.e. UPnP automatically creates a firewall rule within the router, assuming it is an all in one unit.
    logicearth said:
    So you configured the router to accept outside network communications for UPnP?
    NOOOO .... UPnP configures the router to allow the application that is asking to connect to an external server.
    You do not configure UPnP, rather it is UPnP that does the configuring for you (or more correctly for the application or device).
    This is the fundamental point of UPnP.
    And no, I have not configured UPnP to accept outside connections, why on earth would I do that? I have no wish to allow my UPnP service to configure someone's bittorrent application 5000 miles away!

    I don't think you really understand the principles of UPnP and port forwarding that well. Or we are just having some major case of misunderstanding / misinterpretation, I don't know.

    But either way this is not really getting anybody any closer to a resolution.

    I will just do what I would normally do anyway, and that is to keep bashing at it until I find the answer.

    Best regards

    Damob


  9. Posts : 2,913
    Windows 7 Ultimate x64 SP1
       #9

    Damob, have you checked your router logs to see what IP address is associated with the UPnP port? I'm also assuming your other Windows 7 computer, which is configured the same as your HTPC, does not open any UPnP ports?
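Added example, not part of the original thread: the question raised in post #9 (which internal address is associated with the mapping) can also be answered from the router's own UPnP mapping table, which IGD routers return one entry at a time through the WANIPConnection action GetGenericPortMappingEntry. The Python code below parses such responses and reports who requested each mapping; the sample responses, addresses, descriptions and the host inventory are constructed for illustration, and only port 54838 comes from the thread.

```python
import xml.etree.ElementTree as ET

# Output arguments of GetGenericPortMappingEntry (WANIPConnection:1) used here.
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort", "NewInternalClient",
          "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")

def parse_mapping(soap_xml):
    """Pull the port-mapping arguments out of one SOAP response."""
    found = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]          # strip XML namespace, if any
        if name in FIELDS:
            found[name] = (el.text or "").strip()
    missing = [f for f in FIELDS if f not in found]
    if missing:
        raise ValueError(f"not a port-mapping response, missing {missing}")
    return found

def audit(responses, inventory):
    """Return (protocol, external port, internal client, notes) per mapping."""
    report = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        notes = []
        if m["NewInternalClient"] not in inventory:
            notes.append("internal client not in inventory")
        if not m["NewPortMappingDescription"]:
            notes.append("requester set no description")
        if m["NewLeaseDuration"] == "0":
            notes.append("lease 0: mapping stays until deleted")
        report.append((m["NewProtocol"], int(m["NewExternalPort"]),
                       m["NewInternalClient"], notes))
    return report

def sample(ext, proto, inner, client, desc, lease):
    """Constructed response for the demo; the values are illustrative."""
    args = zip(FIELDS, (ext, proto, inner, client, 1, desc, lease))
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args)
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse'
            ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f'{body}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

INVENTORY = {"192.168.1.10": "main PC", "192.168.1.20": "HTPC"}   # assumed hosts
SAMPLES = [sample(6881, "TCP", 6881, "192.168.1.10", "file sharing app", 3600),
           sample(54838, "UDP", 54838, "192.168.1.20", "", 0)]
if __name__ == "__main__":
    for proto, port, client, notes in audit(SAMPLES, INVENTORY):
        print(proto, port, client, INVENTORY.get(client, "?"), notes)
```

The internal client and internal port from the table narrow the search to one host and one local socket, and the description field, when the requesting program sets it, often names that program.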


  10. Posts : 25
    Windows Seven 64bit build 7600
    Thread Starter
       #10

    Hi kegobeer, (nice nick btw) :)

    Unfortunately I have done a router reset this afternoon after faffing around with setting firewall rules.
    But looking at it at the moment there is no ip associated to this port.

    It is open but nothing is actually using it, which is odd behaviour, and sort of looks like a backdoor to me. Although I have not come across this type of backdoor in my travels, that's not to say they don't exist, and I have read about the vulnerabilities of UPnP in a few security bulletins.

    Tis late now over here in GB and I am too tired to look at it now, but will have another crack at it tomorrow. Woohoo, that'll be a fun thing to do on my birthday. Actually it's my birthday now!! I think I will have a JD.

    Cheers for now

    Damob


    Oh and yes, your assumption is correct! My main PC is not opening any UPnP ports.
    Last edited by Damob9k; 08 Dec 2009 at 20:08. Reason: running low on memory resources :) aka forgot stuff !


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
