

Windows 7: Unknown UPnP port


08 Dec 2009   #1

Windows Seven 64bit build 7600
 
 
Unknown UPnP port

Hi,

I have 2 PCs set up with Windows 7 x64 7600; one is my main PC and the other is my HTPC.

My HTPC is opening up UDP port 54838 via UPnP on startup, without any applications starting.
This is a fresh install with no software other than iMon, which is for the remote and VFD.
I have run TCPView and CurrPorts to see what is doing this, but they only show that the port is open and not what is associated with it. I have also run Sysinternals Autoruns, which lists everything that is running as a service or as a program, and I can see nothing suspicious!

I also have downloaded a free version of UPnP Explorer, but this only displays info on the physical router side of things.

I have searched the net and can find no mention of UDP port 54838 anywhere whatsoever, and have checked all of the port listing sites and none of them have any details of this port number, other than it is in the dynamic private range ... so it could be anything.

I have tried to create a firewall rule to block it, but UPnP just creates another rule to enable it!

I know that the simple answer is to turn off UPnP, but I do actually use it for quite a few applications and devices, so it would be a pain to do so, as UPnP works really well with multiple devices that switch from wired to wireless mode and with dynamic IPs.

Has anyone got any ideas on a) what this port might be and b) if not, what else I can do to track it down?

I don't want to get paranoid about it, but I am security conscious enough to want to know what is making connections outside of my network without my permission.

Any thoughts would be gratefully received.

Cheers

Damob


08 Dec 2009   #2

Win 8 Release candidate 8400
 
 

Hi and welcome

You can read about UDP 54838 here: Port 54838 (tcp/udp) : SpeedGuide.net

Hope this helps
08 Dec 2009   #3

Windows Vista Home Premium -> Windows 7 Home Premium
 
 

There is essentially no information about that port in the link provided, except that it is used for TCP or UDP like most other ports.


08 Dec 2009   #4

Windows Seven 64bit build 7600
 
 

Thanks Zigzag,

but as dj99 mentioned, that page doesn't actually give any details.
And Gibson Research has nothing on it, and that's a bad sign, as Gibson is the authority on these sorts of things as far as I'm concerned.

The fact that this is a dynamic private port range is of concern, as any legitimate program would be using commonly known ranges.

I have run Windows Defender and Malwarebytes and come up with nothing nasty.

I have grabbed some other network sniffer apps and will give them a go as soon as the HTPC is not in use.

Ta

Damob
08 Dec 2009   #5

Windows 8.1 Pro (x64)
 
 

Port 54838 is just a random dynamic port; these types of ports are common for non-registered services or temporary connections (this would be UPnP). Is this open port causing you problems? I think not. My advice is to leave it alone. As long as you have a firewall between you and the internet (a.k.a. a router) then there is no threat.


UPnP uses a random port for data transfers, and a set port for control and communications with UPnP devices.
08 Dec 2009   #6

Windows Seven 64bit build 7600
 
 

@logicearth

I am sorry to have to disagree with you, on all of your points. For the following reasons:

Quote:
Port 54838 is just a random dynamic port; these types of ports are common for non-registered services or temporary connections (this would be UPnP).
Port 54838 is not being opened at random; it is being opened by something that is using UPnP and is not being opened by the UPnP service itself.

Quote:
UPnP uses a random port for data transfers, and a set port for control and communications with UPnP devices.
The UPnP framework uses TCP port 2869 and UDP port 1900 as its own service ports. It does not use random ports for data transfer; that is handled by the application or device that then requests a port to be opened for that purpose.

Quote:
Is this open port causing you problems? I think not. My advice is to leave it alone. As long as you have a firewall between you and the internet (a.k.a. a router) then there is no threat.
I just don't see the logic in this statement. For starters, the whole point of UPnP is to automate port forwarding and allow traffic to pass freely to the port opened, i.e. UPnP automatically creates a firewall rule within the router, assuming it is an all-in-one unit.

So yes there is potentially a threat, which is what I am trying to establish.

This might not be malicious, but A) it has not been instigated by me or any application that I have installed, B) it is not doing this on my other PC with the identical version of 7, and C) just because I can't say that it is causing a problem or is indeed something malicious doesn't mean that I leave it alone as you suggested.

I am not trying to disrespect or flame you, as the saying goes, but the advice you have given is at best risky, and if I was an IT novice I would be taking bad advice.

As it is, I work in IT as a 2nd/3rd line analyst in a large public sector environment, and have seen the results (and had to sort them out) of people that are not security aware and do not know how to spot something that could be a risk. After all, this is how millions upon millions of viral and mail splurging bots and malware propagate through the web... by people that know no better (can't blame them) or people that just say "ahh don't worry, I'm sure it's supposed to do that!" ... I am neither.

Like I said, please don't take any of that personally, but this is one of the reasons I don't tend to spend a lot of time in forums... too much bad info and advice.

Best regards

Damo
08 Dec 2009   #7

Windows 8.1 Pro (x64)
 
 

Quote: Originally Posted by Damob9k
Port 54838 is not being opened at random; it is being opened by something that is using UPnP and is not being opened by the UPnP service itself.
I meant random as in, nothing else is using it. Ports between 49152 and 65535 are used for this purpose. Opening these ports is common; just by browsing the web several of these ports are open.

Quote:
The UPnP framework uses TCP port 2869 and UDP port 1900 as its own service ports. It does not use random ports for data transfer; that is handled by the application or device that then requests a port to be opened for that purpose.
Port 1900 does not talk to port 2869. When opening a port there are always two. One for the server, the other for the client, in most cases in the 49152 & 65535 range for the client. You can see this relationship by using "netstat -an".

Just by browsing the web there are several ports opened; you may talk to the server on port 80 but the server talks back on one of the dynamic/random ports.

Quote:
I just don't see the logic in this statement. For starters, the whole point of UPnP is to automate port forwarding and allow traffic to pass freely to the port opened, i.e. UPnP automatically creates a firewall rule within the router, assuming it is an all-in-one unit.
So you configured the router to accept outside network communications for UPnP?
08 Dec 2009   #8

Windows Seven 64bit build 7600
 
 

No No No No No......
You are just not getting it.

Browsing the web does not open any UPnP ports, period! All ports relating to web browsing, be it non-secure HTTP or HTTPS and SSL, use ports 80 and 443, and these ports are almost always open by default depending on the router in question.

Quote:
Port 1900 does not talk to port 2869. When opening a port there are always two. One for the server, the other for the client, in most cases in the 49152 & 65535 range for the client. You can see this relationship by using "netstat -an".
That is not what I said. I never suggested that port 1900 talks to port 2869.

Quote:
The UPnP framework uses TCP port 2869 and UDP port 1900 as its own service ports. It does not use random ports for data transfer; that is handled by the application or device that then requests a port to be opened for that purpose.
These are the control ports that all PCs, servers and UPnP devices use to communicate with the UPnP service. When you start or stop the UPnP service via the services MMC, these are the ports that are activated for UPnP to work.

Quote:
Just by browsing the web there are several ports opened; you may talk to the server on port 80 but the server talks back on one of the dynamic/random ports.
????? How? ....
If you open up your browser and type an HTTP address in, you will connect to the end point via port 80; if you type HTTPS you will connect via 443.
The only and quite common occurrence of port switching is if you go to a web page via HTTP, and that page requires you to use HTTPS/SSL, your browser will start to communicate on that port.
To the best of my knowledge I do not know of any UPnP enabled web browsers, and for a good reason ... they would be a security disaster.

Quote:
I just don't see the logic in this statement. For starters, the whole point of UPnP is to automate port forwarding and allow traffic to pass freely to the port opened, i.e. UPnP automatically creates a firewall rule within the router, assuming it is an all-in-one unit.
Quote:
So you configured the router to accept outside network communications for UPnP?
NOOOO .... UPnP configures the router to allow the application that is asking to connect to an external server.
You do not configure UPnP, rather it is UPnP that does the configuring for you (or more correctly for the application or device).
This is the fundamental point of UPnP.
And no, I have not configured UPnP to accept outside connections, why on earth would I do that? I have no wish to allow my UPnP service to configure someone's BitTorrent application 5000 miles away!

I don't think you really understand the principles of UPnP and port forwarding that well. Or we are just having some major case of misunderstanding / misinterpretation, I don't know.

But either way this is not really getting anybody any closer to a resolution.

I will just do what I would normally do anyway, and that is to keep bashing at it until I find the answer.

Best regards

Damob
08 Dec 2009   #9

Windows 7 Ultimate x64 SP1
 
 

Damob, have you checked your router logs to see what IP address is associated with the UPnP port? I'm also assuming your other Windows 7 computer, which is configured the same as your HTPC, does not open any UPnP ports?
08 Dec 2009   #10

Windows Seven 64bit build 7600
 
 

Hi kegobeer, (nice nick btw)

Unfortunately I have done a router reset this afternoon after faffing around with setting firewall rules.
But looking at it at the moment there is no IP associated to this port.

It is open but nothing is actually using it, which is odd behaviour, and sort of looks like a backdoor to me. Although I have not come across this type of backdoor in my travels, that's not to say they don't exist, and I have read about the vulnerabilities of UPnP in a few security bulletins.

Tis late now over here in GB and I am too tired to look at it now, but will have another crack at it tomorrow. Woohoo, that'll be a fun thing to do on my birthday. Actually, it's my birthday now!! I think I will have a JD.

Cheers for now

Damob


Oh and yes, your assumption is correct! My main PC is not opening any UPnP ports.
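
One way to answer the question the thread keeps circling (which host and which process asked the router for the mapping), as an added example that is not from any of the posters: the script reads the gateway's UPnP mapping table through Windows' `HNetCfg.NATUPnP` COM object, then looks for a local UDP socket on the port with `netstat -ano` and `tasklist /svc`. The port number 54838 is taken from post #1; nothing else is assumed about the system.

```powershell
# Added example (not from the thread). 54838 is the port reported in post #1.
$suspectPort = 54838

# 1. Ask the gateway for its current UPnP mappings via the Windows NAT UPnP COM API.
#    StaticPortMappingCollection is $null when no UPnP gateway answers.
$nat = New-Object -ComObject HNetCfg.NATUPnP
$mappings = $nat.StaticPortMappingCollection
if ($null -eq $mappings) {
    Write-Warning 'No UPnP gateway found (or discovery is blocked by the local firewall).'
} else {
    foreach ($m in $mappings) {
        # Description is free text supplied by whoever requested the mapping.
        '{0,-4} ext {1,-6} -> {2}:{3}  enabled={4}  "{5}"' -f `
            $m.Protocol, $m.ExternalPort, $m.InternalClient, $m.InternalPort, $m.Enabled, $m.Description
    }
}

# 2. Find local UDP sockets bound to the suspect port; netstat -ano prints the owning PID.
$hits = @(netstat -ano | ForEach-Object {
    if ($_ -match '^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$' -and [int]$matches[2] -eq $suspectPort) {
        New-Object PSObject -Property @{ Address = $matches[1]; ProcessId = [int]$matches[3] }
    }
})

if ($hits.Count -eq 0) {
    "Nothing on this machine is bound to UDP $suspectPort; check the mapping's InternalClient against other LAN hosts."
}
foreach ($h in $hits) {
    $proc = Get-Process -Id $h.ProcessId -ErrorAction SilentlyContinue
    'UDP {0}:{1} -> PID {2} ({3})' -f $h.Address, $suspectPort, $h.ProcessId, $proc.ProcessName
    # A svchost.exe PID hosts several services; tasklist /svc names them.
    tasklist /svc /fi "PID eq $($h.ProcessId)"
}
```

If the mapping's InternalPort differs from its external port, set `$suspectPort` to the InternalPort before step 2, since that is the port the local socket is bound to.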