Unknown UPnP port

Damob9k

New member
Hi,

I have 2 PCs set up with Windows 7 x64 7600; one is my main PC and the other is my HTPC.

My HTPC is opening up UDP port 54838 via UPnP on startup, without any applications starting.
This is a fresh install with no software other than iMon which is for the remote and VFD.
I have run tcpview and currport to see what is doing this, but they only show that the port is open and not what is associated with it. I have also run Sysinternals Autoruns, which lists everything that is running as a service or as a program, and I can see nothing suspicious!

I also have downloaded a free version of UPnP Explorer, but this only displays info on the physical router side of things.

I have searched the net and can find no mention of UDP port 54838 anywhere whatsoever, and have checked all of the port listing sites and none of them have any details of this port number, other than it is in the dynamic private range ... so it could be anything :shock:

I have tried to create a firewall rule to block it, but UPnP just creates another rule to enable it!

I know that the simple answer is to turn off UPnP, but I do actually use it for quite a few applications and devices, so it would be a pain to do so, as UPnP works really well with multiple devices that switch from wired to wireless mode and with dynamic IPs.

Has anyone got any ideas on a) what this port might be and b) if not, what else I can do to track it down?

I don't want to get paranoid about it but I am security conscious enough to want to know what is making connections outside of my network without my permission :eek:

Any thoughts would be gratefully received.

Cheers

Damob
 

My Computer

Computer Manufacturer/Model Number
Self build
OS
Windows Seven 64bit build 7600
CPU
Intel Core i7 920 @ 3.9
Motherboard
Asus P6T
Memory
12GB Corsair Dominator DDR3 12800
Graphics Card(s)
Nvidia GTX285 OC
Sound Card
Realtek ALC1200 8 -Channel High Definition Audio
Monitor(s) Displays
LG 22" L226WT
Screen Resolution
1680*1050
Hard Drives
2 x WD Raptors 150Gb
2 x WD GP2 750Gb
1 x WD GP4 1.5 TB
PSU
Corsair HX630
Case
Coolermaster 840 ATCS
Cooling
Corsair H50-1 CPU water cooler, 3 x 230 2 x 120mm case fans
Keyboard
Saitek Eclipse 2
Mouse
Razor death adder
Internet Speed
8 meg, no 24meg for my area for a while.
Hi and welcome

You can read about UDP 54838 here: Port 54838 (tcp/udp) : SpeedGuide.net

Hope this helps
 

My Computer

Computer Manufacturer/Model Number
HP Pavillion dv-7 1005 Tx
OS
Win 8 Release candidate 8400
CPU
[email protected]
Memory
4 gigs
Graphics Card(s)
Nvidia 9600M
Sound Card
HD built-in
Monitor(s) Displays
17" Wxga
Screen Resolution
1440x900
Cooling
none
Internet Speed
45Mb down 5Mb up
There is essentially no information about that port in the link provided, except that it is used for TCP or UDP like most other ports.
 

My Computer

OS
Windows Vista Home Premium -> Windows 7 Home Premium
Thanks Zigzag,

but as dj99 mentioned, that page doesn't actually give any details.
And Gibson Research has nothing on it, and that's a bad sign, as Gibson is the authority on these sorts of things as far as I'm concerned.

The fact that this is a dynamic private port range is of concern, as any legitimate program would be using commonly known ranges.

I have run Windows Defender and Malwarebytes and come up with nothing nasty.

I have grabbed some other network sniffer apps and will give them a go, as soon as the HTPC is not in use :)

Ta

Damob
 

Port 54838 is just a random dynamic port; these types of ports are common for non-registered services or temporary connections (this would be UPnP). Is this open port causing you problems? I think not. My advice is to leave it alone. As long as you have a firewall between you and the internet (a.k.a. a router) then there is no threat.


UPnP uses a random port for data transfers, and a set port for control and communications with UPnP devices.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Alienware Aurora ALX R4
OS
Windows 10 Pro (x64)
CPU
Intel Core i7-3930K (3.2GHz - 4.5GHz)
Motherboard
Alienware Aurora-R4 x79
Memory
4x Samsung 4GB PC3-12800 DDR3 (16GB 1600MHz)
Graphics Card(s)
Nvidia Geforce GTX 690
Sound Card
SteelSeries Siberia Elite
Monitor(s) Displays
Dell UltraSharp U3011
Screen Resolution
2560x1600
Hard Drives
Samsung 850 Pro 256 GB, Seagate 1TB Desktop Hybrid HDD, 2x Western Digital 4TB Green HDD
PSU
875W Some Dell PSU <.<
Case
Alienware Aurora ALX
Cooling
Custom Liquid Cooling (EK CPU & GPU blocks) dual EK 480RAD
Keyboard
Logitech G710+ Mechanical
Mouse
Logitech G700s
Internet Speed
Verizon Fios (50 mbps average)
Other Info
Server: Intel NUC D54250WYK: i5-4250U, 16GB, 256 GB mSATA, Windows Server 2012 R2
@logicearth

I am sorry to have to disagree with you on all of your points, for the following reasons:

[quote]Port 54838 is just a random dynamic port; these types of ports are common for non-registered services or temporary connections (this would be UPnP).[/quote]

Port 54838 is not being opened at random; it is being opened by something that is using UPnP and is not being opened by the UPnP service itself.

[quote]UPnP uses a random port for data transfers, and a set port for control and communications with UPnP devices.[/quote]

The UPnP framework uses TCP port 2869 and UDP port 1900 as its own service ports; it does not use random ports for data transfer. That is handled by the application or device that then requests a port to be opened for that purpose.

[quote]Is this open port causing you problems? I think not. My advice is to leave it alone. As long as you have a firewall between you and the internet (a.k.a. a router) then there is no threat.[/quote]

I just don't see the logic in this statement; for starters, the whole point of UPnP is to automate port forwarding and allow traffic to pass freely to the port opened, i.e. UPnP automatically creates a firewall rule within the router, assuming it is an all-in-one unit.

So yes there is potentially a threat, which is what I am trying to establish.

This might not be malicious but A) it has not been instigated by me or any application that I have installed, B) it is not doing this on my other PC with the identical version of 7 and C) just because I can't say that it is causing a problem or is indeed something malicious doesn't mean that I leave it alone as you suggested.

I am not trying to disrespect or flame you, as the saying goes, but the advice you have given is at best risky, and if I was an IT novice I would be taking bad advice.

As it is I work in IT as a 2nd/3rd line analyst in a large public sector environment, and have seen the results (and had to sort them out) of people that are not security aware and do not know how to spot something that could be a risk. After all this is how millions upon millions of viral and mail splurging bots and malware propagate through the web... by people that know no better (can't blame them) or people that just say "ahh don't worry, I'm sure it's supposed to do that!" ... I am neither.

Like I said please don't take any of that personally, but this is one of the reasons I don't tend to spend a lot of time in forums... too much bad info and advice.

Best regards

Damo
 

[quote]Port 54838 is not being opened at random; it is being opened by something that is using UPnP and is not being opened by the UPnP service itself.[/quote]

I meant random as in, nothing else is using it. Ports between 49152 and 65535 are used for this purpose. Opening these ports is common; just by browsing the web several of these ports are open.

[quote]The UPnP framework uses TCP port 2869 and UDP port 1900 as its own service ports; it does not use random ports for data transfer. That is handled by the application or device that then requests a port to be opened for that purpose.[/quote]
Port 1900 does not talk to port 2869. When opening a port there are always two: one for the server, the other for the client, in most cases in the 49152 to 65535 range for the client. You can see this relationship by using "netstat -an".

Just by browsing the web there are several ports opened; you may talk to the server on port 80 but the server talks back on one of the dynamic/random ports.

[quote]I just don't see the logic in this statement; for starters, the whole point of UPnP is to automate port forwarding and allow traffic to pass freely to the port opened, i.e. UPnP automatically creates a firewall rule within the router, assuming it is an all-in-one unit.[/quote]
So you configured the router to accept outside network communications for UPnP?
 

No No No No No......
You are just not getting it.

Browsing the web does not open any UPnP ports, period! All ports relating to web browsing, be it non-secure HTTP or HTTPS and SSL, use port 80 and 443, and these ports are almost always open by default depending on the router in question.

[quote]Port 1900 does not talk to port 2869. When opening a port there are always two: one for the server, the other for the client, in most cases in the 49152 to 65535 range for the client. You can see this relationship by using "netstat -an".[/quote]

That is not what I said. I never suggested that port 1900 talks to port 2869.

[quote]The UPnP framework uses TCP port 2869 and UDP port 1900 as its own service ports; it does not use random ports for data transfer. That is handled by the application or device that then requests a port to be opened for that purpose.[/quote]

These are the control ports that all PCs, servers and UPnP devices use to communicate with the UPnP service; when you start or stop the UPnP service via the Services MMC these are the ports that are activated for UPnP to work.

[quote]Just by browsing the web there are several ports opened; you may talk to the server on port 80 but the server talks back on one of the dynamic/random ports.[/quote]

????? How ? ....
If you open up your browser and type an HTTP address in, you will connect to the end point via port 80; if you type HTTPS you will connect via 443.
The only and quite common occurrence of port switching is if you go to a web page via HTTP, and that page requires you to use HTTPS/SSL, your browser will start to communicate on that port.
To the best of my knowledge I do not know of any UPnP enabled web browsers, and for a good reason ... they would be a security disaster.

[quote]I just don't see the logic in this statement; for starters, the whole point of UPnP is to automate port forwarding and allow traffic to pass freely to the port opened, i.e. UPnP automatically creates a firewall rule within the router, assuming it is an all-in-one unit.[/quote]

[quote]So you configured the router to accept outside network communications for UPnP?[/quote]

NOOOO .... UPnP configures the router to allow the application that is asking to connect to an external server.
You do not configure UPnP, rather it is UPnP that does the configuring for you (or more correctly for the application or device).
This is the fundamental point of UPnP.
And no, I have not configured UPnP to accept outside connections, why on earth would I do that? I have no wish to allow my UPnP service to configure someone's BitTorrent application 5000 miles away!

I don't think you really understand the principles of UPnP and port forwarding that well. Or we are just having some major case of misunderstanding / misinterpretation, I don't know.

But either way this is not really getting anybody any closer to a resolution.

I will just do what I would normally do anyway, and that is to keep bashing at it until I find the answer.

Best regards

Damob
 

Damob, have you checked your router logs to see what IP address is associated with the UPnP port? I'm also assuming your other Windows 7 computer, which is configured the same as your HTPC, does not open any UPnP ports?
 

My Computer

Computer Manufacturer/Model Number
Dell XPS 15 L502x
OS
Windows 7 Ultimate x64 SP1
CPU
Core i7-2670QM
Memory
8GB DDR3 PC3-10600
Graphics Card(s)
Intel HD Graphics 3000 + GeForce GT 540M
Screen Resolution
1920x1080
Hard Drives
1TB 5400RPM Seagate
Hi kegobeer, (nice nick btw) :)

Unfortunately I have done a router reset this afternoon after faffing around with setting firewall rules.
But looking at it at the moment there is no IP associated with this port.

It is open but nothing is actually using it, which is odd behaviour! It sort of looks like a backdoor to me, although I have not come across this type of backdoor in my travels, but that's not to say they don't exist, and I have read about the vulnerabilities of UPnP on a few security bulletins.

'Tis late now over here in GB and I am too tired to look at it now, but will have another crack at it tomorrow. Woohoo, that'll be a fun thing to do on my birthday :eek: actually it's my birthday now!! I think I will have a JD :party:

Cheers for now

Damob


Oh and yes, your assumption is correct! My main PC is not opening any UPnP ports.
 
Happy Birthday, Damob9k!
 

Cheers dj99,

On my second helping of JD now, must stop as I have to get up at 7 ... ish

Ok really need to step away from the laptop now :D and get some sleep !

Cheers

Damo
 

[quote]Browsing the web does not open any UPnP ports, period! All ports relating to web browsing, be it non-secure HTTP or HTTPS and SSL, use port 80 and 443, and these ports are almost always open by default depending on the router in question.[/quote]

I'm talking about the low level systems that UPnP and other networking protocols work on top of. Ports and other such things are part of the TCP/IP standard.

[quote]????? How ? ....
If you open up your browser and type an HTTP address in, you will connect to the end point via port 80; if you type HTTPS you will connect via 443.
The only and quite common occurrence of port switching is if you go to a web page via HTTP, and that page requires you to use HTTPS/SSL, your browser will start to communicate on that port.[/quote]

When you establish a connection to a server, you connect to port 80. However, when the server sends back a reply, it does not use port 80 on the client. The client opens a random port, again in the 40000+ range. This port is what accepts the reply from the server. The client sends commands to port 80; the server sends commands to a random port defined by the client.

Obviously this port you are trying to close is important enough to keep open and/or is required for doing the task at hand. Why else would UPnP override the firewall if you blocked it?

If you want to waste your time goose chasing a dynamic/random port that can be used by any network service then go ahead. However, it is all rather pointless if that port is completely blocked by the router's firewall from remote access (a.k.a. the internet). Use Shields Up if you want to be sure.

Shields Up:
https://www.grc.com/x/ne.dll?bh0bkyd2
 

Look I am sorry logicearth,

But you are just wrong!
The low level system that you are referring to IS UDP & TCP/IP.

[quote]When you establish a connection to a server, you connect to port 80. However, when the server sends back a reply, it does not use port 80 on the client. The client opens a random port, again in the 40000+ range. This port is what accepts the reply from the server. The client sends commands to port 80; the server sends commands to a random port defined by the client.[/quote]

Again, you are incorrect. Web browsers are designed to work on specific ports; you can change these ports for SSL, HTTPS, FTP and SOCKS in the browser config, but only if the server you are connecting to is configured the same way.
Whichever port you set it to will be the listening port for http or https etc.
How could you configure a firewall to protect your network from attacks if the server you connect to is replying on a random port? You couldn't!

[quote]Obviously this port you are trying to close is important enough to keep open and/or is required for doing the task at hand.[/quote]

Operating systems themselves don't instigate opening of ports via UPnP, applications and devices do.
Therefore it is an application that is doing this, and as I have not installed any applications that use UPnP on this PC, and very few applications do automatically start using UPnP (you generally have to tell them to use it), there is something odd about this, hence my investigations.

[quote]Why else would UPnP override the firewall if you blocked it?[/quote]

As I have already said... this is the basic function of UPnP. It wouldn't be very effective if it didn't create a firewall rule, and not letting the UPnP software communicate with the outside world.

[quote]If you want to waste your time goose chasing a dynamic/random port that can be used by any network service then go ahead. However, it is all rather pointless if that port is completely blocked by the router's firewall from remote access (a.k.a. the internet). Use Shields Up if you want to be sure.[/quote]

The only thing that is wasting my time and is also pointless, is replying to these incorrect and argumentative comments.
I spend most of my working day dealing with people that think they know what they are talking about, and I am not prepared to spend my personal time doing this.
I will ask the mods to lock or delete this thread if this continues.

Damob
 

Damob, have you used TCPView to see your open ports?

TCPView for Windows

It may help shed light on this odd port. Also, is there a similar port opened on your other Windows 7 computer?
 

Hi Kegobeer,

Yep, have tried tcpview, current port, openport scanner and run a full HJT scan (all latest versions).

And nothing gives any associated IP!

New development and an overall solution:

Today it has started to open port 61958 UDP instead of the previous one!
I have run a full virus scan with NOD32, and it comes up with nothing.
And I have disabled the only startup apps (iMon and soundmanager) and temporarily disabled all non-essential services, and after that it still opens this port :mad:

So in the interest of my sanity, I have disabled UPnP and network discovery on this PC, which solves the problem but does not explain it. Which I find very annoying, but never mind!

Many thanks for your input my friends.

Damob

PS if I do suddenly have a brainwave and find what is doing this I will update the post so that others don't go through the same shenanigans.
 

Have you checked the Windows Event Log for messages such as:

UPnP Action: 'AddPortMapping' from IP=x.x.x.x (Success)

If so when are these messages logged?

Since this is a clean install of Windows have you tried disabling the SSDP Service?
If not try that and see if the issue persists.

I'm wondering if this is somehow related to Teredo...
 

My Computer

OS
Windows 7 Ultimate x64
CPU
2x AMD FX-74 @ 3GHz
Motherboard
ASUS L1N64-SLI WS
Memory
4GB
Graphics Card(s)
2x BFG 8800GTX OC
Sound Card
Creative X-Fi Fatal1ty
Monitor(s) Displays
HP L2045w
Hard Drives
2x Samsung Spinpoint
PSU
Enermax 1000W
Case
Armor Extreme ATX
Cooling
Air
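The question running through this thread is which LAN host and application asked the router for the mapping. As an added example (not from any poster in the thread), the code below parses the response an Internet Gateway Device returns for the standard WANIPConnection `GetGenericPortMappingEntry` action and reports the internal client, description and lease of each mapping. The sample responses, IP addresses, descriptions and the `KNOWN_HOSTS` inventory are constructed.

```python
"""Audit UPnP IGD port mappings. Added example; all sample data is constructed."""
import xml.etree.ElementTree as ET

# Constructed inventory of hosts the owner expects on the LAN (assumption).
KNOWN_HOSTS = {"192.168.1.10": "main PC", "192.168.1.20": "HTPC"}

# Shape of a WANIPConnection:1 GetGenericPortMappingEntry SOAP response.
TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse
     xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost>{remote}</NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{internal}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>{lease}</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""


def sample(remote, ext, proto, internal, client, desc, lease):
    """Build one constructed response body."""
    return TEMPLATE.format(remote=remote, ext=ext, proto=proto,
                           internal=internal, client=client,
                           desc=desc, lease=lease)


# Constructed router answers: one mapping per response.
SAMPLE_RESPONSES = [
    sample("", 54838, "UDP", 54838, "192.168.1.20", "", 0),
    sample("", 6881, "TCP", 6881, "192.168.1.10", "ExampleApp (constructed)", 3600),
    sample("", 61958, "UDP", 61958, "192.168.1.99", "ExampleApp (constructed)", 0),
]


def parse_mapping(soap_xml):
    """Return the New* arguments of one response as a typed dict."""
    args = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]          # drop any XML namespace
        if name.startswith("New"):
            args[name[3:]] = (el.text or "").strip()
    return {
        "remote_host": args["RemoteHost"],
        "external_port": int(args["ExternalPort"]),
        "protocol": args["Protocol"].upper(),
        "internal_port": int(args["InternalPort"]),
        "internal_client": args["InternalClient"],
        "enabled": args["Enabled"] == "1",
        "description": args["PortMappingDescription"],
        "lease_seconds": int(args["LeaseDuration"]),
    }


def findings(m, known_hosts=KNOWN_HOSTS):
    """List the properties of a mapping that deserve a second look."""
    out = []
    if m["internal_client"] not in known_hosts:
        out.append("unknown-client")       # requester is not in the inventory
    if not m["description"]:
        out.append("no-description")       # requester did not name itself
    if m["lease_seconds"] == 0:
        out.append("permanent-lease")      # no expiry: stays until deleted
    if m["remote_host"] == "":
        out.append("any-remote-host")      # wildcard: any internet source
    return out


def audit(responses, known_hosts=KNOWN_HOSTS):
    """Summarise every enabled mapping with its owner and findings."""
    rows = []
    for body in responses:
        m = parse_mapping(body)
        if not m["enabled"]:
            continue
        rows.append({
            "mapping": "%s/%d -> %s:%d" % (m["protocol"], m["external_port"],
                                           m["internal_client"], m["internal_port"]),
            "owner": known_hosts.get(m["internal_client"], "?"),
            "description": m["description"],
            "findings": findings(m, known_hosts),
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_RESPONSES):
        print(row["mapping"], "owner=" + row["owner"],
              "desc=%r" % row["description"], ",".join(row["findings"]))
```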
BTW I don't know anyone in their right mind that enables UPnP, it's such an easy technology to exploit from the internet if it's enabled on your router. Since UPnP doesn't support any authentication it almost makes it a breeze to change router configs from the internet without the need for any router logon credentials.
 

[quote]But you are just wrong!
The low level system that you are referring to IS UDP & TCP/IP.[/quote]
Why do I have to say UDP? UDP is just a subset of TCP without the overhead of handshaking.

[quote]Again, you are incorrect. Web browsers are designed to work on specific ports,[/quote]
Servers are designed to work on specific ports, not "web browsers" or other client end-points.

[quote]Whichever port you set it to will be the listening port for http or https etc.
How could you configure a firewall to protect your network from attacks if the server you connect to is replying on a random port? You couldn't![/quote]
When opening a connection, port A is open for outbound communication to the server. At the same time port B is open for inbound communications from the server and only the server. This is called a solicited connection and these are what make it through. (Btw, the inbound port will never be the same as the outbound port, at least not for registered services like HTTP. Opening port 80 for outbound will not open port 80 for inbound.) (Don't even get me started on using hardware firewalls and NAT devices.)

If you do not believe me about this then just open "netstat -an" in a command prompt; all versions of Windows have it. Or review the attachment I've uploaded.

If you have UPnP devices on your network, they are going to need an outbound port while they are in the process of talking with the UPnP server. And by the looks of it, this device uses a dynamic/random port for inbound traffic from the UPnP server (a.k.a. your computer).
 

Attachments

  • Untitled.jpg
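The client-port behaviour argued over in the posts above can be read straight from `netstat` output. As an added example that is not part of any post, the code below parses a constructed `netstat -ano` listing (the `-o` switch adds the owning PID), separates listeners from outbound connections that use a local port in the 49152 to 65535 range, and groups sockets by PID. All addresses, PIDs and any ports not named in the thread are constructed.

```python
"""Classify sockets from `netstat -ano` output. Added example; sample is constructed."""
from collections import defaultdict

DYNAMIC_PORTS = range(49152, 65536)   # range given in the thread for client ports

# Constructed listing in the Windows `netstat -ano` layout.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:2869      192.168.1.1:51734      ESTABLISHED     4
  TCP    192.168.1.20:49215     203.0.113.10:80        ESTABLISHED     3120
  TCP    192.168.1.20:49216     203.0.113.10:443       ESTABLISHED     3120
  UDP    0.0.0.0:1900           *:*                                    1412
  UDP    0.0.0.0:54838          *:*                                    1412
  UDP    [::]:1900              *:*                                    1412
"""


def parse_netstat(text):
    """Turn TCP/UDP lines into dicts; UDP lines carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                              # banner, header, blank
        proto, local, foreign = parts[:3]
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        fport = foreign.rsplit(":", 1)[1]         # rsplit copes with [::]:port
        rows.append({
            "proto": proto,
            "local_port": int(local.rsplit(":", 1)[1]),
            "remote": foreign,
            "remote_port": int(fport) if fport.isdigit() else None,
            "state": state,
            "pid": int(parts[-1]),
        })
    return rows


def classify(row, listening_ports):
    """Name the role a socket plays on this host."""
    if row["proto"] == "UDP":
        return "udp-bound"                # UDP has no connection state
    if row["state"] == "LISTENING":
        return "tcp-listener"             # waiting for inbound connections
    if row["local_port"] in listening_ports:
        return "tcp-accepted"             # a peer connected to our listener
    if row["local_port"] in DYNAMIC_PORTS:
        return "tcp-client-ephemeral"     # we connected out; replies return here
    return "tcp-other"


def summarise(text):
    """Parse the listing and tag every row with its role."""
    rows = parse_netstat(text)
    listening = {r["local_port"] for r in rows if r["state"] == "LISTENING"}
    for r in rows:
        r["kind"] = classify(r, listening)
    return rows


def sockets_by_pid(rows):
    """Map each PID to the sorted, de-duplicated sockets it holds."""
    by_pid = defaultdict(set)
    for r in rows:
        by_pid[r["pid"]].add("%s/%d" % (r["proto"], r["local_port"]))
    return {pid: sorted(socks) for pid, socks in by_pid.items()}


if __name__ == "__main__":
    parsed = summarise(SAMPLE)
    for r in parsed:
        print(r["proto"], r["local_port"], "->", r["remote"], r["kind"], r["pid"])
    for pid, socks in sorted(sockets_by_pid(parsed).items()):
        print("PID", pid, socks)
```

On a live system the PID can then be matched against `tasklist /svc` to name the process or service that holds the socket.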
@DC187

No, can't find any mention of UPnP port mappings in the event log; I tried searching for the string you mentioned and have searched manually.

With SSDP and UPnP device host services disabled it does not pop up on my router.
So at the moment this is how I have left it.

Yeah, I know what you're saying about UPnP being weak, but I do have good reasons to use it. And from everything that I have read up on it, it seems that the most common point of attack is via remote code execution through Java and other types of browser add-ins. Thankfully I have not used MS Internet Destroyer for over a decade at home; I use Opera with Java and script blocking, and don't tend to click on any old thing on the web :)

@logicearth

OK, let's just scratch all of this and start again, as I think we are just splitting hairs here and getting far too deep into the inner workings of transport protocols.
You believe that I am wrong and I feel that some of what you have said is incorrect or misleading; however, I do understand and agree with some of what you are saying.
But we could be going on ad infinitum and for no real purpose, so let's just shake hands and agree to disagree on some points :D

Although on your point on HTTP connections going out on port 80 but coming back on a random port designated by the client.
As far as I understood the system or subsystem, the client sends a request on port 80 and then listens on the same port. I know of but don't fully understand the principles of RPC over TCP, which I am aware uses higher range UDP port numbers for running other low level services.
I am not an expert on this so will leave it at that :confused:


I also do have to admit that as I have not done much reading up on the new 7 home groups and network discovery and SSDP, I was unaware of how much this is tied into UPnP.
So I was wrong by saying Windows OSes don't use UPnP for their own purposes, as now with Windows 7 this is the case. So hands up on that one!

As mentioned above I have now disabled SSDP and UPnP client discovery and that has stopped the offending item from making a connection, and all other functions of the OS are working correctly so it is definitely not an essential OS function.
And the 3 other programs that I have installed are all working correctly.

So basically whatever it was, it is not doing it now, so I am happy :)

Thank you all for all of your input.


Best Regards

Damob
 
