Unknown UPnP port


  1. Posts : 40
    Windows Vista Home Premium -> Windows 7 Home Premium
       #11

    Happy Birthday, Damob9k!


  2. Posts : 25
    Windows Seven 64bit build 7600
    Thread Starter
       #12

    Cheers dj99,

    On my second helping of JD now, must stop as I have to get up at 7 ... ish

    Ok really need to step away from the laptop now and get some sleep !

    Cheers

    Damo


  3. Posts : 5,642
    Windows 10 Pro (x64)
       #13

    Damob9k said:
    > Browsing the web does not open any UPnP ports period! All ports relating to web browsing, be it non-secure http or https and ssl, use port 80 and 443 and these ports are almost always open by default depending on the router in question.

    I'm talking about the low level systems that UPnP and other networking protocols work on top of. Ports and other such things are part of the TCP/IP standard.

    > ????? How ? ....
    > If you open up your browser and type an HTTP address in you will connect to the end point via port 80, if you type HTTPS you will connect via 443.
    > The only and quite common occurrence of port switching is if you go to a web page via http, and that page requires you to use https/ssl your browser will start to communicate on that port.

    When you establish a connection to a server, you connect to port 80. However, when the server sends back a reply, it does not use port 80 on the client. The client opens a random port again in the 40000+ range. This port is what accepts the reply from the server. The client sends commands to port 80, the server sends commands to a random port defined by the client.

    Obviously this port you are trying to close is important enough to keep open and/or is required for doing the task at hand. Why else would UPnP override the firewall if you blocked it?

    If you want to waste your time goose chasing a dynamic/random port that can be used by any network service then go ahead. However, it is all rather pointless if that port is completely blocked by the router's firewall from remote access (a.k.a. the internet). Use Shields Up if you want to be sure.

    Shields Up:
    https://www.grc.com/x/ne.dll?bh0bkyd2


  4. Posts : 25
    Windows Seven 64bit build 7600
    Thread Starter
       #14

    Look I am sorry logicearth,

    But you are just wrong !
    The low level system that you are referring to IS UDP & TCP/IP.

    > When you establish a connection to a server, you connect to port 80. However, when the server sends back a reply, it does not use port 80 on the client. The client opens a random port again in the 40000+ range. This port is what accepts the reply from the server. The client sends commands to port 80, the server sends commands to a random port defined by the client.

    Again, you are incorrect, Web browsers are designed to work on specific ports, you can change these ports for ssl, https, ftp and socks in the browser config, but only if the server you are connecting to is configured the same way.
    Whichever port you set it to will be the listening port for http or https etc.
    How could you configure a firewall to protect your network from attacks if the server you connect to is replying on a random port, you couldn't !

    > Obviously this port you are trying to close is important enough to keep open and/or is required for doing the task at hand.

    Operating systems themselves don't instigate opening of ports via UPnP, applications and devices do.
    Therefore it is an application that is doing this, and as I have not installed any applications that use UPnP on this pc and very few applications do automatically start using UPnP (you generally have to tell them to use it) there is something odd about this, hence my investigations.

    > Why else would UPnP override the firewall if you blocked it?

    As I have already said... this is the basic function of UPnP. It wouldn't be very effective if it didn't create a firewall rule, and not letting the UPnP software communicate with the outside world.

    > If you want to waste your time goose chasing a dynamic/random port that can be used by any network service then go ahead. However, it is all rather pointless if that port is completely blocked by the router's firewall from remote access (a.k.a. the internet). Use Shields Up if you want to be sure.

    The only thing that is wasting my time and is also pointless, is replying to these incorrect and argumentative comments.
    I spend most of my working day dealing with people that think they know what they are talking about, and I am not prepared to spend my personal time doing this.
    I will ask the mods to lock or delete this thread if this continues.

    Damob


  5. Posts : 2,913
    Windows 7 Ultimate x64 SP1
       #15

    Damob, have you used TCPView to see your open ports?

    TCPView for Windows

    It may help shed light on this odd port. Also, is there a similar port opened on your other Windows 7 computer?


  6. Posts : 25
    Windows Seven 64bit build 7600
    Thread Starter
       #16

    Hi Kegobeer,

    Yep, have tried TCPView, current port, openport scanner and run a full HJT scan (all latest versions)

    And nothing gives any associated ip !

    New development and an overall solution:

    Today it has started to open port 61958 UDP instead of the previous one !
    I have run a full virus scan with nod32, and it comes up with nothing.
    And have disabled the only startup apps (iMon and soundmanager) and temporarily disabled all non-essential services, and after that it still opens this port

    So in the interest of my sanity, I have disabled UPnP and network discovery on this PC, which solves the problem but does not explain it. Which I find very annoying, but never mind !

    Many thanks for your input my friends.

    Damob

    PS if I do suddenly have a brainwave and find what is doing this I will update the post so that others don't go through the same shenanigans.


  7. Posts : 79
    Windows 7 Ultimate x64
       #17

    Have you checked the Windows Event Log for messages such as:

    UPnP Action: 'AddPortMapping' from IP=x.x.x.x (Success)

    If so when are these messages logged?

    Since this is a clean install of Windows have you tried disabling the SSDP Service?
    If not try that and see if the issue persists.

    I'm wondering if this is somehow related to Teredo...


  8. Posts : 79
    Windows 7 Ultimate x64
       #18

    BTW I don't know anyone in their right mind that enables UPnP, it's such an easy technology to exploit from the internet if it's enabled on your router. Since UPnP doesn't support any authentication it almost makes it a breeze to change router configs from the internet without the need for any router logon credentials.
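An added example, not part of any post in this thread: the router's UPnP mapping table names the LAN host that requested each mapping, which is the missing piece when a port such as the UDP 61958 one discussed here appears with no obvious owner. The Python below parses one `GetGenericPortMappingEntry` reply from a WANIPConnection:1 service; the sample reply, its LAN address and description, and the function names `parse_mapping` and `findings` are constructed for this example.

```python
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
# Constructed reply to GetGenericPortMappingEntry; address and description are invented.
SAMPLE_REPLY = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>61958</NewExternalPort>
   <NewProtocol>UDP</NewProtocol>
   <NewInternalPort>61958</NewInternalPort>
   <NewInternalClient>192.168.1.23</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>constructed-example-app</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body></s:Envelope>"""

def parse_mapping(xml_text):
    """Return one mapping as a dict, or None for a SOAP fault (index past the table end)."""
    body = ET.fromstring(xml_text).find(SOAP + "Body")
    if body is None or len(body) == 0:
        raise ValueError("not a SOAP reply")
    reply = body[0]
    if reply.tag == SOAP + "Fault":
        return None
    args = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip() for el in reply}
    return {
        "proto": args["NewProtocol"].upper(),
        "external_port": int(args["NewExternalPort"]),
        "internal_client": args["NewInternalClient"],
        "internal_port": int(args["NewInternalPort"]),
        "description": args.get("NewPortMappingDescription", ""),
        "enabled": args.get("NewEnabled") == "1",
        "any_remote_host": args.get("NewRemoteHost", "") == "",
        "permanent": args.get("NewLeaseDuration", "0") == "0",
    }

def findings(mapping, expected):
    """expected: set of (proto, external_port) pairs the owner knowingly allows."""
    notes = []
    if (mapping["proto"], mapping["external_port"]) not in expected:
        notes.append("unexpected mapping requested by " + mapping["internal_client"])
    if mapping["enabled"] and mapping["any_remote_host"]:
        notes.append("reachable from any internet host")
    if mapping["permanent"]:
        notes.append("no lease expiry; stays until deleted")
    return notes
```

Against a real router, each reply comes from calling the action with `NewPortMappingIndex` 0, 1, 2 and so on until the router answers with a fault.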


  9. Posts : 5,642
    Windows 10 Pro (x64)
       #19

    Damob9k said:
    > But you are just wrong !
    > The low level system that you are referring to IS UDP & TCP/IP.

    Why do I have to say UDP? UDP is just a subset of TCP without the overhead of handshaking.

    > Again, you are incorrect, Web browsers are designed to work on specific ports,

    Servers are designed to work on specific ports, not "web browsers" or other client end-points.

    > Whichever port you set it to will be the listening port for http or https etc.
    > How could you configure a firewall to protect your network from attacks if the server you connect to is replying on a random port, you couldn't !

    When opening a connection, port A is open for outbound communication to the server. At the same time port B is open for inbound communications from the server and only the server. This is called a solicited connection and these are what make it through. (Btw, the inbound port will never be the same as the outbound port, at least not for registered services like HTTP. Opening port 80 for outbound will not open port 80 for inbound.) (Don't even get me started on using hardware firewalls and NAT devices.)

    If you do not believe me about this then just open "netstat -an" in a command prompt, all versions of Windows have it. Or review the attachment I've uploaded.

    If you have UPnP devices on your network, they are going to need an outbound port while they are in the process of talking with the UPnP server. And by the looks of it, this device uses a dynamic/random port for inbound traffic from the UPnP server (a.k.a. your computer).
    Attached Thumbnails: Unknown UPnP port-untitled.jpg
    Last edited by logicearth; 09 Dec 2009 at 14:01.
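The exchange argued over in posts #13 to #19, as an added example that is not part of any post: this Python opens one TCP connection on loopback and records which port each side uses, then checks whether a third party can connect to the client's port. The function name `trace_connection` is made up for this example, and the server listens on an OS-chosen port instead of 80 because binding port 80 needs elevated privileges.

```python
import socket
import threading

def trace_connection():
    """Open one TCP connection on loopback and report the ports each side sees."""
    # Stand-in for the web server. A real one listens on 80; the OS picks a
    # free port here instead (assumption of this example).
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    server_port = srv.getsockname()[1]
    seen = {}

    def serve():
        conn, peer = srv.accept()
        seen["reply_sent_to"] = peer[1]              # client's source port
        seen["reply_sent_from"] = conn.getsockname()[1]
        conn.recv(1024)
        conn.sendall(b"reply")                       # same connection, other direction
        conn.close()

    worker = threading.Thread(target=serve)
    worker.start()
    cli = socket.create_connection(("127.0.0.1", server_port))
    client_port = cli.getsockname()[1]               # picked by the client's OS
    cli.sendall(b"request")
    reply = cli.recv(1024)
    worker.join()

    # A third party probing the client's port: nothing listens there, the port
    # only identifies the one established connection, so the probe is refused.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    probe.settimeout(2)
    try:
        probe.connect(("127.0.0.1", client_port))
        unsolicited = "accepted"
    except ConnectionRefusedError:
        unsolicited = "refused"
    finally:
        probe.close()
        cli.close()
        srv.close()
    return {"server_port": server_port, "client_port": client_port,
            "reply": reply, "unsolicited": unsolicited, **seen}

if __name__ == "__main__":
    print(trace_connection())
```

A UPnP port mapping differs from this in that it asks the router to forward unsolicited inbound traffic to a LAN host, which is why it shows up as an open port on the router.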


  10. Posts : 25
    Windows Seven 64bit build 7600
    Thread Starter
       #20

    @DC187

    No, can't find any mention of UPnP Port mappings in the event log, I tried searching for the string you mentioned and have searched manually.

    With SSDP and UPnP device host services disabled it does not pop up on my router.
    So at the moment this is how I have left it.

    Yeah I know what you're saying about UPnP being weak, but I do have good reasons to use it. And from everything that I have read up on it, it seems that the most common point of attack is via remote code execution through java and other types of browser add-ins. Thankfully I have not used MS Internet Destroyer for over a decade at home, I use Opera with java, and script blocking and don't tend to click on any old thing on the web :)

    @logicearth

    Ok, let's just scratch all of this and start again. As I think we are just splitting hairs here and getting far too deep into the inner workings of transport protocols.
    You believe that I am wrong and I feel that some of what you have said is incorrect or misleading, however I do understand and agree with some of what you are saying.
    But we could be going on ad infinitum and for no real purpose, so let's just shake hands and agree to disagree on some points

    Although on your point on http connections going out on port 80 but coming back on a random port designated by the client.
    As far as I understood the system or subsystem, the client sends a request on port 80 and then listens on the same port, I know of but don't fully understand the principles of RPC over TCP which I am aware uses higher range UDP port numbers for running other low level services.
    I am not an expert on this so will leave it at that


    I also do have to admit that as I have not done much reading up on the new 7 home groups and network discovery and SSDP, I was unaware of how much this is tied into UPnP.
    So I was wrong by saying Windows OS's don't use UPnP for its own purposes, as now with Windows 7 this is the case. So hands up on that one !

    As mentioned above I have now disabled SSDP and UPnP client discovery and that has stopped the offending item from making a connection, and all other functions of the OS are working correctly so it is definitely not an essential OS function.
    And the 3 other programs that I have installed are all working correctly.

    So basically whatever it was it is not doing it now so I am happy :)

    Thank you all, for all of your input.


    Best Regards

    Damob


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
