what has opened a port on my router?

[ags]

I discovered the "Advanced Settings > System Log > Port Forwarding" page on my RT-N66U. I can see two opened ports that I have not explicitly created/authorized. I have FTP, Telnet, Samba all disabled. I have no USB drive connected to the router.

TCP 8443 (forwarded to the router itself)
UDP 50522 (forwarded to a Windows 7 PC on my LAN)

I found that TCP/8443 is:

SW Soft Plesk Control Panel, Apache Tomcat SSL, Promise WebPAM SSL, McAfee ePolicy Orchestrator (ePO)

but I don't recognize those services - why does the router need this?

More importantly, why has a dynamic port UDP/50522 been opened on a LAN PC? Is this something that UPnP enables?

I understand port forwarding and have manually forwarded the ports necessary to access what I need on my LAN from the WAN. I'd like to know if UPnP opened this port, why, and also what would happen if I disabled UPnP on my router? Is there anything I couldn't support by manually forwarding ports?

 

[RMerlin]

8443 is used by the router if you enable HTTPS access to the web interface.

The other look like a Torrent port forwarded through UPNP - you will have to see what's running on the client PC.

 

[ags]

Can you point me towards how I figure out what has opened the port using UPnP? I've never used any Torrent (on purpose) and there are no processes running that explain this. I presume it's some system service - and there are many that I'd need to examine. I am concerned that this is malware of some type.

If I disable UPnP on the router, what functionality will I loose (that I can't enable manually using port forwarding)? Thanks.

 

[ags]

8443 is used by the router if you enable HTTPS access to the web interface.

I don't have HTTPS enabled (Under "Administration>System>Miscellaneous>Authentication Method" I've selected HTTP, not HTTPS or BOTH). It looks like it's been opened anyway. Is this anything to be concerned about? (any additional vulnerability here?)

 

[RMerlin]

Can you point me towards how I figure out what has opened the port using UPnP? I've never used any Torrent (on purpose) and there are no processes running that explain this. I presume it's some system service - and there are many that I'd need to examine. I am concerned that this is malware of some type.

The fact that it's a UDP port makes it unlikely to be a malware, and more likely to be either a file sharing or media streaming application.

Go to the target computer, open a command prompt with elevated privileges, and run the following command:

netstat -bna

It will tell you which program is using which port on that computer. Look for what is listening to the port you had listed on the router.

If I disable UPnP on the router, what functionality will I loose (that I can't enable manually using port forwarding)? Thanks.

UPnP might be especially useful if you have, for instance, multiple gaming console, and you want to ensure that the appropriate ports get forwarded specifically to the console being used. Disabling it might also interfere with DLNA-based media streaming.

Go ahead and disable it for now if you prefer. You can always turn it back on later if you notice any issue.

 

[RMerlin]

I don't have HTTPS enabled (Under "Administration>System>Miscellaneous>Authentication Method" I've selected HTTP, not HTTPS or BOTH). It looks like it's been opened anyway. Is this anything to be concerned about? (any additional vulnerability here?)

It's not ideal, but as long nothing listens on that port on the router, it should be fine.