Router settings, upnp enabled by mistake


  1. Posts : 91
    Windows 10
       #1


    Hello,

    I'm using a Netgear router which is configured to email logs to me once a day. We have been away from this residence with internet and router off for a few months. When we returned, I was having trouble with internet access, and at one point it looked like the router might be the issue. I had tried restoring settings from a previous backup as part of troubleshooting, and I failed to take a close look at those settings. Internet access was restored after some efforts from myself and the ISP. I have one Windows 10 laptop, 3 Apple devices, and a printer, all wireless. I have difficult passwords for router admin access and wireless network access. Guest network is off. I have never used port triggering or port forwarding, have never been involved in torrents. Remote access to the router has never been on.

    For the past few days since we have been back at this residence and using this internet connection, I saw items in the router logs that I hadn't seen before and I now wish I had paid more attention. These are:

    [LAN access from remote] from....and then IP addresses and ports to the Windows 10 laptop. Some of the IP addresses are Microsoft. There are others, however, that are not, and these concern me. There is one from Taiwan, a couple from addresses in the U.S. (I am in the U.S.), and one from Greece. I've checked on the IP addresses in yesterday's log, and they are Spamhaus blacklisted. These connections were to port 57294.

    I did some research into this and I have since disabled UPnP in the router settings. These LAN access from remote entries stopped once I did that. A check with speedguide.net which I did just now (with UPnP on the router now disabled) shows that port is now filtered. I don't know if it was before I disabled UPnP.

    I use Windows Defender and the Windows firewall. I have Hitman Pro Alert always on. I have scanned the laptop with Malwarebytes and Hitman Pro. Hitman Pro always shows an Ask.com entry for the Chrome browser, but it's just an empty web data file. There's no toolbar involved. No malware has been found. I included the rootkit scan in the Malwarebytes scan.

    This laptop is used for banking and I have logged into bank accounts in the past week.

    Do I need to be concerned about malware or security compromise?


  2. Posts : 8,057
    windows 10
       #2

    UPnP lets local software or a device fully open ports, like an Xbox, so something local was opening the ports. Once opened, access can then be from a remote system to the PC.


  3. Posts : 91
    Windows 10
    Thread Starter
       #3

    Samuria said:
    UPnP lets local software or a device fully open ports, like an Xbox, so something local was opening the ports. Once opened, access can then be from a remote system to the PC.
    I don't have any sort of gaming console. All the "LAN access from remote" was related solely to the Windows 10 laptop. I don't know what on this laptop was opening those ports, I can't find anything that points to malware doing it. I am seeing these entries as well:

    [UPnP set event: add_nat_rule] and [UPnP set event: del_nat_rule] as well. I found some old emails from a couple of years ago with these sorts of entries and I probably disabled UPnP after that. I didn't have this particular laptop back then, it would have been an older laptop running Windows 8. There were no LAN access entries in those logs from back then, just the UPnP events.

    I just wonder what was occurring when those connections I mentioned in my post were being made and if I need to be concerned about anything. I'm glad I closed the hole, just wish I had been paying closer attention and could have done it sooner.


  4. Posts : 822
    Microsoft Windows 10 Pro 64-bit
       #4

    Relax, there are tens, hundreds of thousands of script kiddies out there that try to scan vulnerable IPs for open ports that they can use to run some type of exploit that will benefit them.

    I have not checked my router logs for quite a while, but when I did I used to strip all the IPs and use an automated script to WhoIs to find out what country they were from, and never once did I suspect that they somehow managed to break into my home network.

    When I did check my router logs I posted them on pastebin.

    Here is the last time I checked. To see the whois info you will have to scroll down to line 206.
    http://pastebin.com/K9EiVwGN

    And also if you end up getting hell bent on blocking countries here is a good place to start
    Taiwan; http://www.ipdeny.com/ipblocks/data/...ggregated.zone

    All countries;
    http://www.ipdeny.com/ipblocks/
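
One way to triage the log entries discussed in this thread, as an added example that is not part of any post: it groups `[LAN access from remote]` entries by LAN host and port, collects the distinct remote addresses for lookup, and flags whether the same LAN host also produced a `[UPnP set event: add_nat_rule]` entry. The exact log line layout, the function name `triage`, and every address in the sample are constructed assumptions; only the entry labels and port 57294 come from the posts.

```python
import re
from collections import defaultdict

# Constructed sample; the line layout is an assumed Netgear-style format and
# the addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
[UPnP set event: add_nat_rule] from source 192.168.1.5, Saturday, Mar 05,2016 09:58:01
[LAN access from remote] from 203.0.113.7:51515 to 192.168.1.5:57294, Saturday, Mar 05,2016 10:02:44
[LAN access from remote] from 198.51.100.23:40112 to 192.168.1.5:57294, Saturday, Mar 05,2016 10:03:10
[DHCP IP: (192.168.1.9)] to MAC address 00:00:5E:00:53:01, Saturday, Mar 05,2016 10:05:00
[LAN access from remote] from 203.0.113.7:51620 to 192.168.1.5:57294, Saturday, Mar 05,2016 10:07:31
[UPnP set event: del_nat_rule] from source 192.168.1.5, Saturday, Mar 05,2016 11:15:12
"""

UPNP_RE = re.compile(r"^\[UPnP set event: (add|del)_nat_rule\] from source (\S+?),")
ACCESS_RE = re.compile(
    r"^\[LAN access from remote\] from (\S+):(\d+) to (\S+):(\d+),")


def triage(log_text):
    """Group inbound connections by LAN host/port and note UPnP activity."""
    upnp = defaultdict(lambda: {"add": 0, "del": 0})
    # (lan_ip, lan_port) -> remote_ip -> number of log entries
    inbound = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if m := UPNP_RE.match(line):
            upnp[m.group(2)][m.group(1)] += 1
        elif m := ACCESS_RE.match(line):
            remote_ip, _remote_port, lan_ip, lan_port = m.groups()
            inbound[(lan_ip, int(lan_port))][remote_ip] += 1
    report = []
    for (lan_ip, port), remotes in sorted(inbound.items()):
        report.append({
            "lan_host": lan_ip,
            "port": port,
            "remote_ips": sorted(remotes),  # candidates for whois/blocklist checks
            "hits": sum(remotes.values()),
            # True when this LAN host itself asked the router for a mapping
            "host_requested_upnp": upnp[lan_ip]["add"] > 0,
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A row with `host_requested_upnp` set points at software on that LAN host as the source of the port mapping, which is where to look next (listening processes on that port) rather than at the router.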


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
