Server 2003 - Upnp problem.

Hello all,

I have server 2003 setup on a box at home with apache, ssh, and other various things running.

Lately I’ve noticed that I can not access the web server from the net.

I’ve looked at the logs in the router (Linksys WAG354G) and found under the 'upnp' bit that something from the server is mapping ext port:42193 to the internal port:80 directed at the web server.

Then 15 seconds later the mapping is deleted. This then leaves the original ext port:80 to int port:80 unmapped and no longer accessible from the outside world :confused:

The router log says the request came from the server's IP. I have no idea what software is asking for this port and it seems a tad suspicious.

Currently I’ve had to disable upnp on the router, which is causing msn and outlook on other computers to lose connectivity.

Any ideas how to stop this getting mapped?

Regards Laser402
 
Care to tell me how?

That's kind of the problem, all it has is apache, ssh, nod32, webui on it.

Can't find anything in the logs on the server and have turned off upnp on all the apps I know.
 
Not to scaremonger but that IS potential adware/zombie behaviour (just long enough for a keylogger to send its update kinda thing).
Install a firewall that gives a popup asking if connections are ok (e.g. ZoneAlarm, tho I think finding the free one is now a bit of a pain in the ass). When whatever it is tries to connect, ZoneAlarm will pop up and tell you that something is trying to act as a server; if you don't recognise it, take your cue to start being a little paranoid.
As a precaution you might want to change password on wow and internet banking just to be on the safe side (obviously do it from another machine).
 
Yes it is suspicious.

Have turned upnp off on the router now so it can’t access it. But is an issue for a few other computers with ports etc.

Had Nod32 do full scans 3 times with every filter on and 100% clean.

Does ZoneAlarm run as a service? Just as it’s a server it isn’t usually logged on.

Many thanks

Laser402
 
Changed Apache's listening port and still gets unmapped.

It seems to be following whatever port apache is on.

Apache is using php 5. Could be someone hacking? (wasted effort nothing of any value except to me)
 
I also have the same port mapped, but to a different internal port (8089). Also 14s and it is removed. Same router, same OS. Although it doesn't follow Apache when port is changed.
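
One way to triage the router-side evidence described in this thread, as an added example that is not part of any post: it pairs UPnP add and delete events and reports mappings removed within a minute, noting whether they point at an internal port that also has a static forward. The log format, IP addresses and timestamps are constructed for illustration; the WAG354G's real log layout is not shown in the thread and needs its own pattern.

```python
import re
from datetime import datetime

# Constructed sample lines in an ASSUMED log format; real router UPnP logs differ.
SAMPLE_LOG = """\
2000-01-01 21:10:02 UPnP AddPortMapping ext=42193 int=80 client=192.168.1.10 proto=TCP
2000-01-01 21:10:17 UPnP DeletePortMapping ext=42193 proto=TCP
2000-01-01 21:12:40 UPnP AddPortMapping ext=6891 int=6891 client=192.168.1.23 proto=TCP
2000-01-01 21:14:05 UPnP AddPortMapping ext=42193 int=8089 client=192.168.1.11 proto=TCP
2000-01-01 21:14:19 UPnP DeletePortMapping ext=42193 proto=TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) UPnP (?P<op>Add|Delete)PortMapping "
    r"ext=(?P<ext>\d+)(?: int=(?P<int>\d+) client=(?P<client>\S+))? proto=(?P<proto>\w+)$"
)

def find_short_lived(log_text, static_forwards=frozenset({80}), max_lifetime=60):
    """Pair Add/Delete events; return mappings removed within max_lifetime seconds."""
    open_maps = {}  # (external port, protocol) -> (add time, internal port, client)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a UPnP mapping event in the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (int(m["ext"]), m["proto"])
        if m["op"] == "Add":
            if m["int"]:
                open_maps[key] = (ts, int(m["int"]), m["client"])
            continue
        if key not in open_maps:
            continue  # delete without a logged add; nothing to pair
        added, int_port, client = open_maps.pop(key)
        lifetime = int((ts - added).total_seconds())
        if lifetime <= max_lifetime:
            findings.append({
                "client": client, "ext": key[0], "int": int_port,
                "lifetime_s": lifetime,
                # True when the mapping targets a port that is also statically forwarded
                "hits_static_forward": int_port in static_forwards,
            })
    return findings

if __name__ == "__main__":
    for finding in find_short_lived(SAMPLE_LOG):
        print(finding)
```

The `client` field in each finding is the LAN host to inspect next for the process issuing the requests.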
 