View Full Version : Port - 57596 - What is it?



imish
19-08-16, 10:09
Hi All

Quick question - looking at my router logs I see a lot of incoming UDP connections to my connection's public IP to port 57596.

Anyone know what that port is used for and whether it's anything to be concerned about?

Trial
19-08-16, 10:16
Hi,
it is a free port number, so no official service is bound to that port. If you do not have a port forward for this port it cannot do any harm.

Possible causes: script kiddies scanning IPs to look for ports of malware. If you get a new IP each day, like I do, perhaps the last owner of this IP did something with this port.

ciao

imish
19-08-16, 10:21
Definitely no port forward to it set by me.

I see incoming connections from multiple IP addresses every hour - which is what raised the alarm.

Ashley69
19-08-16, 10:42
Try doing a port scan yourself to make sure it's not open.

adm
19-08-16, 15:30
Try doing a port scan yourself to make sure it's not open.

For info: Shields Up will scan for open ports. Select on the second page 'All service ports' to scan ports in the range 0 to 1055.


https://www.grc.com/shieldsup


For port 57596 you have to select 'look-up specific port information' option in the second page and then type in the port number for scanning.

imish
20-08-16, 09:56
Doing the scans the port shows up as closed (or should I say stealth) - however the router logs say otherwise.

Trial
20-08-16, 10:02
Hi,
your logs say that someone tries to connect. Why shouldn't anybody try to connect to a closed port? As I said, your router is connected to the open internet and there is always someone who is trying to knock on the doors of some router to see if there is an entry point.

ciao

Ashley69
20-08-16, 10:18
I agree with Trial. The router is logging the attempts but the port is closed. I used to see this all the time.

imish
20-08-16, 10:21
I agree with Trial. The router is logging the attempts but the port is closed. I used to see this all the time.

What triggered my attention was that the router logs show that the connection is being ALLOWED.

"Aug 20 09:35:17 2016 ALLOW UDP 175.16.202.229:11101 -> X.X.X.X:57596 on eth1"

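Added example, not part of the original posts: a shell/awk summary of router log lines in the format quoted above, counting hits and distinct source addresses per allowed destination port. The sample lines are constructed (documentation address ranges), and the DENY action name is an assumption, since the thread only shows ALLOW.

```shell
#!/bin/sh
# Added example: summarise what the router ALLOWED inbound, per destination port.
# Line format as quoted in the thread:
#   Aug 20 09:35:17 2016 ALLOW UDP 175.16.202.229:11101 -> X.X.X.X:57596 on eth1

# Constructed sample log (documentation address ranges; DENY is an assumed action name).
SAMPLE_LOG='Aug 20 09:35:17 2016 ALLOW UDP 192.0.2.10:11101 -> 203.0.113.5:57596 on eth1
Aug 20 09:36:02 2016 ALLOW UDP 198.51.100.7:40211 -> 203.0.113.5:57596 on eth1
Aug 20 09:36:40 2016 DENY TCP 198.51.100.9:51512 -> 203.0.113.5:23 on eth1
Aug 20 09:41:55 2016 ALLOW UDP 192.0.2.10:11101 -> 203.0.113.5:57596 on eth1
Aug 20 09:43:20 2016 ALLOW TCP 198.51.100.20:50022 -> 203.0.113.5:443 on eth1
Aug 20 09:44:13 2016 ALLOW UDP 192.0.2.77:6881 -> 203.0.113.5:57596 on eth1'

# Reads log lines on stdin; prints "PROTO/PORT sources=N hits=M" per allowed port.
summarize_allowed() {
    awk '
    $5 == "ALLOW" && $8 == "->" {
        split($7, s, ":"); src = s[1]              # source IP without its port
        n = split($9, d, ":"); key = $6 "/" d[n]   # e.g. UDP/57596
        hits[key]++
        # Count each source address once per port.
        if (!((key, src) in seen)) { seen[key, src] = 1; srcs[key]++ }
    }
    END { for (k in hits) printf "%s sources=%d hits=%d\n", k, srcs[k], hits[k] }
    ' | sort
}

printf '%s\n' "$SAMPLE_LOG" | summarize_allowed
```

A port that is allowed from many unrelated sources is the one to trace back to a port forward or UPnP mapping on the router.
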
Ashley69
20-08-16, 10:32
I can only think it's something on your internal network that's using this port. What have you got connected on your internal network?

bellejt
20-08-16, 11:03
Probably some game that you play is using this port. See that also on my router when son is playing games like Game of Thrones. These ports open only during game sessions.

imish
20-08-16, 12:53
I can only think it's something on your internal network that's using this port. What have you got connected on your internal network?

Was thinking the same - process of elimination begins :)


imish
25-08-16, 06:31
Having forced a Public IP change I am no longer seeing those incoming connections. Must be something related to the previous user of that IP.

Ashley69
25-08-16, 07:54
Glad you have got it sorted. Shame we didn't find the culprit.

birdman
25-08-16, 13:28
Probably some game that you play is using this port. See that also on my router when son is playing games like Game of Thrones. These ports open only during game sessions.

Which would be using UPnP.
Basically it allows any internal client to tell the router to allow an external port (usually UDP for games) so that you can interact with multiple external clients. There may be an option somewhere on your router/modem to allow/disallow it (but if you disallow it presumably network games won't work...)

bellejt
25-08-16, 15:56
Checked again in my router and so it is. UPnP ports open for mobile phone, TV interactive and gaming. Only open for external during session so no worries. I can also block these ports for connection but usually they are no threat.

aido
25-08-16, 19:51
If you ever see connections you don't recognise you can telnet to your STB and run the command 'netstat -anp', which will give details of the current connections and the process they're associated with under the active internet connections section - for example:


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address            State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*                  LISTEN      440/dropbear
tcp        0      0 0.0.0.0:3001            0.0.0.0:*                  LISTEN      560/oscam-latest
tcp        0      0 192.168.0.240:39780     91.121.28.44:48729         ESTABLISHED 560/oscam-latest
tcp        0      0 192.168.0.240:54794     37.242.51.221:45509        ESTABLISHED 560/oscam-latest
tcp        0      0 192.168.0.240:50461     37.182.93.124:13009        ESTABLISHED 560/oscam-latest
tcp        0      0 :::8001                 :::*                       LISTEN      501/enigma2
tcp        0      0 :::80                   :::*                       LISTEN      501/enigma2
tcp        0      0 :::21                   :::*                       LISTEN      476/vsftpd
tcp        0      0 :::22                   :::*                       LISTEN      440/dropbear
tcp        0      0 :::23                   :::*                       LISTEN      472/telnetd
tcp        0    643 ::ffff:192.168.0.240:23 ::ffff:192.168.0.235:51176 ESTABLISHED 472/telnetd
udp        0      0 0.0.0.0:38619           0.0.0.0:*                              484/avahi-daemon: r
udp        0      0 0.0.0.0:5353            0.0.0.0:*                              484/avahi-daemon: r
udp        0      0 0.0.0.0:5355            0.0.0.0:*                              484/avahi-daemon: r
udp        0      0 :::59050                :::*                                   484/avahi-daemon: r
udp        0      0 :::5353                 :::*                                   484/avahi-daemon: r
udp        0      0 :::5355                 :::*                                   484/avahi-daemon: r
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags   Type   State     I-Node PID/Program name    Path
unix  2      [ ACC ] STREAM LISTENING 522    484/avahi-daemon: r /var/run/avahi-daemon/socket
unix  2      [ ACC ] STREAM LISTENING 1608   436/dbus-daemon     /var/run/dbus/system_bus_socket
unix  2      [ ACC ] STREAM LISTENING 849    560/oscam-latest    /tmp/camd.socket
unix  6      [ ]     DGRAM            1643   466/syslogd         /dev/log
unix  2      [ ACC ] STREAM LISTENING 640    501/enigma2         /tmp/.listen.ciplus.socket
unix  2      [ ACC ] STREAM LISTENING 642    501/enigma2         /tmp/.listen.camd.socket
unix  2      [ ACC ] STREAM LISTENING 668    501/enigma2         /tmp/hotplug.socket
unix  3      [ ]     STREAM CONNECTED 1000   501/enigma2
unix  3      [ ]     STREAM CONNECTED 524    484/avahi-daemon: r
unix  3      [ ]     STREAM CONNECTED 519    485/avahi-daemon: c
unix  2      [ ]     DGRAM            515    484/avahi-daemon: r
unix  3      [ ]     STREAM CONNECTED 835    560/oscam-latest
unix  3      [ ]     STREAM CONNECTED 361    436/dbus-daemon
unix  3      [ ]     STREAM CONNECTED 1001   560/oscam-latest    /tmp/camd.socket
unix  3      [ ]     STREAM CONNECTED 525    436/dbus-daemon     /var/run/dbus/system_bus_socket
unix  3      [ ]     STREAM CONNECTED 518    484/avahi-daemon: r
unix  2      [ ]     DGRAM            682    450/automount
unix  2      [ ]     DGRAM            1007   6440/login
unix  3      [ ]     STREAM CONNECTED 836    560/oscam-latest
unix  3      [ ]     STREAM CONNECTED 360    436/dbus-daemon
unix  2      [ ]     DGRAM            487    469/klogd
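
Added example, not part of the original post: a shell/awk filter that picks the owning process for one local port out of output in the format shown above, coping with UDP rows (no State column) and program names that contain a space. The sample input is constructed, and the process `612/example-client` holding port 57596 is hypothetical.

```shell
#!/bin/sh
# Added example: find which process owns a local port in `netstat -anp` output.
# On the device itself the input would come from:  netstat -anp | port_owner 57596

# Constructed sample in the same format as the listing in the thread;
# "612/example-client" is a hypothetical process name.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 440/dropbear
tcp 0 0 :::80 :::* LISTEN 501/enigma2
udp 0 0 0.0.0.0:5353 0.0.0.0:* 484/avahi-daemon: r
udp 0 0 0.0.0.0:57596 0.0.0.0:* 612/example-client'

# Usage: port_owner PORT  (netstat output on stdin)
# Prints: proto local-address state pid/program   ("-" when the state is empty)
port_owner() {
    awk -v port="$1" '
    $1 ~ /^(tcp|udp)/ {
        n = split($4, a, ":")            # the port is the last ":" field, IPv4 or IPv6
        if (a[n] != port) next
        # UDP rows usually have an empty State column, so PID/Program moves to field 6.
        if ($6 ~ /^([0-9]+\/|-$)/) { state = "-"; first = 6 }
        else                       { state = $6;  first = 7 }
        # Program names can contain spaces ("avahi-daemon: r"); rejoin the remainder.
        prog = $first
        for (i = first + 1; i <= NF; i++) prog = prog " " $i
        printf "%s %s %s %s\n", $1, $4, state, prog
    }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | port_owner 57596
```
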