Tuesday 9th February 2016Login | Register
Pages: [1]

UPnP action 'AddPortMapping' from ip= (Success) and....

« on 27/07/2010, 08:13 »
I have Windows7 Home Premium, Thomson 585v7 router. I am sole user and administrator, My computer is connected by Ethernet without network. I use Routerstats.

Lately I have noticed that the routers log has extremly frequent examples of
UPnP action 'AddPortMapping' from ip= (Success) .
These are accompanied by LOGIN User tried to login on [HTTP] (from

My screen is full within the hour with the entries.

Can anyone tell me if this is usual and what the entries are for? Can the frequency of the entriesbe reduced or stopped? What risks would that raise?
  • Peter Vaughan
  • Usergroup Member
  • *
  • Posts: 14466
  • Unofficial legendary bright spark bod!
  • View Profile
« Reply #1 on 27/07/2010, 08:29 »
What is your systems IP address?

Do you have the wireless enabled on the router - if so, turn it off if you don't use it.
plusnet ADSL Customer (PlusNet Pro)
PlusNet Usergroup | PUG Forums | Usertools | PUG Issue Tracker - Please vote!!
Volunteer at the National Museum of Computing @ Bletchley Park
FTTC unlimited syncing @ 77Mbs down / 18Mbs up, Data rate 62Mbs down / 14Mbs up
« Reply #2 on 27/07/2010, 09:33 »
Hi there Smiley

Connection settings states " server assigned", currently.

This rocking horse is not sure how to switch off wireless Embarrassed on the 585.
« Reply #3 on 27/07/2010, 10:40 »
You'll probably find that is the IP your router has assigned your computer - In that case, the `UPnP action 'AddPortMapping'` is nothing to worry about (probably), as it's just your computer telling the router it wants to be able to receive a certain port

Could be you've installed BitTorrent software that's used it to make your speeds faster, or something like Skype

Or, it could also be a trojan making life easier for whoever created it  Undecided

If you've been using new software recently that uses the internet to communicate (like Skype / BitTorrent), you probably have nothing to worry about... Thuogh you might want to run a virus check, too, just in case Wink
« Reply #4 on 27/07/2010, 10:51 »
Point is though that it leaves no room for any important info that may be needed, soon lost.

No Skype or BitTorrent.

Will run virus check later today.
« Reply #5 on 27/07/2010, 10:56 »
Have a read about uPNP and you should find it's nothing to worry about.
Posts made before June 14th 2014 were from staff viewpoint, now I'm a customer Smiley
« Reply #6 on 27/07/2010, 18:11 »
Ben Smiley I haven't had chance to read the article fully but uPNP ilooks as you say from quick scan innocuous.

However, it's the amount of entries, that mean potentially more important events are discarded,that are the point of my OP
« Reply #7 on 28/07/2010, 02:25 »
uPNP ilooks as you say from quick scan innocuous.

If you aren't using uPNP just disable it in your router.

I'm not telling you who I work for. Any opinions expressed here are my own.
« Reply #8 on 28/07/2010, 09:01 »
Hi Jaggies. Cool
So easy: a lot of sites were saying it had to be disabled in Win7!!!
« Reply #9 on 28/07/2010, 20:52 »
In my OP I mentioned the "LOGIN User tried to login on [HTTP]... []" entries that accompanied the UPnP action ones. The LOGIN events are still coming in spades, and also are not marked 'success'. I fail to see why there should be so many. Why are they happening still?  Are they able to be turned off too? I do not recall seeing the entries, or there were  far fewer, with my Netgear.

Coincidentally the connection dropped around 2.40 pm and reconnected at 1000kbps lower,


« Last Edit: 29/07/2010, 09:34 by lucerne »

« Reply #10 on 29/07/2010, 09:58 »
If there is any issue with logon attempts from the local network then it's a virus / spyware / malware issue.
Posts made before June 14th 2014 were from staff viewpoint, now I'm a customer Smiley
« Reply #11 on 24/04/2011, 16:33 »
Regarding the profusion of: LOGIN User tried to login on [HTTPS] (from

I have noticed this (with the TG585). I think it is the web-browser, and normal.

Every time you view a page of the router's web-interface your browser sends authentication to the router. You do not really login once at the start, but every time you view a page (the browser caches the username and password and resends them each time) -- that is how HTTP 'basic access authentication' works.

You can check this by opening your browser, viewing a few of the router pages, then closing the browser, then accessing the router with telnet and viewing the log (systemlog show): there should be a few of the 'LOGIN' messages just between the times you used the browser.

I do not know why the router bothers to show this when it is so useless in the usual case. But, strictly, it makes some sense.

Well, that is my conjecture on the matter based on observed evidence and available knowledge -- and it should be confirmable/refutable on those.
  • spraxyt
  • Usergroup Member
  • *
  • Posts: 7579
  • View Profile
« Reply #12 on 24/04/2011, 21:36 »
Is RouterStats using the admin account to access the router? Simultaneously logging in from your browser might confuse things.

I suggest setting up a second user for RouterStats to use. I think it needs admin privileges (or one step down) for access to the statistics pages. See if that reduces the number of login warning messages.
Pages: [1]
Jump to:  

Related Sites

Community Apps

Here at Plusnet we're always trying to use clever open source things to make our lives easier. Sometimes we write our own and make other people's lives easier too!

View the Plusnet Open Source applications page

About Plusnet

We're a Yorkshire-based provider selling broadband and phone services to homes and businesses throughout the UK. Winner of the ISPA 2010 'Best Consumer Customer Service ISP' Award, we're proud to offer the UK's best value standalone broadband.

© Plusnet plc All Rights Reserved. E&OE

Powered by SMF | SMF © 2006-2008, Simple Machines LLC

Add to Technorati Favourites