Why Did My Windows Server Run Out of Ports? A Real‑World Debugging Tale

On a Friday after a birthday celebration, the author received a payment‑failure alert because the bank's front‑end machine could not establish a connection.

Initial monitoring showed normal CPU, memory, disk I/O, and network usage, but the connection count on the front‑end machine spiked dramatically.

Remote access to the Windows server was possible, so basic network checks were performed: the domain could be opened in a browser, DNS resolution succeeded, but telnet to the IP and port failed.

Windows Event Logs contained many entries, revealing that local ports had been exhausted, preventing external communication.

The default dynamic port range (1024‑5000) allows about 4,000 sockets. The author enlarged the range by editing the registry at

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

and rebooted the server.

After the reboot the service appeared functional, but the high connection count persisted. Using

netstat -ano | find "47.95.x.x" | find /c "80"

showed thousands of connections to an IP belonging to Alibaba Cloud Beijing.

The IP was not a known Alibaba service, so it was blocked in the security group.

Further investigation with

netstat -ano

identified the process

uqccmg

(PID 1060) as the source of the connections. The process was unusual and likely malicious.

Attempts to terminate the process failed as it kept restarting. The associated executable was located and identified as malware.

Since the file could not be deleted directly, the author stopped the .NET service hosting it, which allowed the process to be killed and reduced the connection count.

Nevertheless, the infection remained, so a security tool (Huorong) was installed, which detected 17 risk items and removed the malware.

After cleaning, the business operations resumed normally, but the author concluded that the server should be reinstalled after proper hardening, regular inspections, and removal of unnecessary open ports.