I do support work for businesses, and at two different clients' locations, I've noticed something weird on their routers.
The routers are both Actiontec V1000H units from Telus.
Both had UPnP enabled.
Both had a laundry list of ports open, generally pointing to one or two machines on the network, all over TCP.
So, you'd have, say, LAN Start/End port 8080, directed to a machine, with a WAN port of 8123. But dozens of them.
On one I worked on today, they have a little QNAP NAS. The list of WAN ports pointing to this unit is like so:
8105
8128, 8129
8106, 8107, 8108, 8109, 8110
8082
8111
8124, 8125
8085, 8086
8131
8112
8132, 8133
8083, 8084
8113, 8114, 8115, 8116
8087
8090
8117, 8118, 8119, 8120
8126, 8127
8091, 8092, 8093
8121
8094, 8095, 8096, 8097
8122
8098
8123
8099
I killed them all off, except for 8080 pointing to the device, LAN and WAN, then turned off UPnP.
The other client's was like this too. The only way to stop it was to kill UPnP, which I found really odd, because unless you can log in to this router, you shouldn't be able to make changes to the firewall like this AFAIK.
Now, it just occurred to me. If someone took control of a UPnP device (how, I don't know), could they make changes like this, and if so, for what? Botting? One client has a ton of Barracuda filters, which haven't picked up anything; the other one didn't have any other firewall gear.
Any ideas?
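For anyone wanting to audit this kind of thing without clicking through the router UI: the following is an added example (not from the poster or from Actiontec/Telus) that parses the SOAP replies an IGD router gives to GetGenericPortMappingEntry (the WANIPConnection:1 action UPnP clients use to create these entries) and flags LAN hosts that have piled up many WAN ports, the pattern described above. The replies, hosts and ports in the sample are constructed; the field names follow the UPnP IGD spec, while the flag threshold is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample replies (hosts/ports made up) in the shape an IGD router
# returns for WANIPConnection:1 GetGenericPortMappingEntry, one per index.
def _reply(ext, proto, int_port, client, desc):
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )

SAMPLE_REPLIES = [
    _reply(8080, "TCP", 8080, "192.168.1.50", "NAS web UI"),
    _reply(8123, "TCP", 8080, "192.168.1.50", "NAS web UI"),
    _reply(8105, "TCP", 8080, "192.168.1.50", "NAS web UI"),
    _reply(8106, "TCP", 8080, "192.168.1.50", "NAS web UI"),
    _reply(3074, "UDP", 3074, "192.168.1.20", "game console"),
]

FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewPortMappingDescription")

def parse_mapping(xml_text):
    """Extract one mapping from a GetGenericPortMappingEntry reply.
    The argument elements carry no namespace, so plain tag names match."""
    root = ET.fromstring(xml_text)
    m = {f: (root.findtext(f".//{f}") or "") for f in FIELDS}
    m["NewExternalPort"] = int(m["NewExternalPort"])
    m["NewInternalPort"] = int(m["NewInternalPort"])
    return m

def audit_mappings(replies, max_per_host=3):
    """Group mappings by LAN client and return {client: sorted WAN ports}
    for clients that exceed max_per_host (threshold is an assumption)."""
    by_host = defaultdict(list)
    for m in map(parse_mapping, replies):
        by_host[m["NewInternalClient"]].append(m["NewExternalPort"])
    return {h: sorted(p) for h, p in by_host.items() if len(p) > max_per_host}

if __name__ == "__main__":
    for host, ports in audit_mappings(SAMPLE_REPLIES).items():
        print(f"{host}: {len(ports)} WAN ports -> {ports}")
```

On a real router the same replies can be fetched by walking NewPortMappingIndex from 0 until the action errors out, and the audit then shows which LAN host the mappings are accumulating on.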