Is TCP port 49966 activity caused by a virus/trojan?

  • Thread starter Thread starter Virus Guy
  • Start date Start date
V

Virus Guy

I'm seeing TCP port 49966 traffic in my router's log and I can't find
anything on the net about that port (other than it might be associated
with Red Hat Linux).

Is anyone else seeing this traffic?

Anyone know what it's associated with?
 
I'm seeing TCP port 49966 traffic in my router's log and I can't find
anything on the net about that port (other than it might be associated
with Red Hat Linux).
Click to expand...

Who knows; I might have caused some of it. See below.
Is anyone else seeing this traffic?
Nope.

Anyone know what it's associated with?
Click to expand...

Not specifically; but that port falls within the range that I configured the
BitTornado client to use through a router using UPnP. If you have a dynamic
IP address assignment, you may have picked up an IP address from such a
client which failed to close gracefully. You will need to examine the
packets to see exactly what the cause may be.
 
Not specifically; but that port falls within the range that I configured the
BitTornado client to use through a router using UPnP.
Click to expand...

This traffic is more than likely just internet noise. There is nothing
on the ISC about it at the moment.
If you have a dynamic
IP address assignment, you may have picked up an IP address from such a
client which failed to close gracefully.
Click to expand...

Picked up an IP address from a client? - this doesn't make sense even
if it was static or dynamically assigned.
You will need to examine the
packets to see exactly what the cause may be.
Click to expand...

Ha ha, examine packets - interrogation by packet sniffing would be a
time consuming and pointless. Why don't you just ignore it. There is
no attempted intrusion or anything malicious about it - is there!?!
Just block the 'offending' ip (if it really is offending you) using a
simple rule with your personal firewall.

--

Regards,
Ian Kenefick
Got a virus?
Go to www.ik-cs.com > 'Got a virus?'
 
Ian said:
This traffic is more than likely just internet noise. There is nothing
on the ISC about it at the moment.
Click to expand...

Approx 11:31 PM EST

Unrecognized access from 38.115.4.237:4253 to TCP port 49966

(some Cogentco machine - for the moment)

About a dozen of these showing up in a 20 minute span (the running
capacity of my router's log file).

Each time I look, yesterday AM, PM, today, etc - there's always these
hits to port 49966. IP's change, but within any given log view its
always from 1 or 2 different IP's.

I just started looking at the log a few days ago for another reason,
so I don't know when these port 49966 attempts started.

It's not a lot of hits (90% to 95% of hits are ports 135/139) but
49966 is becoming the next most common port (my ISP must already be
blocking 445). As common as 1026 (Gnutella).
Just block the 'offending' ip (if it really is offending you)
using a simple rule with your personal firewall.
Click to expand...

The log shows only blocked attempts, so it's no problem.

I'm just curious. Normally a consistent port attempt like this is
related to a specific virus or trojan. In this case, there's no info
at all about it.
 
From: "Virus Guy" <Virus@Guy.com>


|
| Approx 11:31 PM EST
|
| Unrecognized access from 38.115.4.237:4253 to TCP port 49966
|
| (some Cogentco machine - for the moment)
|
| About a dozen of these showing up in a 20 minute span (the running
| capacity of my router's log file).
|
| Each time I look, yesterday AM, PM, today, etc - there's always these
| hits to port 49966. IP's change, but within any given log view its
| always from 1 or 2 different IP's.
|
| I just started looking at the log a few days ago for another reason,
| so I don't know when these port 49966 attempts started.
|
| It's not a lot of hits (90% to 95% of hits are ports 135/139) but
| 49966 is becoming the next most common port (my ISP must already be
| blocking 445). As common as 1026 (Gnutella).
||
| The log shows only blocked attempts, so it's no problem.
|
| I'm just curious. Normally a consistent port attempt like this is
| related to a specific virus or trojan. In this case, there's no info
| at all about it.


My WallWatcher log shows ZERO WAN activity on this port see on my Linksys BEFSR81.

As you have noted, the number is low. I log 100's of thousands of port 445 and NetBIOS over
IP hits per month.
 
Back
Top