Full Version: Port 49320
yuliang11
If you are scanning the local PC, I guess you should try something like activeports.exe. It tells you the exe properties, remoteport and remoteip.
Wolfman
Use fport.exe and see what exe is using that port.
Then, study the EXE and if you find it to be "weird", delete it. If at first you can't, do a kill.exe procc_number or file_name.exe and then delete it, or just do it in safe-mode.

Cya
Wolfman
wicked
Hey Wolfman, did you come from securibox? If so, those are some nice proggys you made.
gman24
Thanks everyone, I actually didn't know about fport, it's a good addition to my auditing tools. I used port explorer to find the process and link them. I ran it on all the machines with no luck. The connection was logged on the hardware firewall (the router) but not the software firewalls on the machines. It might be an operating system connection or something. Before I block the port, though, I am going to try running a honeypot on all the machines to capture any data on that port. Since it was on all those networks, it makes it seem less likely that it's a trojan. The networks were unrelated in any way. I want to find out what it is. If the honeypot doesn't work, I'm going to place a hardware sniffer right outside the router. One of these should turn up something.
detonator
I would try the rootkit detector in the file download area...

greetz
T3cHn0b0y
If there is a legitimate service that runs on port 49320 then it's one that Google doesn't know about. I'd say it's a custom configured trojan/remote admin server listening on your systems.

Try these:

Telnet to one of your systems on port 49320 from a DOS prompt like this: "telnet localhost 49320" and hit enter a couple of times. Now see if you can get some info about it from the header it returns, then look it up on Google. If it doesn't return a header then all the more reason to worry.

Download fport and run it from inside a DOS prompt. Look for the entry 49320 tcp or udp and look at the path to the executable that is listening on this port. Look that up on Google too.

Search your registry for entries of the executable name. Typical registry maps where a trojan would make entries are places like HKLM>Software>Microsoft>Windows>Current Version>Run+RunServices. No Microsoft built-in processes will contain keys in these maps of your registry but lots of 3rd party software does.

If none of this enlightens you then block the port on every computer and see if your network still works as it should. If it does then is there a need for this port to be open? Probably not.

Hope this helps.
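
The telnet check from the post above, as an added Python example that is not part of the original thread: it connects to the port on a machine you administer, sends Enter twice, and returns whatever header comes back so it can be looked up. The function names, the 3-second timeout and the 1024-byte read limit are assumptions of this example.

```python
import socket
import sys

def probe_port(host="127.0.0.1", port=49320, timeout=3.0):
    """Return (state, banner): state is 'open', 'closed' or 'filtered'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("closed", b"")       # nothing is listening on the port
    except OSError:
        return ("filtered", b"")     # timed out or unreachable, e.g. firewalled
    banner = b""
    with sock:
        try:
            sock.sendall(b"\r\n\r\n")          # "hit enter a couple of times"
            while len(banner) < 1024:          # assumed cap on the header size
                chunk = sock.recv(1024 - len(banner))
                if not chunk:                  # listener closed the connection
                    break
                banner += chunk
        except OSError:
            pass    # read timeout or reset: keep whatever arrived so far
    return ("open", banner)

def printable(banner):
    """Make a raw banner safe to print and paste into a search."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in banner)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    state, banner = probe_port(target)
    print(f"{target}:49320 is {state}")
    if state == "open":
        print("header:", printable(banner) or "(none returned)")
```

A "closed" result on localhost while the router still logs inbound connections to the port matches what gman24 reports from the local port scans.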
gman24
Does anyone know what this port is? I have a feeling it might be something Microsoft.

All the networks I have dealt with run Windows clients, and all the networks have incoming connections to port 49320. Nobody seems to know what it is for.

I would say it might be a trojan, but on ALL those networks (different time periods, some locations across the country).

I wasn't familiar with that port so I looked it up. Some people had posted their open connections to security help forums and that port had activity as well. However, I was unable to find any information on what that port was. There were no applications or services that showed up in the search that used that port. A website that mapped the common ports didn't have any information on that port.

I did a local port scan (127.0.0.1) on most of the computers on the networks and the port was not open.
T3cHn0b0y
QUOTE (Wolfman @ Oct 26 2003, 10:47 PM)
Use fport.exe and see what exe is using that port.
Then, study the EXE and if you find it to be "weird", delete it. If at first you can't, do a kill.exe procc_number or file_name.exe and then delete it, or just do it in safe-mode.

Cya
Wolfman

Didn't I already explain that one? DUH
Kynroxes
Hey, you can see it, man:

http://www.redhat.com/archives/redhat-inst...e/msg00135.html

and this:

http://www.iana.org/assignments/port-numbers

I intended to speak about that port, and I think it's a result of packets from edonkey/emule requests into a range, but I'm not really sure ...