Wednesday, September 29, 2010

Viewing open ports: exposing a Trojan's true colours


Most Trojans in circulation today use the TCP or UDP protocol for communication between their client and server sides. Because both protocols are used this way, the server side (that is, the machine that has been planted with the Trojan) inevitably has to open a listening port and wait for a connection. For example, the famous Glacier Trojan listens on port 7626, and Back Orifice 2000 uses port 54320. So by looking at which ports are open on our own machine, we can check whether it has been planted with a Trojan or other hacker program. The methods are described in detail below.

1. The netstat command built into Windows

For the netstat command, let's first look at the description in the Windows help file:

Netstat

Displays protocol statistics and current TCP/IP network connections. This command can only be used after the TCP/IP protocol has been installed.

netstat [-a] [-e] [-n] [-s] [-p protocol] [-r] [interval]

Parameters

-a

Displays all connections and listening ports. Server-side connections are not normally displayed.

-e

Displays Ethernet statistics. This parameter can be combined with the -s option.

-n

Displays addresses and port numbers in numerical form (instead of trying to resolve names).

-s

Displays statistics for each protocol. By default, statistics are shown for TCP, UDP, ICMP and IP. The -p option can be used to specify a subset of the default.

-p protocol

Shows connections for the protocol specified by protocol; protocol can be tcp or udp. If used together with the -s option to display per-protocol statistics, protocol can be tcp, udp, icmp, or ip.

-r

Displays the contents of the routing table.

interval

Redisplays the selected statistics, pausing interval seconds between each display. Press CTRL+B to stop redisplaying statistics. If this parameter is omitted, netstat prints the current configuration information once.

Having read the help file, we should now know how to use the netstat command. Let's put it into practice and use the command to look at the open ports on our own machine. Open a command prompt and run netstat with the a and n parameters:

C:\> netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            0.0.0.0:0
  UDP    0.0.0.0:1046           0.0.0.0:0
  UDP    0.0.0.0:1047           0.0.0.0:0

To explain: Active Connections lists the machine's currently active connections. Proto is the name of the protocol the connection uses; Local Address is the local computer's IP address and the port number being used for the connection; Foreign Address is the IP address and port number of the remote computer on the other end; State is the state of the TCP connection. The last three rows are listening ports using the UDP protocol, and since UDP is connectionless they have no State. Look! Port 7626 on my machine is already open and listening for a connection. In a case like this the machine has very likely been infected with Glacier! The right thing to do is to disconnect from the network immediately and kill the Trojan with antivirus software.







2. fport, a command-line tool for Windows 2000

Windows 2000 users are luckier than Windows 9X users, because they can use the fport program to show which process on the local machine owns each open port.

Fport, made by Foundstone, is a piece of software that lists all open TCP/IP and UDP ports on the system together with the full path, PID, name and other details of the process corresponding to each one. It is used from the command line; see this example:

D:\> fport.exe
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
748   tcpsvcs        ->  7     TCP   C:\WINNT\System32\tcpsvcs.exe
748   tcpsvcs        ->  9     TCP   C:\WINNT\System32\tcpsvcs.exe
748   tcpsvcs        ->  19    TCP   C:\WINNT\System32\tcpsvcs.exe
416   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe

Isn't that easy to read? Now which program has opened which port is laid out right before your eyes. If a suspicious program has opened a suspicious port, don't just shrug it off; it may well be a sneaky Trojan horse!

The latest version of Fport is 2.0. It can be downloaded from many sites, but for safety's sake it is of course best to get it from the vendor's own home page: http://www.foundstone.com/knowledge/zips/fport.zip

3. Active Ports, a tool with Fport's functionality and a graphical interface

Active Ports, made by SmartLine, can be used to monitor all of the computer's open TCP/IP and UDP ports. It shows not only every open port but also the path of the program corresponding to each port, the local IP, the remote IP (the IP attempting to connect to your computer), and whether the port is active.

Isn't that intuitive? Even better, it also provides a function for closing ports: once you have found the port your Trojan has opened, you can shut that port down immediately. The software works on the Windows NT/2000/XP platforms. You can get it from http://www.smartline.ru/software/aports.zip.

In fact, Windows XP users do not need any other software to match ports to processes, because the netstat command in Windows XP has one parameter more than earlier versions, -o, which shows the process (by PID) corresponding to each port.
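The checks described in section 1 (reading the netstat -an table for listening ports) and in this section (the PID column that netstat -ano adds on Windows XP and later) can also be done programmatically. The following Python script is an added example and is not code from the original post or from any of the tools it mentions: it parses the table that netstat prints, lists the ports that are listening, and flags any that appear on a watch-list of the two Trojan ports the post names (7626 for Glacier, 54320 for Back Orifice 2000). The second netstat table, the PIDs and the process names (including "svr7626.exe") are constructed sample data; in real use you would feed it the captured output of netstat and a PID table built from tasklist.

```python
# Added example (not from the original post): a parser for the output of
# `netstat -an` (Windows 2000) and `netstat -ano` (Windows XP and later, with the
# PID column) that lists listening ports and flags any found on a watch-list.
# The watch-list ports are the two the post names; all PIDs and process names
# below are constructed sample data, not real captures.
from typing import Dict, List, NamedTuple, Optional, Tuple

# Ports the post associates with Trojan listeners.
WATCHLIST: Dict[int, str] = {7626: "Glacier", 54320: "Back Orifice 2000"}


class Socket(NamedTuple):
    proto: str            # "TCP" or "UDP"
    local_ip: str
    local_port: int
    state: str            # TCP state; "" for UDP, which has no connection state
    pid: Optional[int]    # filled only when netstat was run with -o


def parse_netstat(text: str) -> List[Socket]:
    """Parse the connection table printed by `netstat -an` or `netstat -ano`."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the "Active Connections" banner, the column header and blank lines.
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, rest = parts[0], parts[1], parts[3:]
        # rpartition keeps IPv6 literals such as "[::]:135" intact.
        ip, _, port = local.rpartition(":")
        state = ""
        if proto == "TCP" and rest:
            state, rest = rest[0], rest[1:]
        pid = int(rest[0]) if rest else None
        sockets.append(Socket(proto, ip, int(port), state, pid))
    return sockets


def listening_sockets(sockets: List[Socket]) -> List[Socket]:
    """Sockets waiting for input: LISTENING TCP sockets and every bound UDP socket."""
    return [s for s in sockets if s.proto == "UDP" or s.state == "LISTENING"]


def flag_watchlisted(sockets: List[Socket],
                     pid_to_process: Optional[Dict[int, str]] = None,
                     watchlist: Dict[int, str] = WATCHLIST) -> List[Tuple[int, str, str]]:
    """Return (port, watch-list name, owning process) for listening watch-listed ports.
    The process is resolved through pid_to_process (as built from `tasklist`);
    without a PID column a port can be matched but not attributed to a process."""
    findings: List[Tuple[int, str, str]] = []
    for s in listening_sockets(sockets):
        if s.local_port not in watchlist:
            continue
        if s.pid is None:
            process = "unknown (rerun with netstat -ano)"
        elif pid_to_process and s.pid in pid_to_process:
            process = pid_to_process[s.pid]
        else:
            process = f"PID {s.pid}"
        findings.append((s.local_port, watchlist[s.local_port], process))
    return findings


# Constructed sample: the table from the post's own `netstat -an` run (no PID column).
NETSTAT_AN = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            0.0.0.0:0
  UDP    0.0.0.0:1046           0.0.0.0:0
  UDP    0.0.0.0:1047           0.0.0.0:0
"""

# Constructed sample: the same host under Windows XP with `netstat -ano`, which adds a
# PID column; the ESTABLISHED row shows that non-listening sockets stay out of the report.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1208
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.5:1050       192.168.1.9:80         ESTABLISHED     1208
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name table, as one would build from `tasklist` output;
# "svr7626.exe" is a placeholder name, not a real Trojan file name.
PROCESSES: Dict[int, str] = {4: "System", 1208: "inetinfo.exe", 1544: "svr7626.exe"}

if __name__ == "__main__":
    for label, text, procs in (("netstat -an", NETSTAT_AN, None),
                               ("netstat -ano", NETSTAT_ANO, PROCESSES)):
        print(f"== {label} ==")
        for port, name, process in flag_watchlisted(parse_netstat(text), procs):
            print(f"port {port} ({name}) is listening, owned by {process}")
```

Run against the first table the script can only say that port 7626 is listening; run against the second it also names the process behind it, which is exactly the extra information the -o parameter (or fport) gives you. A watch-list of port numbers is only a first filter: the post's own advice to treat any unfamiliar program on any unfamiliar port as suspect still applies, since a Trojan can be configured to use a different port.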

The methods above show several ways of seeing which ports are open on the local machine and which process corresponds to each port. With them, Trojans based on the TCP/UDP protocols can be found easily; I hope they help you protect your beloved machine. But I must stress that, where defending against Trojans is concerned, if you run into a reverse-connection ("rebound port") Trojan, or a new kind of Trojan built with driver and dynamic link library techniques, the methods above will have a hard time finding its traces. Therefore we must cultivate good surfing habits: don't casually run email attachments; install antivirus software (the domestic Rising is a good helper for killing viruses and Trojans); scan software downloaded from the Internet with antivirus before using it; and keep the Internet firewall and real-time virus monitoring switched on while online, so that your machine is protected from hateful Trojan intrusions.

