Security knowledge: Port · Trojan · Security · Scanning

Security knowledge: Port · Trojan · Security · Scanning

Author: Unknown

Source: Unknown

I. Port 1). The general meaning of a port is that it is an old topic, but everything starts from it. What is port? For example, if you live in a house and want others to visit you, you have to open a door on the house. You have a cute kitten, for its entry and exit, I made a small door for it. In order to go to the back garden, I opened a backdoor ...... All the doors opened to enter the house are called ports, and the ports opened for others' incoming calls are called "service ports ". If you want to visit a person named James, Michael should open a ________ service port that allows you to access; otherwise, they will be rejected. When you go, first you open a "Door" at home, and then go straight to the door of Michael Jacob through this "door. The "Door" opened in your house to access others is called "client port ". It is opened randomly and automatically, and is disabled after access. It is different from the service port in nature. The service port opens a door waiting for others to access, and the client port actively opens a door to open others' doors, which must be clear. Next we will briefly explain the port concept from a professional perspective. A networked computer must use the same protocol to communicate with each other. The protocol is the language of computer communication. Computers must speak one language to communicate with each other. The common language of the Internet is TCP/TP, it is a set of protocols, which stipulate that the layer-4 Transport Layer of the network has two protocols TCP and UDP. The port is opened by the two protocols. The port is divided into the source port and the destination port. The source port is opened by the local machine, and the destination port is the port of another computer that is communicating with the local machine, the source port is divided into active client ports and passive Connection Service ports. On the Internet, When you access a website, you open a port on the local machine to connect to a port on the website server. This is also true when others access you. That is to say, the computer's communication is like what we walk into from each other. After you have installed the system, many "service ports" are enabled by default ". How do I know the ports opened by my computer system? This is what we should talk about below: 2) method of viewing the Port 1. Command method the following uses Windows XP as an example to see which ports are opened in the newly installed system, that is, all the ports are reserved, the command for viewing the port without any tools is netstat. The method is as follows: A. Enter cmd in the "run" section of "start" and press Enter. B. On the doscommand interface, type netstat-na. The opened service port is displayed. proto indicates the protocol. The figure shows that there are two Protocols: TCP and UDP. Local Address indicates the address of the local machine. The number after the colon is the open port number. Foreign Address indicates the remote address. If you are communicating with other machines, the address of the other party is displayed. The State indicates the status, and the listening indicates that the port is open, waiting for connection, but not connected yet. Just as the door of your house has been opened, but no one has come in. Take the first behavior as an example to see what it means. TCP 0.0.0.0: 135 0.0.0.0: 0 listening indicates that the local port 135 is waiting for connection. Note: Only the TCP Service port can be in the listening status. 2. Use the tcpview tool to better analyze the port. It is best to use the tcpview software, which is only 93kb small and is a green software without installation. Is the running interface of tcpview. The font size is small for the first time. In "options"-> "font", increase the font size. The data displayed in tcpview is dynamic. In Figure 3, the local address shows the port opened on the local machine (number after the port number). tcpview can see which port is initiated by which program. As shown in figure 3, ports 445, 139, 1025, 135, and 5000 are open, ports 445 and 139 are initiated by system, and ports 135 and are initiated by SVCHOST. 3) Purpose of the research port: 1. Know which ports are opened on the local machine, that is, the number of "Doors" that can enter the local machine. Who opened them? 2. What is the current status of the local port? Is it waiting for a connection or connection? If it is already connected, pay special attention to whether the connection is a normal connection or an abnormal connection (Trojan Horse, etc )? 3. Is the local machine currently exchanging data with other computers? Is it a normal program to prevent a normal website or access a trap? When you access the Internet, it is the process of transferring data between the local machine and other machines. to transfer data, you must use ports. Even some very clever Trojans use normal ports to transmit data without any trace, data has their own statuses at different stages of transmission, transmission, and termination. To understand the preceding three problems, you must understand the port status changes. The following uses the instance to analyze the status changes of the Service port. Only the TCP protocol is stateful. The UDP protocol is unreliable for transmission and stateless. 4) when the status of the Service port changes, configure the FTP service on the local machine (IP Address: 192.168.1.10) and access the FTP service on other computers (IP Address: 192.168.1.1, check the status of the port in tcpview. The section in the black text below is truncated from the tcpview. 1. The listening status is in the listening status after the FTP service is started. When the State is displayed as listening, it indicates that the port is in the listening state, that is, it is open and waiting for connection, but it is not connected yet. Just as the door of your house has been opened, but no one has come in. The tcpview shows that FTP is enabled on the local machine. It means that the program inetinfo.exe opens port 21, and the default FTP port is port 21. It can be seen that the FTP service is opened on the local machine. It is currently in the listening status. Inetinfo.exe: 1260 TCP 0.0.0.0: 21 0.0.0.0: 0 listening 2. The status of established is now accessing the FTP service of 192.168.1.10 from 192.168.1.1. The tcpview on the local machine shows that the port status changes to established. Established means to establish a connection. The two machines are communicating. The following shows that the local FTP service is being accessed by the computer 192.168.1.1. Inetinfo.exe: 1260 TCP 192.168.1.10: 21 192.168.1.1: 3009 established Note: You must pay special attention to connections in the established status, because they may not be a normal connection. We will discuss this issue later. 3. The time_wait status is now starting from 192.168.1.1. This computer stops accessing the FTP service 192.168.1.10. The tcpview on the local machine shows that the port status changes to time_wait. Time_wait indicates that the connection has ended. Port 21 has been accessed, but the access is over. [System process]: 0 TCP 192.168.1.10: 21 192.168.1.1: 3009 time_wait 4. Tip A: Telnet an open port to observe the port changes. For example, if port 1025 is open, run in command status (1 run cmd): Telnet 192.168.1.10 1025 B, and test from the local machine, only the local connection to the local machine C is displayed. Double-click the connection in tcpview to view the program location. Right-click the connection and select end process to end the connection. 5) client port status change the client port is actually the source port opened when accessing other computer services from the local machine, the most application is the Internet, the following uses the access to Baidu.com as an example to check the port opening and status changes. 1. The syn_sent status indicates the request connection, when you want to access the services of other computers, you must first send a synchronous signal to this port. At this time, the status is syn_sent. If the connection is successful, it becomes established. At this time, the syn_sent status is very short. However, if syn_sent is found to be very large and is being sent to different machines, your machine may be infected with viruses such as shock waves or shock waves. To infect other computers, these viruses need to scan other computers and send synchronous requests to each computer to be scanned during the scanning process, which is also the cause of many syn_sent attacks. The following figure shows the local connection protocol TCP 192.168.1.10: 1035 202.108.250.249: 80 syn_sent 2 and established status. The local machine is accessing the http://www.baidu.com/website. If the website you visit has a lot of content, such as accessing the website. Check whether the status of established is i‑e. the connection initiated by the EXE program (IE. the connection initiated by an EXE program may be a trojan in your computer. "Target = _ blank> Baidu.com website. If the website you visit has a lot of content, such as accessing the website. Check whether the status of established is i‑e. the connection initiated by the EXE program (IE. the connection initiated by an EXE program may be a trojan in your computer. Iexplore. EXE: 3120 TCP 192.168.1.10: 1045 202.108.250.249: 80 established 3. time_wait status changes to time_wait status after the web page is viewed. [System process]: 0 TCP 192.168.1.10: 4259 202.108.250.249: 80 time_wait 6), the detailed port change diagram above is the most important status, there are actually some, figure 4 shows a detailed change of the TCP status (cut from the TCP/IP explanation). A rough solid-line arrow is used to indicate a normal client status change, use the bold dotted arrow to indicate normal server status changes. These are not covered in this article. If you are interested, you can study it. 7) Key Points Generally, you must be familiar with the following ): 1. The service port should focus on the listening and established statuses. Listening is the port opened on the local machine, and the address from which the listablished accesses your machine. 2. syn_sent status and established status of the client port. syn_sent is a connection request sent from the local machine to other computers. Generally, this status has a short time, but if the local machine sends many syn_sent, it may be poisoned. Check whether the State of established is to find the machine with which the local machine is transmitting data, mainly to see if it is initiated by a normal program. 2. What a trojan is, simply put, is to secretly open a backdoor on your computer without your permission. There are two main methods to open a backdoor on a Trojan. 1. For a Trojan with a service port, all such Trojans need to open a backdoor with a service port. After the backdoor is successfully opened, it is in the listening state, and its port number may be fixed or changed, other Trojans can be used together with normal ports. For example, if you open normal port 80 (Web Service), the trojan also uses port 80. The biggest characteristic of this trojan is that a port is in the listening state and needs to be connected by a remote computer. This trojan is a good precaution for general users. Set the firewall to reject connections from the outside to the inside. A rebound Trojan is hard to prevent. 2. A bounce Trojan is an internal connection. It can effectively penetrate the firewall and access your computer even if you use an intranet IP address. The principle of this trojan is that the server actively connects to the client (hacker) address. Like your Internet Explorer, the Trojan server uses a dynamically allocated port to connect to a port of the client, which is usually a common port, such as port 80. In addition, it will use a strongly secured file name, such as iexpiore.exe and Explorer (the program of IE is iw.e. EXE ). If you do not take a closer look, you may think it is your Internet Explorer. In this way, your firewall will also be cheated. If you see the following connection in tcpview, it is likely to be a Trojan. Iexpiore.exe 192.168.1.10 (local IP): 1035 (your port) y.y. y.y (remote IP): 80 (remote port) or rundll32.exe 192.168.1.10 (local IP): 1035 (your port) y.y. y.y (remote IP): 80 (remote port) or assumer.exe 192.168.1.10 (local IP): 1035 (your port) y.y. y.y (remote IP address): 80 (remote port) 3. The purpose of port security analysis is to ensure the security of the Internet. Based on the above ideas, we can prevent the attacks from the following aspects. 1) disable unnecessary ports. for Internet users, you only need to be able to access the Internet and do not need to be accessed by others. That is to say, there is no need to open the service port, in Windows 98, you can access the Internet without opening any service ports, but not in Windows XP, Windows 2000, and Windows 2003, but you can disable unnecessary ports. Figure 3 shows the default port opened by the Windows XP system after it is installed. This is an example to disable unnecessary ports. 1. ports 137, 138, 139, and 445 are all enabled for sharing. They are applications of the NetBIOS protocol, generally, Internet users do not need to share your content, and they are also the port with the most vulnerabilities. There are many ways to close the port. Recently I learned from the Internet that it is very useful to close all the above ports at once. Start> Control Panel> system> hardware> Device Manager> View> display hidden devices> plug-and-play drivers> NetBIOS over tcpip. Find the page and disable the device from restarting. 2. disable port 123. Some worms can use UDP port 123 to disable the Windows Time Service. 3. disable port 1900. As long as an attacker sends a fake UDP packet to a network with multiple Windows XP systems, these windows XP hosts may attack the specified host (DDoS ). In addition, if you send a UDP packet to the system port 1900 and direct the address of the location domain to the chargen port of another system, the system may be in an endless loop, all resources of the system are consumed (manually enable hardware installation ). To disable port 1900, stop the SSDP Discovery Service. If some ports with vulnerabilities or unused ports are closed through the above method, is it okay? No. Because some ports cannot be switched off. For example, port 135 is the port opened by the RPC service. If the service is stopped, the computer will shut down. Similarly, ports 500 and 4500 opened by LSASS cannot be closed. The shock wave virus uses port 135. The best solution for a port that cannot be closed is to install a regular patch, and the port is opened by the corresponding service, however, it is difficult for general users to determine the purpose of these services, and it is difficult to find out which services can be stopped to close the corresponding port. The best solution is to install the firewall as described below. In general, the function of installing a firewall is like whether you live in a solid, good house or in a broken house, as long as you build an airtight wall around the house, it is safe for the house in the wall. 2) install a firewall. For general users, there are the following three types of firewalls. 1. For the firewall settings of Windows XP and Windows 2003, refer to the firewall in Skynet. 2. If the ADSL cat firewall accesses the Internet through ADSL, it is best to set the ADSL cat as the address translation method (NAT) if there are conditions, that is, the common routing mode, in fact, routes are different from nat. The biggest advantage of using NAT is that after the configuration is complete, the ADSL cat is a fire wall, which generally only opens 80, 21, 161 and so on to set open ports for the ADSL cat. If Port ing is not performed, generally remote attacks cannot be performed on computers behind ADSL cats. The biggest security risk for ADSL cats is that many users do not change the default password. In this way, if a hacker enters your cat and creates a port ing, the hacker may access your computer and change the default password. The built-in firewall and the NAT mode of ADSL cat can basically defend against attacks from the outside to the inside, that is to say, even if the service port is open (including the system Port and the Trojan with the Service port opened), hackers and viruses similar to the shock wave will not be able to help your computer. The above firewall can only prevent external to internal connections, and cannot prevent internal to external connections. When you open a webpage and use QQ chat, It is a connection from internal to external, A bounce trojan uses this feature to steal data from your machine. Although rebound Trojans are hidden, they are not without Trojans. The best way to prevent such Trojans is to use a third-party firewall. 3rd-party fireproof wall, the reverse bullet-type Trojan will use a concealed file name, such as iexpiore.exe, explorer, and other program iexplore with IE. the name that EXE really wants or rundll32 is like the name of the system file, but the essence of the Trojan is to communicate with a remote computer, as long as the communication will be connected. As shown in the following figure: the normal connection is initiated by ie e. EXE, and the abnormal connection is initiated by the trojan program explorer. 1812 Generally, firewalls have the permission settings for applications to access the network, as shown in figure 8. In this type of firewall option, select X for applications that do not allow access to the network, that is, network access is not allowed. Before writing this article, I had a bounce Trojan, that is, the Explorer program was connected to the outside, and several anti-virus software were used to prevent it from accessing the network, then it took a lot of effort to clear the manual. Unfortunately, it was not done. I have no courage to sacrifice this article. 4. Use tcpview to end a connection. When you use tcpview to check which connection may be abnormal, right-click the connection in tcpview, select end process to end the connection. 4. Scanning and scanning are another big topic, including port scanning (superscan) and vulnerability scanning (X-scan, this article only briefly introduces online security detection for general users. If you have taken the appropriate security measures as mentioned above, you can find an online security testing website on the Internet to test the security of your current system, as shown on the following website: 1. Millennium online-Online Detection 2. Blue Shield online detection 3. Skynet security online 4. Norton Online Security Detection note that ports 21, 23, and 80 are enabled to test my machine, but this is all the service port of ADSL. My cat does not provide any modification or closure, but it does not matter, as long as the password is set to a complex point. 5. If you close port 445 or open a firewall as mentioned above, you will not be harassed by the shock wave or similar viruses. There are too many articles about the shock wave virus, I am not here. As long as the security protection is done, whether it is a large wave of shock or an impact wavelet, you can only pass in front of your computer, but you can't help. 6. Note that there are still many requirements for computer security, but for general users, too many security settings mean no security, this is because security settings are not easy for professional computer security personnel, not to mention general users who do not have enough knowledge about computers. If you need to make a lot of settings to ensure security, there will certainly be many people who will not do it. For general users, I suggest you do what you can. For example, 1. install anti-virus software and upgrade it in time when accessing the Internet. 2. Install at least one firewall. It is best for ADSL users to use a route to access the Internet and change the default password. 3. Install patches frequently. It is best for Windows users to set the system to automatic upgrade. 4. All you have to do is use tcpview to check the connection and prevent the bounce Trojan Horse. I often look at it. It may take a long time to become an expert. 5. UDP is unreliable and stateless. It is hard to see from tcpview whether it is transmitting data, if you are interested, you can use protocol analysis tools such as Iris and sniffer to check whether UDP data exists.