Windows Port and Trojan Summary
Basically, all Trojans are client/server-side systems based on TCP/IP communication. After the server is installed, a listening port is opened on the monitored end and waiting for the client to connect, generally, different Trojans use different listening ports by default. Therefore, check the listening ports opened on your computer, you can determine whether or not your computer is in a trojan or what kind of Trojan. Identifying the system's default port: PORTS lower than 1024 on the computer are usually allocated to some services. These ports and their corresponding and services are already well known ", therefore, these ports are recognized as ports. For example, port 80 is fixed to Web Services and port 21 is fixed to FTP services. If your computer has installed and enabled these services, these ports should be open on your computer. Below are some common accepted ports. Port 80: The port defined in hypertext transfer protocol, used to provide WEB services; port 21: Port defined in the file transfer protocol, used to provide file upload and download services; port 23: the port defined in the remote logon protocol to provide remote maintenance services; port 25: The port defined in the Simple Mail transmission protocol to provide mail sending services; port 110: the port defined in the mail acceptance protocol to provide the mail receiving service. Tip: some ports will be automatically opened after Windows is installed. I did a survey on these ports and found that, ports 135, 137, 138, and 139 are open in almost all Windows systems. In addition, ports 2000 are also open in Windows 445 and later systems. A port system over 1024 is generally not fixed to a service and is dynamically allocated, therefore, these ports are also called dynamic ports (some articles believe that ports from 1024 to 49151 are relatively fixed and allocated to some services, so they are subdivided into "registered ports". In fact, the system usually allocates ports dynamically from 1024 ). Dynamic ports can be used by any network program. As long as the program requests to access the network from the system, the system can allocate one from these ports for the program to use. After the access, the occupied ports are also released. When other programs access the network, these ports may be used again. In theory, dynamic ports should not be used as service ports. However, some normal programs and the server of most Trojans use one or more ports in this range. (The listening ports used by most Trojans can be customized, the port here refers to its default listening port) Listening network. The following lists some common programs and the default listening ports of known Trojans. Port 3389: the default listening port of the Windows terminal service or remote desktop; port 7626: the default listening port of the Moma glacier server; port 7306: the default listening port of the Trojan network genie (NetSpy) server; port 6267: the default listening port of the Trojan girl's server, and port 19191: the default listening port of the Trojan blue flame server. Because there are too many known Trojans, we cannot list them here. You can find the port in the listening status according to the method described below, and then search for the port number on the Internet, check whether it is caused by a Trojan. To use the Netstat command to view the port, one machine must communicate with another machine. First, four elements must be clarified: the IP address of the local machine, the IP address of the remote host, and the communication port used by the local machine, communication Port used by the remote host. Use the Netstat command to identify these four elements. Netstat is a built-in network detection tool for Windows. We can use this command if the TCP/IP protocol is installed. Netstat Command Format and main parameter Netstat [-a] [-e] [-n] [-o] [-s] [-p proto] [-r] [interval]- a. This parameter is used to display all ports and connections in the listparts state on the computer; -n displays the computer's ports and network addresses in addition to the LISTENING status in digital format;-o displays the computer's ports and network addresses in addition to the LISTENING status, and displays the PID of the port process enabled; -e lists the data traffic on the port (generally used together with parameter s), including the total number of bytes of the sent and received datagram, the number of errors, and the number of deletions; -s displays the statistical data of each protocol. The common port status LISTENING-this is what we often call the listener port. A port in this status is generally opened by a service program and is waiting for other hosts to connect. Therefore, this port is also called a service port; ESTABLISHED-if the LISTENING port has been connected to other hosts, the "LISTENING" Status of the port will change to "ESTABLISHED"; SYN_SENT-in most cases, our computer will take the initiative to open a port to connect to other machines, then the port status is "SYN_SENT", this port is generally opened by the client program, therefore, this port is also called a client port. If the client port establishes a connection with the Service port, the port status changes from "SYN_SENT" to "ESTABLISHED"; TIME_WAIT -- the port in the ESTABLISHED status. If the connection ends, the port status changes to TIME_WAIT. In the above parameters, we often use three: "Netstat-a", "Netstat n", and "Netstat-o" 1. "Netstat-a" is mainly used to check which listening ports are open on the local computer. As shown in 1, port 7626 appears in the listening port. We can preliminarily conclude that, this computer may have been implanted with Ice Horse. 2. "Netstat n" and "Netstat-o" (compared with the Netstat-n command, although this command does not parse the address, you can view the PID that initiates the connection process, knowing the PID that initiates the connection process, with some other software, we can know the application corresponding to the PID) is mainly used to view the network connection between the local machine and the external machine. Compared with traditional Trojans, there is also a trojan that uses the bounce port. That is to say, the Trojan server does not open a listening port and waits for the client to connect, instead, the server actively connects to the port listened by the client. To deal with such Trojans, we need to use "Netstat n" or "Netstat-o" to view the network connection between the local machine and the external server. As shown in 2, I have not used any software such as IE to connect to the outside, but the computer has been connected to port 8000 of the "211.99.188.167" host for a long time. By querying the PID, I found that this connection was initiated by Internet Explorer. through other means, I initially determined that my computer may be implanted with a Trojan horse that rebounded the port-the gray pigeon. In general checks, we generally combine the parameters "-a", "-n", and "-o" for use. In the Command Prompt window, enter "Netstat-an" or "Netstat-ao". In this way, we can not only view listener ports opened on the local machine, you can also view the network hosts to which network programs are connected by using IP addresses. There are many software for scanning ports using software. SuperScan is recommended. It is a port scanning tool launched by GoundStone, a foreign security group. It can not only scan ports, in addition, a port list file of the Trojan Horse is built in. With this list file, we can directly scan our computer for Trojans. 1. port Scan: Start SuperScan and click the "local machine" or "network" button. Enter the "Starting IP" and "ending IP" fields for your lan ip address or public IP address. Next, select "all ports" single listener, type all ports from 1 to 65535 in the text box, and click "start" to scan. After the scan is complete, the following window lists all listener ports opened in your system. If the ports are opened by Trojans, it can also give the trojan name or description based on the Trojan's port list file (3 ). 2. Scan Trojan: The method described above takes a long time to scan all ports. If you only scan the trojan, you can use the port list file of the Trojan horse. Step 1: click "Port Settings" on the SuperScan interface to open the "Edit port list" dialog box, and select "trojans. the lst file (figure 4) lists the port numbers and descriptions of Trojans in the following window. You can select some ports for scanning, you can also click "select all" to select all ports in the list for scanning. Step 2: On the SuperScan interface, click "each port in the list" to scan "trojans. all ports listed in the lst file, and "ports selected in all lists" are only scanned in "trojans. the port selected in the lst file. You can also enter a start port number and end port number, and then select "port in the list" to scan "trojans. step 3 of the port in this range in the lst file: select the port to be scanned, and then enter your own public IP address in "Start IP" and "end IP, click Start to scan the Trojan. TIPS: New trojans are emerging on the Internet. To enable SuperScan to identify these trojans, we can add new trojans to the trojans. lst file. In the "Edit port list" dialog box, select "trojans. in the lst file, enter the default port number used by the trojan in the "Port" text box on the left, enter the name or description of the Trojan in the "Description" text box, and click "add ", the new Trojan is added to the port list on the right. Click "save" to save the list as another file, but it can still be saved in "trojans. in the lst file.