Manage special ports on the local machine to prevent Trojan attacks

A Trojan is a malicious remote control software. A Trojan is generally divided into a Client and a Server. A Client is the console of various commands used locally, the server is running for others. Only computers running on the server can be completely controlled.
Currently, the most common Trojan Horse is based on the TCP/UDP protocol for communication between the client and the server. Since the two protocols are used, it is inevitable to open the listening port on the server side (that is, the machine where the trojan is planted) to wait for the connection. For example, the monitoring port used by the famous glaciers is 7626, And the Back Orifice 2000 is 54320. Then, we can check whether a trojan or other hacker program has been planted by checking the port opened on the local machine. The following describes the methods in detail.

Netstat commands provided by Windows

Netstat displays protocol statistics and current TCP/IP network connections. This command can be used only after the TCP/IP protocol is installed.

Netstat [-a] [-e] [-n] [-s] [-p protocol] [-r] [interval]

Parameters
-A displays all connection and listening ports. Server connections are usually not displayed.

-E displays Ethernet statistics. This parameter can be used with the-s option.

-N: the address and port number are displayed in numeric format (instead of trying to find the name ).

-S displays statistics for each protocol. By default, statistics on TCP, UDP, ICMP, and IP are displayed. The-p option can be used to specify the default subset.

-P protocol indicates the connection of the protocol specified by protocol. protocol can be tcp or udp. If you use the-s option together to display statistics for each protocol, the protocol can be tcp, udp, icmp, or ip.

-R displays the content of the route table.

Interval re-displays the selected statistics and pauses interval seconds between each display. Press CTRL + B to stop resending statistics. If this parameter is omitted, netstat prints the current configuration information once.

Now we know how to use the netstat command. Let's learn how to use it now. Use this command to check the port opened on your machine. Go to the command line and use the parameters a and n of the netstat command:

C: etstat-a-n

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0: 80 0.0.0.0: 0 LISTENING
TCP 0.0.0.0: 21 0.0.0.0: 0 LISTENING
TCP 0.0.0.0: 7626 0.0.0.0: 0 LISTENING
UDP 0.0.0.0: 445 0.0.0.0: 0
UDP 0.0.0.0: 1046 0.0.0.0: 0
UDP 0.0.0.0: 1047 0.0.0.0: 0

To explain, Active Connections refers to the Active connection of the current Local machine, and Proto refers to the protocol name used for the connection. Local Address is the IP Address of the Local Computer and the port number being used for the connection, foreign Address is the IP Address and port number of the remote computer connected to this port, and the State indicates the TCP connection status. You can see that the listening ports of the next three rows are UDP, so there is no State. From the above, we can see that port 7626 of the machine is open and listening is waiting for connection. In this case, it is very likely that the machine has been infected with glaciers! Therefore, you should quickly disconnect the network and Use anti-virus software to scan for viruses.