It may seem strange to see these words put together, but there is a reason. We have talked about ports and Trojans before; yet while many people's computers were still recovering from the Blaster worm, they were hit by Sasser. So it seems necessary to revisit the old topic, so that nobody is swept away by the next wave, however gentle. The ultimate goal is the same as always: keeping your computer safe on the Internet.
I. Port
1) general meaning of the port
Speaking of ports, this is indeed an old topic, but everything starts from it, so it has to be said. What is a port? Think of the house you live in. If you want others to visit you, you must open a door in the house. You have a cute kitten, so you make a small door for it to go in and out. To get to the back garden, you open a back door, and so on. Every door opened into the house is a port, and the doors opened so that others can come in are the service ports.
If you want to visit someone named Michael, Michael must have opened a service port that lets you in; otherwise you are turned away. But first you must open a door in your own house, and only then can you walk through Michael's door. The door we open in our own house in order to visit others is called the client port. It is opened randomly and automatically, and it is closed again when the visit ends, which makes it fundamentally different from the service port: a service port opens a door and waits for others to come in, while a client port is opened in order to go through someone else's door. Keep this distinction clear.
Now the port concept from a more technical angle. Networked computers must use the same protocol to talk to each other; the protocol is the language of computer communication, and two computers must speak one language to understand each other. The common language of the Internet is TCP/IP, a suite of protocols. It specifies that layer 4, the transport layer, has two protocols, TCP and UDP, and ports belong to these two protocols. Ports are divided into the source port and the destination port: the source port is opened on the local machine, and the destination port is the port on the other computer that the local machine is communicating with. Source ports are further divided into client ports, which actively connect out, and service ports, which passively wait for connections. When you visit a website, you open a port on your machine and connect it to a port on the web server; the same happens in reverse when someone visits you. Computer communication is thus a matter of walking in and out of each other's doors.
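As an added illustration (not part of the original article), the following Python script makes the service port / client port distinction visible on a running system: it opens a listening socket, connects to it from the same machine, and reports the port numbers each side sees. The function name demonstrate_ports and the "hello" payload are my own choices and do not come from the article.

```python
import socket
import threading


def demonstrate_ports() -> dict:
    """Open a service port, visit it through a client port, and report both.

    The server socket binds to port 0 so the OS picks a free service port; the
    client never binds, so the OS assigns its source (client) port automatically,
    exactly as happens when a browser visits a web site.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)                          # now in the LISTENING state
    service_port = server.getsockname()[1]    # the door opened for visitors
    seen = {}

    def serve():
        conn, peer = server.accept()          # peer = (client addr, client port)
        seen["peer"] = peer
        conn.sendall(b"hello")                # constructed payload for the demo
        conn.close()

    worker = threading.Thread(target=serve)
    worker.start()

    client = socket.create_connection(("127.0.0.1", service_port))
    client_port = client.getsockname()[1]     # chosen by the OS, not by us
    payload = client.recv(16)
    client.close()                            # the client port is closed again
    worker.join()
    server.close()

    # Nothing listens on the client port once the visit is over, so a connection
    # attempt to it is refused; the service port, by contrast, stayed open until
    # the server socket was explicitly closed.
    try:
        socket.create_connection(("127.0.0.1", client_port), timeout=1).close()
        client_port_still_open = True
    except OSError:
        client_port_still_open = False

    return {"service_port": service_port, "client_port": client_port,
            "server_saw_client_port": seen["peer"][1], "payload": payload,
            "client_port_still_open": client_port_still_open}


if __name__ == "__main__":
    for key, value in demonstrate_ports().items():
        print(f"{key}: {value}")
```

Run it and compare the two numbers: the service port is the one a visitor must know in advance, while the client port is picked from the ephemeral range without any request on your part, is reported to the server as the peer's port, and is gone once the visit ends. These are exactly the two numbers netstat prints after the colons in Local Address and Foreign Address.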
After the system is installed, many service ports are already enabled by default. How do you find out which ports your computer has open? That is the next topic:
2) view the port
1. Command Method
The following uses Windows XP as an example to see which ports a freshly installed system has open, that is, the default set of ports. The command for viewing ports without any extra tool is netstat. The method is as follows:
A. Click Start > Run, type cmd and press Enter.
B. At the command prompt, type netstat -na. In the output, Proto is the protocol, TCP or UDP. Local Address is the address of the local machine, and the number after the colon is the open port number. Foreign Address is the remote address: if you are communicating with another machine, its address is shown here. State is the connection state.
LISTENING means the port is in the listening state: it is open and waiting for a connection, but nothing has connected yet, just as the door of your house is open but nobody has come in. Take the first line as an example:
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
This line says that port 135 on the local machine is waiting for a connection. Note: only a TCP service port can be in the LISTENING state; UDP has no connection states at all.
2. Use the TCPView Tool
For a closer look at ports it is best to use the TCPView tool. It is only 93 KB, is portable ("green software") and needs no installation.
The font is small at first; increase it under Options > Font. The data TCPView shows is live. Local Address shows the port opened on the local machine (the number after the colon), and TCPView also shows which program opened each port. In this case ports 445, 139, 1025, 135 and 5000 are open; 445 and 139 are opened by System, and 135 by svchost.
3) Purpose of the research Port:
1. Which ports on the local machine are open, and who opened them, that is, through how many doors can someone enter the machine?
2. What is the current state of each local port: waiting for a connection, or already connected? If it is connected, pay special attention to whether the connection is normal or abnormal (a Trojan horse, for example).
3. Is the local machine currently exchanging data with another computer? Is it a normal program visiting a normal website, or has it walked into a trap?
Being on the Internet means transferring data between the local machine and other machines, and data can only be transferred through ports. Even very clever Trojans that transmit over normal ports without leaving an obvious trace still go through the same stages: a connection is set up, data is transferred, and the connection is torn down, and the port has a distinct state at each stage. To answer the three questions above you must understand how port states change. The following uses an example to analyze the state changes of a service port. Only TCP is stateful; UDP has no connection and therefore no state.
4) Service port status changes
First set up an FTP service on the local machine (IP address 192.168.1.10), then access the FTP service from another computer (IP address 192.168.1.1), and watch the port state change in TCPView.
The following lines are taken from TCPView.
1. LISTENING status
After the FTP service is started, it is in the LISTENING status.
When the State column shows LISTENING, the port is in the listening state: it is open and waiting for a connection, but nothing has connected yet, just as the door of your house is open but nobody has come in.
TCPView shows that FTP is enabled on the local machine: the program inetinfo.exe has opened port 21, the default FTP port. So the FTP service is running on the local machine and is currently in the listening state.
inetinfo.exe:1260 TCP 0.0.0.0:21 0.0.0.0:0 LISTENING
2. ESTABLISHED status
Access the FTP service of 192.168.1.10 from the computer 192.168.1.1. TCPView on the local machine now shows the port state as ESTABLISHED.
ESTABLISHED means a connection has been established; the two machines are communicating.
The following line shows that the local FTP service is being accessed by the computer 192.168.1.1.
inetinfo.exe:1260 TCP 192.168.1.10:21 192.168.1.1:3009 ESTABLISHED
Note: pay special attention to connections in the ESTABLISHED state, because they are not necessarily legitimate. We will come back to this.
3. TIME_WAIT status
Now end the FTP session from 192.168.1.1. TCPView on the local machine shows the port state change to TIME_WAIT.
TIME_WAIT means the connection has ended: port 21 was accessed, but the access is now over.
[System Process]:0 TCP 192.168.1.10:21 192.168.1.1:3009 TIME_WAIT
4. Tips
A. You can telnet to an open port to observe its state changes. For example, if port 1025 is open, run at the command prompt:
telnet 192.168.1.10 1025
B. This can also be tested from the local machine itself, but then the display shows the local machine connected to itself.
C. Double-click a connection in TCPView to see where the owning program is located. Right-click a connection and select End Process to kill the program that owns it, which also ends the connection.
5) client port status changes
A client port is the source port opened when the local machine accesses a service on another computer. The most common case is web browsing. The following uses a visit to baidu.com as an example to watch the port open and its state change.
1. SYN_SENT status
SYN_SENT means a connection request has been sent. When you want to use a service on another computer, you first send a synchronization (SYN) packet to that port, and while you wait for the reply the state is SYN_SENT. If the connection succeeds the state becomes ESTABLISHED, so normally SYN_SENT lasts only a moment. However, if you see a large number of SYN_SENT entries going to many different machines, your machine may be infected with a worm such as Blaster or Sasser. To infect other computers these worms scan for them, sending a synchronization request to every computer scanned, which is why so many SYN_SENT entries appear.
The following line shows the initial state when the local machine connects to the baidu.com website. If your network is working normally, it soon becomes ESTABLISHED.
IEXPLORE.EXE:2928 TCP 192.168.1.10:1035 202.108.250.249:80 SYN_SENT
2. ESTABLISHED status
The following line shows the local machine accessing the baidu.com website. If the site you visit has a lot of content, for example www.yesky.com, you will find many ESTABLISHED entries. This is normal: each item on the page, such as a video or a Flash animation, needs its own connection. What you should check is whether each ESTABLISHED connection was initiated by IEXPLORE.EXE (Internet Explorer); a connection initiated by some other EXE may be a Trojan on your computer.
IEXPLORE.EXE:3120 TCP 192.168.1.10:1045 202.108.250.249:80 ESTABLISHED
3. TIME_WAIT status
Once the web page has finished loading, the state changes to TIME_WAIT.
[System Process]:0 TCP 192.168.1.10:4259 202.108.250.249:80 TIME_WAIT
6) Key Points
In general, you must be familiar with the following:
1. For service ports, focus on the LISTENING and ESTABLISHED states. LISTENING shows the ports opened on the local machine, and ESTABLISHED shows the address from which someone is accessing your machine.
2. For client ports, focus on the SYN_SENT and ESTABLISHED states. SYN_SENT is a connection request sent from the local machine to another computer; normally it lasts only briefly, but if the local machine has many SYN_SENT entries it may be infected. Check ESTABLISHED to find out which machine the local machine is exchanging data with, and above all whether the connection was initiated by a normal program.
II. Trojan
What is a Trojan? Simply put, it is a program that secretly opens a backdoor on your computer without your permission. Trojans open their backdoor in two main ways.
1. Trojans with a service port. Such a Trojan opens its backdoor as a service port; once the backdoor is open, the port is in the LISTENING state. Its port number may be fixed or may change, and some Trojans share a normal port: if port 80 (the web service) is already open, the Trojan also uses port 80. The defining characteristic of this kind is a port in the LISTENING state waiting for a remote computer to connect in. For ordinary users it is easy to guard against: set the firewall to reject connections from outside to inside. A bounce (reverse-connection) Trojan is much harder to prevent.
2. Bounce Trojans connect from the inside out. They can effectively penetrate the firewall and reach your computer even when you are behind an intranet IP address. The principle is that the server (the part running on your machine) actively connects out to the client at the hacker's address.
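To turn the Key Points above and the two Trojan patterns into something that can be checked mechanically, here is an added Python example (not from the original article) that parses a netstat -nao snapshot and applies the three questions from the section on the purpose of studying ports: listeners that are not in the expected baseline (including a baseline port owned by the wrong program, the "Trojan on port 80" case), one process with many SYN_SENT entries to different hosts (the worm-scan signature), and ESTABLISHED connections that are either inbound to an unexpected listener or outbound from a program with no business on the network (the bounce Trojan pattern). The sample output, the PID-to-program map, the baseline and allowed-program lists, the process update.exe, the listener on port 5555 and the peer 203.0.113.5 are all constructed for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of `netstat -nao` on Windows XP (-o adds the
# PID column). Hosts follow the article: 192.168.1.10 is the local machine,
# 192.168.1.1 the FTP client, 202.108.250.249 the web server. The listener on
# port 5555, the process update.exe (PID 2044) and the peer 203.0.113.5 are
# hypothetical and exist only so that every check below fires.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1260
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:21        192.168.1.1:3009       ESTABLISHED     1260
  TCP    192.168.1.10:5555      203.0.113.5:51000      ESTABLISHED     2044
  TCP    192.168.1.10:1045      202.108.250.249:80     ESTABLISHED     3120
  TCP    192.168.1.10:1046      203.0.113.5:4444       ESTABLISHED     2044
  TCP    192.168.1.10:1050      192.168.1.11:445       SYN_SENT        2044
  TCP    192.168.1.10:1051      192.168.1.12:445       SYN_SENT        2044
  TCP    192.168.1.10:1052      192.168.1.13:445       SYN_SENT        2044
  TCP    192.168.1.10:1053      192.168.1.14:445       SYN_SENT        2044
  TCP    192.168.1.10:1054      192.168.1.15:445       SYN_SENT        2044
  TCP    192.168.1.10:4259      202.108.250.249:80     TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# PID -> image name, as TCPView or Task Manager would show it (constructed).
PROCESS_NAMES = {4: "System", 1044: "svchost.exe", 1260: "inetinfo.exe",
                 3120: "IEXPLORE.EXE", 2044: "update.exe"}
# Service ports this machine should listen on, and which program should own them.
BASELINE_LISTENERS = {21: "inetinfo.exe", 135: "svchost.exe", 445: "System"}
# Programs expected to open client connections to other machines.
ALLOWED_CLIENTS = {"IEXPLORE.EXE", "svchost.exe"}
SYN_SCAN_THRESHOLD = 5  # distinct SYN_SENT peers from one process

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")


@dataclass(frozen=True)
class Conn:
    proto: str
    laddr: str
    lport: int
    faddr: str
    fport: str
    state: Optional[str]  # None for UDP, which has no connection state
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -nao` output, skipping banner and header lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(m["proto"], m["laddr"], int(m["lport"]),
                              m["faddr"], m["fport"], m["state"], int(m["pid"])))
    return conns


def analyze(conns, names, baseline, allowed, threshold=SYN_SCAN_THRESHOLD):
    """Answer the article's three questions for one netstat snapshot."""
    name = lambda pid: names.get(pid, f"pid {pid}")
    findings = {"unexpected_listeners": [], "syn_scanners": {},
                "inbound_to_unexpected": [], "suspicious_outbound": []}

    # 1. Who opened the service ports? A port outside the baseline, or a baseline
    #    port owned by the wrong program, is suspect.
    listening, unexpected = set(), set()
    for c in conns:
        if c.proto == "TCP" and c.state == "LISTENING":
            listening.add(c.lport)
            if baseline.get(c.lport) != name(c.pid):
                unexpected.add(c.lport)
                findings["unexpected_listeners"].append((c.lport, name(c.pid)))

    # 2. Many SYN_SENT to different hosts from one process is the worm-scan pattern.
    peers = defaultdict(set)
    for c in conns:
        if c.state == "SYN_SENT":
            peers[c.pid].add(c.faddr)
    for pid, hosts in peers.items():
        if len(hosts) >= threshold:
            findings["syn_scanners"][name(pid)] = len(hosts)

    # 3. ESTABLISHED: inbound if the local port is a listener, otherwise outbound.
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        if c.lport in listening:
            if c.lport in unexpected:     # someone is using an unexpected backdoor
                findings["inbound_to_unexpected"].append((c.lport, c.faddr, name(c.pid)))
        elif name(c.pid) not in allowed:  # bounce-Trojan pattern: unknown program dials out
            findings["suspicious_outbound"].append((name(c.pid), f"{c.faddr}:{c.fport}"))
    return findings


if __name__ == "__main__":
    for key, value in analyze(parse_netstat(SAMPLE_NETSTAT), PROCESS_NAMES,
                              BASELINE_LISTENERS, ALLOWED_CLIENTS).items():
        print(key, value)
```

On a real machine, replace SAMPLE_NETSTAT with the output of netstat -nao and fill PROCESS_NAMES from tasklist or TCPView. The direction heuristic (a local port that is also a listener means an inbound connection) is what TCPView leaves you to infer by eye, and the TIME_WAIT entry owned by PID 0 is ignored deliberately, since it is a finished connection and matches the [System Process] lines in the article. A single snapshot only catches what is connected at that instant; to catch a bounce Trojan that dials out briefly and hangs up, run the check repeatedly.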