View Trojans through established sessions
Check suspicious sessions to determine whether a Trojan is active.
Recently a server at a certain organization behaved abnormally. The network administrator had the impression that someone else was operating the server, so he suspected that it had been infected with a Trojan. He wants to check whether a Trojan is present on the server. How can he confirm it?
Once a Trojan is on a computer it keeps itself running: it registers as a service or as an automatic startup item, and then quietly connects out to a controller on the attacker's side. Because the connection is initiated by the victim, it passes through NAT and through firewalls that allow outbound traffic; the attacker's controller lists which infected computers are online and lets the attacker operate them. So an active Trojan almost always shows up as an outbound connection from the infected computer to a host on the Internet, and that is what we check: the computer's external connections.
The network administrator can do the following.
First, log on to the computer but do not access any network resources, and make sure that Windows Update is not running in the background and that the antivirus software is not updating its virus database (these activities also establish sessions and would interfere with the search for Trojans).
As shown in Figure 1-24, run netstat -nob to list the connections. The -n switch shows addresses and ports numerically, -o shows the owning process ID (PID), and -b shows the executable that created each connection; -b requires an elevated (Administrator) command prompt. For each connection you can see the protocol, the local address and port, the remote (foreign) address and port, the state, the PID, and the program that established the session.
▲Figure 1-24 Viewing connections with netstat -nob
Next, concentrate on sessions in the ESTABLISHED state whose foreign address is an Internet address rather than a loopback or private (LAN) address. Any such connection that you cannot account for may be a Trojan. Use the PID to identify the process (for example, tasklist /fi "PID eq 2876", or Task Manager with the PID column displayed) and check the full path of its executable; the name alone is not proof of legitimacy, because a Trojan will happily call itself svchost.exe from a directory outside System32.
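The triage described in the two steps above, as an added example that is not from the original article: a Python script that parses the text output of netstat -nob and lists only the ESTABLISHED sessions whose foreign address lies outside the loopback, link-local and RFC 1918 ranges, grouped by PID and executable. The sample output embedded in it is constructed, not captured from a real host; it uses RFC 5737 documentation addresses (203.0.113.5, 198.51.100.7) as stand-ins for Internet hosts, and the PIDs and the name update.exe are invented.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of "netstat -nob" output (not captured from a real host).
# 203.0.113.5 and 198.51.100.7 are RFC 5737 documentation addresses standing
# in for hosts on the Internet; the rest are LAN or loopback addresses.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49723     203.0.113.5:443        ESTABLISHED     4120
  WinHttpAutoProxySvc
 [svchost.exe]
  TCP    192.168.1.10:49801     198.51.100.7:4444      ESTABLISHED     2876
 [update.exe]
  TCP    192.168.1.10:49810     192.168.1.20:445       ESTABLISHED     4
  Can not obtain ownership information
  TCP    127.0.0.1:5354         127.0.0.1:49152        ESTABLISHED     1508
 [mDNSResponder.exe]
  UDP    0.0.0.0:5355           *:*                                    1284
 [svchost.exe]
"""

# Ranges that are not "the Internet": loopback, link-local, RFC 1918 and the
# IPv6 equivalents. Listed explicitly instead of using ipaddress.is_private so
# the result is the same on every Python version and documentation ranges
# count as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


@dataclass
class Session:
    proto: str
    local: str
    remote: str
    state: str          # "" for UDP, which has no State column
    pid: int
    exe: str = ""       # from the "[name.exe]" line that -b prints under the row
    notes: list = field(default_factory=list)  # service name under svchost, or an ownership warning


def split_endpoint(endpoint):
    """'203.0.113.5:443' -> ('203.0.113.5', '443'); '[::1]:443' -> ('::1', '443'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_external(host):
    """True for a routable Internet address; False for wildcard, loopback, link-local or RFC 1918."""
    if host in ("*", "", "0.0.0.0", "::"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def parse_netstat(text):
    """Parse the text of 'netstat -nob' into Session objects."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Active Connections", "Proto")):
            continue
        parts = line.split()
        if parts[0] in ("TCP", "UDP"):
            if parts[0] == "TCP" and len(parts) == 5:
                proto, local, remote, state, pid = parts
            elif parts[0] == "UDP" and len(parts) == 4:
                proto, local, remote, pid = parts
                state = ""
            else:
                continue  # unexpected column layout: skip rather than guess
            sessions.append(Session(proto, local, remote, state, int(pid)))
        elif sessions and line.startswith("[") and line.endswith("]"):
            sessions[-1].exe = line[1:-1]          # executable reported by -b
        elif sessions:
            sessions[-1].notes.append(line)        # service name or warning text
    return sessions


def external_established(sessions):
    """The rows worth a second look: ESTABLISHED sessions to Internet hosts."""
    return [s for s in sessions
            if s.state == "ESTABLISHED" and is_external(split_endpoint(s.remote)[0])]


def report(text):
    """Group external established sessions by (PID, executable) for review."""
    by_proc = {}
    for s in external_established(parse_netstat(text)):
        key = (s.pid, s.exe or "<unknown: run netstat elevated>")
        by_proc.setdefault(key, []).append(s.remote)
    return by_proc


if __name__ == "__main__":
    for (pid, exe), remotes in sorted(report(SAMPLE).items()):
        print(f"PID {pid:<6} {exe:<24} -> {', '.join(remotes)}")
```

To use it on a real host, run netstat -nob from an elevated command prompt, redirect the output to a file, and pass the file's contents to report() in place of SAMPLE. An empty executable name (the script prints a placeholder) means netstat could not resolve the owner, usually because it was not run elevated. The result is a review list, not a verdict: for every entry, check the executable's full path and publisher before deciding whether the connection is legitimate.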
Additional knowledge
Another way to find Trojans is to use the System Configuration tool (msconfig) built into Windows. A Trojan typically disguises itself as a service on the infected computer or installs itself as an automatic startup item, so we can look through the services and the startup items for suspicious entries.
1) Select Start > Run to open the Run dialog box, type msconfig, and click OK to open the System Configuration Utility dialog box.
2) As shown in Figure 1-25, switch to the Services tab and select the "Hide all Microsoft services" check box so that only third-party services remain; check whether any of them looks suspicious.
▲Figure 1-25 hide all Microsoft services
3) As shown in Figure 1-26, switch to the Startup tab and check whether there are any suspicious automatic startup items; clear the check box of a suspicious item to disable it. Note that on Windows 8 and later the Startup tab of msconfig only links to Task Manager, where startup items are now managed. Keep in mind also that msconfig shows services, Run-key entries and Startup-folder entries only; a Trojan that persists through a scheduled task, for example, will not appear here.
▲Figure 1-26 view startup items