Search for Trojans through TCP connections

Editor's note: You have anti-virus software, network firewalls, and various preventive measures. However, in the face of various unstable factors, can you ensure that you will never win? Do not be confused when exceptions occur. self-check helps you identify security risks and develop defensive strategies. To handle security problems with ease, you must start self-check. Starting from this issue, we will bring you a self-check trilogy to guide you to self-check. Today, we will introduce the self-check for TCP connections.
Viruses and Trojans pose an increasing threat to personal computers. They not only disrupt the security of local computers, but even completely destroy computers. They also use network technology, enabling multiple TCP connections to infect other computers in the network greatly enhances the destructive power of viruses or Trojans. As the saying goes, "snake farming is a 7-inch attack." How to minimize these threats from the network is a very important precaution. It is especially important to Manage TCP connections in the computer and perform self-check regularly.

There are two types of TCP connections in the computer: one is the internal-External TCP connection enabled by dangerous processes in the local machine, and the other is the external TCP connection from external malicious attacks. For the two TCP connections, different self-check and processing methods are required. Today we will introduce these two methods.

Knowledge: when a user uses some dangerous network services, or some viruses or hackers control the system, the user will first use the TCP protocol to establish an end-to-end connection, and then perform the next step, this is the so-called malicious TCP connection.

Careful: detects inbound and outbound TCP connections

Security alert: alert! Alert! An attack that is highly spreading in the network. It not only infected the local system, but also caused computer exceptions. It also spread over the network, opened a large number of TCP connections, and infected other machines in the network. In this case, you can perform self-check on the inbound and outbound TCP connections to identify and disable abnormal or malicious network processes.

If your computer is unfortunately infected with viruses or Trojans (such as shock waves and shock waves, many internal-External TCP connections will also be enabled to attack other computers in the network. If anti-virus software cannot be killed, then you will act as an accomplice to the virus.

Can it be easy to be an accomplice? Although the virus cannot be completely cleared at this time, we can completely mitigate the dangers of the virus and prevent viruses and trojans from creating inbound and outbound TCP connections to prevent them from spreading further.

1. Please visit Tcpview

Although the "NETSTAT" Command provided by the Windows system can detect the TCP connection of the local machine, the command is based on the command line method and is inconvenient to use, in addition, TCP connection conditions cannot be updated in real time. Therefore, I suggest you use the "Tcpview" tool.

In the network connection display box of Tcpview, the network connection status of all processes is displayed, including the TCP Connection established by the virus from the inside out. The connection information changes dynamically in real time and displays detailed TCP connection parameter information, such as the process name, process ID, connection protocol, local address, and port number. Now, the Tcpview program can easily analyze the situation of each TCP connection.

2. Check the TCP connection carefully.

If you find an unfamiliar process name in the Tcpview network connection display box (Figure 1 ),

In addition, this process has a large number of TCP connections and changes frequently. This shows that these TCP connections may be internal-to-External TCP connections established by viruses or Trojans in the system.

To prevent malicious programs from spreading and spreading, you can record the local port number used by the Process, right-click these Process items, and select "End Process" to End these TCP connections from the inside out. Next, we will use the network firewall to disable the port used by the virus to enable malicious TCP connections.

I also recommend that you install the SP2 patch for the Windows XP system, which can limit the number of threads enabled by the program to less than 10, this effectively limits the number of TCP connections established by the virus from the inside out.

Method Summary: the above method is applicable to self-check of TCP connections created by viruses or Trojans on the local machine, that is, to Detect TCP connections from inside to outside, this can effectively alleviate the harm caused by these evil horses. However, I would like to remind you that in order to completely eliminate these TCP connections from the inside out, you also need to immediately upgrade anti-virus software and install the corresponding patches for the Windows system.
Caution: strictly check external TCP connections

 

Security alert: alert! Alert! A port on the local machine suddenly has a large number of TCP connections, which seriously consumes the network resources of the local machine. The network speed decreases sharply and is unstable. It is suspected that it is a virus or hacker attack from outside.

In addition to viruses or Trojans, they may use TCP connections from the inside out to endanger other computers in the network. The local machine may also be attacked by external sources, such as viruses or hackers attacking a certain network port of the Local Machine. Of course, these attacks are also implemented through TCP connections, the difference is that they all come from external malicious TCP connections. Therefore, it is necessary to detect whether the local machine is vulnerable to external TCP connection attacks.

To know whether the local machine is attacked by external TCP connections, you need to monitor a port. Using the "TCP attack monitor v1.0" tool is a good choice.

1. Configure monitoring parameters

If I want to monitor whether port 80 of the IIS server of Windows XP is under attack, run the TCP attack monitor. First, enter "80" in the "monitoring port" column ", then, set the "Refresh cycle" and "minimum number of connections per IP Address" as needed. Then, the tool monitors the external TCP connections of port 80 of the IIS server (figure 2 ).

2. Find the attack source from the record

In the "TCP connections" column, the IP address of each machine that establishes a TCP connection with the IIS server is recorded in detail, and the number of TCP connections of this IP address is also recorded.

If the number of TCP connections from an IP address is very large within a short period of time, it is likely that the machine using this IP address is conducting TCP attacks on the IIS service, which is very dangerous. These external TCP attacks may be caused by viruses or hackers. To ensure the security of the IIS server, we can completely disable access initiated by this IP address on the IIS server or network firewall, in this way, we can get rid of the external malicious TCP connection attack, and the Windows system will be more secure.

Method summary: This method is suitable for self-check of TCP connections from outside, monitoring and self-check of these external TCP connections, and filtering harmful external TCP connections, it can minimize the harm caused by external viruses or hacker attacks.

This section describes how to perform self-check on TCP connections from the inside out to the outside. Efficient self-check plays an important role in preventing the spread and attack of viruses and Trojans. Of course, any malicious TCP connection is built for a port. Therefore, it is very important to perform port self-check. In the next period, we will introduce how to perform self-check on the port.