In running-cmd-netstat-an, The opened port is displayed !!
Recently, the virus has been a big headache, but it has also gained a lot. I have learned a little bit about it and I would like to share it with you.
Currently, the most common Trojan Horse is based on the TCP/UDP protocol for communication between the client and the server. Since the two protocols are used, it is inevitable to open the listening port on the server side (that is, the machine where the trojan is planted) to wait for the connection. For example, the monitoring port used by the famous glaciers is 7626, And the Back Orifice 2000 is 54320. Then, we can check whether a trojan or other hacker program has been planted by checking the port opened on the local machine. The following describes the methods in detail.
1. netstat commands provided by Windows
For the netstat command, let's take a look at the introduction in the windows Help file:
Netstat
Displays protocol statistics and current TCP/IP network connections. This command can be used only after the TCP/IP protocol is installed.
Netstat [-a] [-e] [-n] [-s] [-p protocol] [-r] [interval]
Parameters
-
Display All connection and listening ports. Server connections are usually not displayed.
-E
Displays Ethernet statistics. This parameter can be used with the-s option.
-N
Display the address and port number in numeric format (instead of trying to find the name ).
-S
Displays statistics for each protocol. By default, statistics on TCP, UDP, ICMP, and IP are displayed. The-p option can be used to specify the default subset.
-P protocol
Displays the connection of the Protocol specified by protocol. Protocol can be TCP or UDP. If you use the-s option together to display statistics for each protocol, the protocol can be TCP, UDP, ICMP, or IP.
-R
Displays the contents of the route table.
Interval
Resend the selected statistics and pause interval seconds between each display. Press Ctrl + B to stop resending statistics. If this parameter is omitted, netstat prints the current configuration information once.
Now, after reading these help files, we should understand how to use the netstat command. Now let's learn how to use it. Use this command to check the ports opened on your machine. Go to the command line and use the parameters a and N of the netstat command:
C:/> netstat-
Active connections
PROTO local address foreign address State
TCP 0.0.0.0: 80 0.0.0.0: 0 listening
TCP 0.0.0.0: 21 0.0.0.0: 0 listening
TCP 0.0.0.0: 7626 0.0.0.0: 0 listening
UDP 0.0.0.0: 445 0.0.0.0: 0
UDP 0.0.0.0: 1046 0.0.0.0: 0
UDP 0.0.0.0: 1047 0.0.0.0: 0
To explain, Active Connections refers to the Active connection of the current Local machine, and Proto refers to the protocol name used for the connection. Local Address is the IP Address of the Local Computer and the port number being used for the connection, foreign Address is the IP Address and port number of the remote computer connected to this port, and the State indicates the TCP connection status. You can see that the listening ports of the next three rows are UDP, so there is no State. Look! Port 7626 of my machine is open and listening is waiting for connection. In this case, it is very likely that it has been infected with glaciers! It is correct to quickly disconnect the network and Use anti-virus software to kill viruses. 2. command line tool fport working in Windows
Friends who use windows are better than those who use Windows 9x, because you can use the fport program to display the correspondence between the local open port and the process.
Fport is a software developed by FoundStone to list all open TCP/IP and UDP ports in the system, as well as their full paths, PID IDs, process names, and other information corresponding to the application. For more information, see the following example:
D:/> fport.exe
FPort v1.33-TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
Http://www.foundstone.com
Pid Process Port Proto Path
748 tcpsvcs-> 7 tcp c:/WINNT/System32/tcpsvcs.exe
748 tcpsvcs-> 9 tcp c:/WINNT/System32/tcpsvcs.exe
748 tcpsvcs-> 19 tcp c:/WINNT/System32/tcpsvcs.exe
416 svchost-> 135 tcp c:/winnt/system32/svchost.exe
Is it clear at a glance. Now, what programs are opened on each port is under your eyes. If you find a suspicious program opens a Suspicious Port, don't worry about it. Maybe it's a tricky Trojan!
Fport is 2.0 in the latest version. In many websites provide download, but for the sake of safety, of course, it is best to go to its hometown: http://www.foundstone.com/knowledge/zips/fport.zip
3. graphic interface tool like fport active ports
Active ports are produced by Smartline. You can monitor all open TCP/IP/UDP ports on your computer. They not only display all your ports, it also shows the path of the program corresponding to all ports, and whether the local IP address and remote IP address (attempting to connect to your computer ip address) are active.
Even better, it also provides a function to disable the port. When you use it to discover the port opened by the trojan, you can immediately disable the port. This software works on Windows NT/2000/XP. You can go to the terminal at http://www.smartline.ru/software/aports.zip.
In fact, users who use Windows XP can obtain the correspondence between ports and processes without using other software, because the netstat command in Windows XP has an O parameter more than the previous version, you can use this parameter to obtain the port and process correspondence.
The preceding describes several methods for viewing the open ports on the local machine and the relationship between ports and processes. These methods can be used to easily discover Trojans Based on TCP/UDP protocol, hope to help your machine. However, it focuses on prevention of Trojans. If a new Trojan is created by using the driver and dynamic link library technology, the above methods will be difficult to identify the traces of the Trojan. Therefore, we must develop good internet habits, do not run attachments in emails, install a set of anti-virus software, like domestic rising is a good helper for virus and trojan detection. The software downloaded from the internet is checked and used again with anti-virus software. The network firewall and Virus Real-time Monitoring are enabled when accessing the internet to protect your machine from being infiltrated by hateful Trojans.
Author's blog:Http://blog.csdn.net/navyforce/