Detecting Trojans by viewing open ports

xiaoxiao2021-03-06  38

Most common Trojans are based on communication between a client end and a server end over the TCP/UDP protocols. Since these two protocols are unavoidable, the server end (the part planted on the victim's machine) cannot avoid opening a listening port and waiting for a connection. For example, the listening port used by the famous Glacier (冰河) Trojan is 7626, Back Orifice 2000 uses 54320, and so on. So we can check whether our own machine has been planted with a Trojan or some other hacker program simply by viewing its open ports. The detailed methods follow.

1. Windows' built-in netstat command

For the netstat command, let's first look at the description in the Windows help file:

netstat

Displays protocol statistics and current TCP/IP network connections. This command can only be used after the TCP/IP protocol is installed.

netstat [-a] [-e] [-n] [-s] [-p protocol] [-r] [interval]

Parameters

-a

Displays all connections and listening ports. Server-side connections are normally not shown.

-e

Displays Ethernet statistics. This parameter can be combined with the -s option.

-n

Displays addresses and port numbers in numerical form (instead of trying to resolve names).

-s

Displays per-protocol statistics. By default, statistics for TCP, UDP, ICMP and IP are shown. The -p option can be used to specify a subset of the default.

-p protocol

Shows connections for the protocol specified by protocol; protocol may be TCP or UDP. If used together with the -s option to show per-protocol statistics, protocol may be TCP, UDP, ICMP, or IP.

-r

Displays the contents of the routing table.

interval

Redisplays the selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying the statistics. If this parameter is omitted, netstat prints the current configuration information once.

Ok, after reading this help text we should understand how the netstat command is used. Now let's use it to look at the open ports on your machine. Go to the command line and run netstat with the two parameters -a and -n:

C:\> netstat -an

Active Connections

Proto  Local Address      Foreign Address    State
TCP    0.0.0.0:80         0.0.0.0:0          LISTENING
TCP    0.0.0.0:21         0.0.0.0:0          LISTENING
TCP    0.0.0.0:7626       0.0.0.0:0          LISTENING
TCP    0.0.0.0:445        0.0.0.0:0          LISTENING
UDP    0.0.0.0:1046       *:*
UDP    0.0.0.0:1047       *:*

Explanation: Active Connections means the currently active connections. Proto is the protocol of the connection. Local Address is the IP address of the local computer and the port number in use. Foreign Address is the IP address and port number of the remote computer connected to that port. State indicates the state of a TCP connection; you can see that the TCP lines are in the LISTENING state, while the last lines use the UDP protocol, which has no state, so none is shown. Look! Port 7626 on my machine is open and listening for connections; in a case like this it is very likely that the machine has been infected with Glacier! Disconnecting from the network and scanning with anti-virus software is the right thing to do.

2. Fport, a command-line tool for Windows 2000

Users of Windows 2000 are luckier than those on Windows 9x, because the Fport program shows which process owns each locally open port. Fport lists all open TCP/IP and UDP ports in the system together with the owning process's full path, PID, process name and other information. It is run from the command line; see the example:

D:\> fport.exe
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process          Port  Proto Path
748   tcpsvcs      ->  7     TCP   C:\Winnt\System32\tcpsvcs.exe
748   tcpsvcs      ->  9     TCP   C:\Winnt\System32\tcpsvcs.exe
748   tcpsvcs      ->  19    TCP   C:\Winnt\System32\tcpsvcs.exe
416   svchost      ->  135   TCP   C:\Winnt\System32\svchost.exe

Is that clear? This way, which program opened each port is right before your eyes. If a suspicious program has opened a suspicious port, you need not hesitate: it may well be a sly Trojan!

The latest version of Fport is 2.0. It can be downloaded from many websites, but for safety it is of course best to get it from its home: http://www.foundstone.com/knowledge/zips/fport.zip

3. Active Ports, a tool with functionality similar to Fport

Active Ports, made by SmartLine, lets you see all open TCP/IP and UDP ports on your computer. It displays not only every open port but also the path of the program that opened it, the local IP and, for active connections, the remote IP (the IP attempting to connect to your computer). Here is a screenshot of the software:

Isn't it intuitive? Even better, it also provides a function to close a port: when you discover a Trojan's port with it, you can close that port immediately. The software runs on the Windows NT/2000/XP platforms. You can get it at http://www.smartline.ru/software/aports.zip.

In fact, Windows XP users do not need any other software to obtain the correspondence between ports and processes, because the netstat command shipped with Windows XP has an extra -o parameter compared with earlier versions; use it to show the process ID (PID) that owns each port.
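To show how the netstat check above can be automated, here is an added example (not code from the original article) that parses netstat output and flags listening ports matching the default ports named in the article (7626 for Glacier, 54320 for Back Orifice 2000). The netstat text and PIDs are a constructed sample; on a real machine you would paste in the output of `netstat -ano` (or `netstat -an` on versions without -o).

```python
from collections import namedtuple

# Default listening ports of the two Trojans the article names.
KNOWN_TROJAN_PORTS = {
    7626: "Glacier",
    54320: "Back Orifice 2000",
}

Listener = namedtuple("Listener", "proto port pid")

# Constructed sample of `netstat -ano` output; the trailing PID column is what
# the -o parameter adds. With plain `netstat -an` it is absent (pid -> None).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1124
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.5:1030       10.0.0.9:80            ESTABLISHED     1124
  UDP    0.0.0.0:1046           *:*                                    416
  UDP    0.0.0.0:1047           *:*                                    416
"""

def parse_listeners(text):
    """Return TCP sockets in LISTENING state plus all UDP sockets (UDP has no state)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        port = int(local.rsplit(":", 1)[1])  # handles "0.0.0.0:80" and "[::]:80"
        if proto == "TCP":
            if len(fields) < 4 or fields[3] != "LISTENING":
                continue  # ESTABLISHED, TIME_WAIT, ... are not listeners
            pid_field = fields[4] if len(fields) > 4 else None
        else:
            pid_field = fields[3] if len(fields) > 3 else None
        pid = int(pid_field) if pid_field and pid_field.isdigit() else None
        listeners.append(Listener(proto, port, pid))
    return listeners

def suspicious_listeners(text, watchlist=KNOWN_TROJAN_PORTS):
    """Map each open port that is on the watchlist to (trojan name, owning pid)."""
    return {l.port: (watchlist[l.port], l.pid)
            for l in parse_listeners(text) if l.port in watchlist}
```

A hit only tells you a known default port is open; confirm with the owning process's path (Fport or Task Manager) before acting, since legitimate software can use the same port.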

The above has introduced several ways to view local open ports and the correspondence between ports and processes. With these methods it is easy to discover Trojans that use the TCP/UDP protocols; I hope this helps you. However, Trojans are hard to guard against: if you encounter a reverse-connection (rebound port) Trojan, or a newer Trojan built with driver and dynamic link library technology, it is difficult to find its traces this way. So we must develop good Internet habits: don't run email attachments, install anti-virus software (Rising, in China, is a good helper against viruses and Trojans), scan software downloaded from the Internet with anti-virus software before running it, turn on the network firewall and real-time virus monitoring when online, and protect your own machine from being invaded.

Please credit the original address when reprinting: https://www.9cbs.com/read-63402.html