lopbamboo.blogg.se

Is tcpview safe












It’s 4 PM on a Thursday afternoon…do you know what ports you’re communicating on? One of the biggest fears for any systems administrator is that his/her machine has been compromised. When this type of thing happens, something will often tip you off to the intruder’s presence. Whether it’s an obscure antivirus alert or a strange firewall notification, it’s a good idea to know what to do in this situation. In this article I will demonstrate a few of the things you can do to find out if someone else is hanging around your system.

One of the simplest and most effective things you can do is to output a list of the open connections to your system. This is made possible by the netstat command line tool, which is available on both Linux and Windows. You can use netstat on Windows to output a list of listening TCP and UDP ports by typing netstat -na at a command prompt. The first column is the protocol in use (TCP or UDP), after that is the local address and port, the third column is the foreign address and port, and the last column is the state of the connection. In addition to this command, you can also run netstat -nao on modern Windows versions to add a fifth column that displays the process ID associated with the displayed connections. An example of this output is shown in Figure 1.

Figure 1: Output of the netstat -nao command

When examining netstat output you can easily be overwhelmed with information. That being the case, make sure you have closed any network-centric applications and processes so that your results aren’t clouded with legitimate connections. Once you’ve done that, the first things to look for here are unrecognized foreign addresses, especially in the ESTABLISHED state. Also, be sure to look for any LISTENING connections on your local system on odd ports. When an attacker compromises your system it’s often the case that he will leave a backdoor listening for easier connections back. It helps to know your system very well when examining this output so you have an idea of what connections are normal.

It’s important to keep in mind here that netstat is not infallible. As a matter of fact, a great deal of the kernel-mode rootkits in use by attackers can purposefully modify netstat so that any backdoors they install will be hidden from the output.
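The review of netstat -nao output described in this article (unrecognized foreign addresses in the ESTABLISHED state, LISTENING sockets on odd ports) can be scripted; the following is an added example, not code from the original article. The sample output, the expected-port baseline and the known-network list are constructed assumptions that you would replace with values from your own known-good system.

```python
import ipaddress

# Constructed sample of Windows `netstat -nao` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       6120
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    192.168.1.10:49712     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:49801     203.0.113.45:8080      ESTABLISHED     6120
  UDP    0.0.0.0:5353           *:*                                    1840
"""

# Assumed baseline for this host; build yours from a known-good state.
EXPECTED_LISTEN_PORTS = {135, 445, 5353}
KNOWN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid) for each connection row."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # skip banner, header and blank lines
        if len(f) == 5:
            yield f[0], f[1], f[2], f[3], int(f[4])
        elif len(f) == 4:  # UDP rows have no State column
            yield f[0], f[1], f[2], "", int(f[3])

def review(text):
    """Return rows worth a closer look: odd listeners and unknown peers."""
    findings = []
    for proto, local, foreign, state, pid in parse_netstat(text):
        port = int(local.rsplit(":", 1)[1])  # rsplit also handles [::]:445
        if state == "LISTENING" or proto == "UDP":
            if port not in EXPECTED_LISTEN_PORTS:
                findings.append(("unexpected-listener", local, pid))
        elif state == "ESTABLISHED":
            host = foreign.rsplit(":", 1)[0].strip("[]")
            addr = ipaddress.ip_address(host.split("%")[0])  # drop IPv6 zone id
            if not any(addr in net for net in KNOWN_NETWORKS):
                findings.append(("unknown-peer", foreign, pid))
    return findings

if __name__ == "__main__":
    for kind, endpoint, pid in review(SAMPLE):
        print(f"{kind:20} {endpoint:24} PID {pid}")
```

The script only sees what netstat reports, so a clean result on a host where netstat itself has been tampered with proves nothing.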













