Backdoor or rootkit? Maybe Netstat can help!
by Douglas Schweitzer, A+, Network+, i-Net+, CIW, BIS
One of the most worrisome aspects of computer intrusions is that hackers (generally) prefer to avoid fame and usually seek to hide their presence on compromised systems. Using sophisticated and surreptitious techniques, they may install backdoors or rootkits which allow them to later gain full access and control, all the while avoiding detection.
Backdoors are designed to be hard to detect. A common way of masking one is to run a server for a standard service such as Telnet on an unusual port rather than on the service's well-known port, so that a casual look at the expected ports finds nothing amiss. While there are numerous intrusion detection products that help detect backdoors and rootkits, the netstat command (available under UNIX, Linux and Windows) is a handy built-in tool that system administrators can use to quickly check for backdoor activity. In a nutshell, netstat lists the sockets on your PC: the ports on which some process is listening for connections, and the connections currently established to and from it. A listening port you cannot account for, or a connection to a host you don't recognize, is a lead worth chasing. One caveat: a kernel-level rootkit can hook the system calls or library routines that netstat relies on and filter its own sockets out of the listing, so when a rootkit is suspected, corroborate netstat's view with a port scan run from a separate, trusted machine, and treat any port that answers the scan but is absent from netstat as a strong indicator of compromise.
Fortunately, UNIX, Linux and Windows all support the netstat command, though the option letters differ. Under Windows, open a command prompt and enter netstat -a, which lists every listening port and open connection to and from your PC. Adding -n skips the slow reverse DNS lookups and -o adds the process ID that owns each socket (netstat -ano), and netstat -b, which requires an administrator prompt, shows the executable behind each one. On Linux, netstat -tulpn (run as root so the program column is filled in for every process) gives the equivalent listing of listening TCP and UDP sockets with their PIDs. If you discover a listening port or a connection you don't recognize, track down the process that owns it: on Windows, match the PID in Task Manager or with tasklist /FI "PID eq <pid>", or use the handy freeware program TCPView, which can be downloaded at http://www.sysinternals.com and shows the owning process next to each connection in real time. The check is far more effective when you have a baseline: record the listeners a clean build of the system is expected to have, and review anything that appears beyond that list.
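The baseline check described above, as an added example that is not part of the original article: a small shell function that reads netstat output and prints every listening TCP socket whose port is not on an allowlist, together with the PID (and, on Linux, the program name) that owns it. It understands the Linux net-tools netstat -tlnp column layout and, because Windows netstat -ano output is often saved to a file and examined elsewhere, that layout too. The baseline ports, the sample netstat listings and the PIDs and program names in them are all constructed for the example; the telnetd listening on 31337 stands in for the article's "standard service on an unusual port" scheme.

```shell
#!/bin/sh
# Added example, not from the original article: compare the listening TCP
# sockets that netstat reports against a baseline of ports this host is
# expected to have open, and print every listener outside that baseline
# together with the PID (and, on Linux, the program name) that owns it.
#
# Input formats handled (read from stdin):
#   Linux   "netstat -tlnp"  Proto Recv-Q Send-Q Local Foreign State PID/Program
#   Windows "netstat -ano"   Proto Local Foreign State PID   (saved to a file)
# The port baseline is passed as a space-separated list in the first argument.
unexpected_listeners() {
    tr -d '\r' | awk -v expected="$1" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        # Strip everything up to the last ":" so 0.0.0.0:22, :::22 and [::]:22
        # all reduce to the bare port number, then report it if not baselined.
        function check(local, owner,   port) {
            port = local; sub(/.*:/, "", port)
            if (!(port in ok)) print port, owner
        }
        $1 ~ /^tcp/  && $6 == "LISTEN"    { check($4, $7) }   # Linux net-tools
        $1 == "TCP"  && $4 == "LISTENING" { check($2, $5) }   # Windows
    '
}

# Constructed sample output (not captured from a real host). The telnetd on
# 31337 models the "standard service on an unusual port" scheme.
SAMPLE_LINUX='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1033/nginx
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      2417/in.telnetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp6       0      0 :::443                  :::*                    LISTEN      1033/nginx'

SAMPLE_WINDOWS='Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       3120
  TCP    192.0.2.20:49712       203.0.113.5:443        ESTABLISHED     2204'

# On a live Linux host run it as root so every PID/Program cell is filled in:
#   sudo netstat -tlnp | unexpected_listeners "22 80 443"
printf '%s\n' "$SAMPLE_LINUX"   | unexpected_listeners "22 80 443"   # 31337 2417/in.telnetd, 25 901/master
printf '%s\n' "$SAMPLE_WINDOWS" | unexpected_listeners "135 445"     # 12345 3120
```

The awk program keeps only the text after the last colon of the local address, so IPv4, IPv6 and bracketed Windows addresses all reduce to a plain port number before the allowlist lookup. A hit is a lead, not a verdict: the 25/master line in the sample is a legitimate mail daemon that simply was not in the baseline, which is exactly why the baseline should be recorded from a known-clean build rather than guessed. On newer Linux distributions where net-tools is absent, ss -tlnp gives the same information in a different column layout, and the function would need its field numbers adjusted to match.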
Once it has been discovered that a computer is infected by a rootkit or backdoor Trojan, you should immediately disconnect every compromised system from the Internet and the company network by unplugging network cables, dropping modem connections and disabling wireless interfaces. The next step is system restoration, using one of two basic methods for cleaning the system and bringing it back online: you can either attempt to remove the effects of the attack with anti-virus or anti-Trojan software, or take the better choice of reinstalling your software and data from known good copies. Reinstallation is the only reliable option where a rootkit is involved, because a rootkit can subvert the very tools you would use to clean the system, and if the incident may need to be investigated later, preserve a copy of the compromised disk before you rebuild. For more detailed information on recovering from system compromise, please visit the CERT Coordination Center guidelines.
About the Author
Douglas is a Certified Internet Webmaster Associate, and he holds A+, Network+, and i-Net+ certifications from the Computing Technology Industry Association. He has appeared as an Internet security guest speaker on several radio shows, including KYW Philadelphia, as well as on Something You Should Know and Computer Talk America, two nationally syndicated radio shows. He is also the author of Incident Response: Computer Forensics Toolkit, Securing the Network from Malicious Code: A Complete Guide to Defending Against Viruses, Worms, and Trojans and Internet Security Made Easy: A Plain-English Guide to Protecting Yourself and Your Company Online.