Ports, Trojans, Security and Scanning: Application Knowledge (Vulnerability Warning, Black Bar Safety Net)

ID MYHACK58:6220069863
Type myhack58
Reporter Anonymous
Modified 2006-06-19T00:00:00


The title may look odd, since it throws several words together, but ports and Trojans are everyday topics. Even so, many computers were just swept through by Blaster and then shaken hard by Sasser, so it seems worth going over this old topic again, so that the next wave passes by harmlessly. The ultimate purpose of all of it is to keep your computer safe on the Internet.

I. Ports

1) General meaning of a port

Ports are a very old topic, but everything starts from them, so they have to be discussed. What is a port? By analogy: you live in a house and want others to be able to visit you, so you put a door in the house; you keep a cute kitten and cut a small door for it into the back garden; you also open a back door, and so on. Every opening made so that something can get into the house we call a port, and the ones opened so that someone can come in are called service ports.

If you want to visit a person called Joe, Joe's home must have a door open that lets you in, a service port; otherwise you will be turned away. To go there you first open a door in your own home, and then go through that door straight to Joe's door. The door you open in your own house in order to visit someone else we call a client port. It is opened randomly and actively, and is closed again when the visit is over. Its properties are not the same as a service port's: a service port is a door opened and left waiting for someone to visit, while a client port is a door actively opened in order to go and open someone else's door. This distinction must be clear.

Now a brief explanation of the port concept from a more professional point of view. Networked computers must use the same protocol to communicate with each other; a protocol is the language computers speak, and computers must speak the same language to talk to each other. The common language of the Internet is TCP/IP, which is a family of protocols; its fourth layer, the transport layer, has two protocols, TCP and UDP. Ports belong to both protocols. Ports are divided into the source port and the destination port: the source port is the one opened on the local machine, and the destination port is the port on the other computer that the local machine communicates with. Source ports come in two kinds: a client port that is actively opened, and a service port that passively accepts connections. On the Internet, when you visit a website, your machine opens a port to connect to a port on the web server, and in the same way others access you. Computer communication is just like visiting each other: you leave through one door and enter through another.

After the system is installed, it opens many service ports by default. How do you find out which ports your computer has opened? That is what comes next.

2) How to view ports

1. Using the command line

Taking Windows XP as an example, let us look at which ports a freshly installed system has opened, that is, which doors have been left open. Without any extra tool you can view the ports with the netstat command, as follows:

a. Click Start, then Run, type cmd and press Enter.

b. In the DOS command window type netstat -na. Figure 2 shows the open service ports. Proto is the protocol; the figure shows the two protocols TCP and UDP. Local Address is the local address, and the number after the colon is the open port number. Foreign Address is the remote address: if another machine is communicating with you, its address is shown here. State is the connection state; LISTENING means the port is open and waiting for a connection but has not been connected to yet, like your front door standing open with nobody having come in. Take the first line as an example of what it means.


This line means that port 135 of the local machine is waiting for a connection. Note: only TCP service ports can be in the LISTENING state.


Figure 2

2. Using the TCPView tool

To analyze ports better, it is best to use the TCPView program. It is very small, only 93KB, and is portable software that needs no installation.

Figure 3 shows TCPView running. The font is somewhat small when it first starts; you can enlarge it under Options -> Font. The data TCPView displays is dynamic. In Figure 3, Local Address shows which ports the local machine has opened (the number after the colon), and TCPView also shows which application opened each port. From Figure 3 you can see that ports 445, 139, 1025, 135 and 5000, among others, are open; 445 and 139 are opened by System, while 135 and others are opened by SVCHOST.


Figure 3

3) Purpose of studying ports

1. Know which ports the local machine has opened, that is, how many doors lead into the machine and who opened them.

2. Know what state the local machine's ports are in: waiting for a connection or already connected. If already connected, pay special attention to whether the connection is normal or abnormal (a Trojan, etc.).

3. Know whether the local machine is exchanging data with other computers, and whether it is a normal program visiting a normal website or something walking into a trap.

Whenever the local machine transfers data with another machine, ports must be used. Even a very sophisticated Trojan that uses normal ports to transfer data leaves traces, because the beginning, middle and end of a transfer each have their own state. To answer the three questions above you must understand how port states change. The following examples first analyze how the state of a service port changes. Only TCP has states; UDP is an unreliable transport and has no state.

4) State changes of a service port

First, start the FTP service on the local machine (IP address: ), then access that FTP service from another computer (IP address: ) and watch the port state change in TCPView.

The parts shown in bold below are taken from TCPView.

1. The LISTENING state

After the FTP service starts, it is first in the listening (LISTENING) state.

A State of LISTENING means the port is open and waiting for a connection but nothing has connected yet, just like your front door standing wide open with nobody having come in.

In TCPView you can see that the local machine has FTP open. The line below means: the program inetinfo.exe has opened port 21, and 21 is FTP's default port, so the FTP service is open on this machine and is currently listening.

inetinfo.exe:1260 TCP 1 LISTENING

2. The ESTABLISHED state

Now access the FTP service on 192.168.1.10 from the computer 192.168.1.1. In TCPView on the local machine the port state changes to ESTABLISHED.

ESTABLISHED means a connection has been established: the two machines are communicating.

The line below shows the local machine's FTP service being accessed by the computer 192.168.1.1.

inetinfo.exe:1260 TCP 1009 ESTABLISHED

Note: pay extra attention to connections in the ESTABLISHED state, because they may not be normal connections. We will come back to this later.

3. The TIME_WAIT state

Now end the visit from 192.168.1.1 to the FTP service on 192.168.1.10. In TCPView on the local machine the port state changes to TIME_WAIT.

TIME_WAIT means the connection has ended: port 21 was accessed, but the visit is now over.

[System Process]:0 TCP 1009 TIME_WAIT

4. Tips

a. You can telnet to an open port and observe how the port changes. For example, if port 1025 is open, at the command prompt (run cmd as shown in Figure 1) run:

telnet 1025

b. You can also test from the local machine itself, but then the display shows the machine connected to itself.

c. In TCPView, double-click a connection to see where the program is located; right-click a connection and choose End Process to end the connection.

5) State changes of a client port

A client port is the source port the local machine opens to access a service on another computer. Most applications are Internet clients. The following uses a visit to baidu.com as an example of how the port is opened and how its state changes.

1. The SYN_SENT state

SYN_SENT means a connection has been requested. When you want to access a service on another computer you first send a synchronization signal to its port; at that moment the state is SYN_SENT, and if the connection succeeds it becomes ESTABLISHED, so normally SYN_SENT lasts only a very short time. But if you find very many SYN_SENT entries, sent to many different machines, your machine may be infected with a virus like Blaster or Sasser. To infect other computers such a virus must scan them, and during the scan it sends a synchronization request to every computer it scans; that is why so many SYN_SENT entries appear.

The line below shows the starting state of the local machine connecting to the baidu.com site. If your network is normal it soon becomes an ESTABLISHED connection.

IEXPLORE.EXE:2928 TCP 0350 SYN_SENT

2. The ESTABLISHED state

Shown below is the local machine accessing the baidu.com website. If the website you visit has a lot of content, for example www.yesky.com, you will see many ESTABLISHED connections to one address. This is normal: each item on the site, such as images, Flash and so on, establishes its own connection. When you see the ESTABLISHED state, check whether the connection was initiated by IEXPLORE.EXE (IE). If it was initiated by a program like EXPLORE.EXE instead, your computer may have a Trojan.


3. The TIME_WAIT state

When browsing the web page is finished, the state changes to TIME_WAIT.

[System Process]:0 TCP 2590 TIME_WAIT

6) Detailed port state transition diagram

The states above are the most important ones; there are a few more in practice. Figure 4 is the detailed TCP state transition diagram (taken from TCP/IP Illustrated). Thick solid arrows show the normal state changes of a client, and thick dashed arrows show the normal state changes of a server. These are outside the scope of this article; interested readers can study them.


Figure 4 TCP state transition diagram

7) Key points

Points every user should be familiar with (a few more words of nagging):

1. For service ports, focus on the LISTENING and ESTABLISHED states: LISTENING shows which ports the local machine has opened, and ESTABLISHED shows who is accessing your machine and from which address.

2. For client ports, focus on the SYN_SENT and ESTABLISHED states. SYN_SENT means the local machine has sent a connection request to another computer; this state normally lasts only a short time, but if the machine sends many SYN_SENT requests it is probably infected. ESTABLISHED shows which machines the local machine is transferring data with; the main thing to check is whether a normal program initiated the connection.
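The checks in this summary, and the reading of the netstat -na columns described in section 2 above, can be automated. The following is an added example, not part of the original article: it parses constructed netstat -na output for a machine like the one in the FTP example, lists the open service ports, splits ESTABLISHED connections into inbound (someone reaching one of our service ports) and outbound (our client ports), and counts SYN_SENT entries to distinct hosts, the scanning pattern the article attributes to Blaster and Sasser. The sample addresses and the alert threshold of five distinct hosts are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `netstat -na` output on a Windows XP machine (192.168.1.10):
# it runs an FTP server on port 21, has one inbound FTP client, one outbound web
# connection, and a burst of half-open SYN_SENT connections to many hosts on 445.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:21        0.0.0.0:0              LISTENING
  TCP    192.168.1.10:21        192.168.1.1:1009       ESTABLISHED
  TCP    192.168.1.10:1035      203.0.113.25:80        ESTABLISHED
  TCP    192.168.1.10:1036      10.0.0.7:445           SYN_SENT
  TCP    192.168.1.10:1037      10.0.0.8:445           SYN_SENT
  TCP    192.168.1.10:1038      10.0.0.9:445           SYN_SENT
  TCP    192.168.1.10:1039      10.0.0.10:445          SYN_SENT
  TCP    192.168.1.10:1040      10.0.0.11:445          SYN_SENT
  TCP    192.168.1.10:1041      10.0.0.12:445          SYN_SENT
  TCP    192.168.1.10:2590      203.0.113.25:80        TIME_WAIT
  UDP    0.0.0.0:123            *:*
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]   # None for UDP's "*:*"
    state: str                   # "" for UDP, which has no state


# One netstat row: Proto, Local Address, Foreign Address, optional State.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Conn]:
    """Turn the text of `netstat -na` into Conn records, skipping header lines."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip,
                          int(rport) if rport.isdigit() else None, state or ""))
    return conns


def service_ports(conns: List[Conn]) -> Tuple[List[int], List[int]]:
    """Doors the machine holds open: TCP ports in LISTENING, plus bound UDP ports
    (UDP shows no state, so every bound UDP port is simply listed)."""
    tcp = sorted({c.local_port for c in conns if c.proto == "TCP" and c.state == "LISTENING"})
    udp = sorted({c.local_port for c in conns if c.proto == "UDP"})
    return tcp, udp


def established(conns: List[Conn]):
    """Split ESTABLISHED connections into inbound (a remote host reached one of our
    service ports: who is accessing us, from where) and outbound (we opened a client
    port to a remote service)."""
    listening = set(service_ports(conns)[0])
    inbound, outbound = [], []
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        if c.local_port in listening:
            inbound.append((c.remote_ip, c.local_port))
        else:
            outbound.append((c.remote_ip, c.remote_port))
    return inbound, outbound


def syn_sent_report(conns: List[Conn], threshold: int = 5) -> dict:
    """Count half-open SYN_SENT connections. Many of them, to many different hosts
    and all aimed at the same remote port, is the worm scanning pattern described
    above. The threshold of distinct hosts is an assumption of this example."""
    syn = [c for c in conns if c.proto == "TCP" and c.state == "SYN_SENT"]
    hosts = {c.remote_ip for c in syn}
    ports = Counter(c.remote_port for c in syn)
    top_port = ports.most_common(1)[0][0] if ports else None
    return {"count": len(syn), "distinct_hosts": len(hosts),
            "top_port": top_port, "alert": len(hosts) >= threshold}


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("service ports (tcp, udp):", service_ports(conns))
    print("established (inbound, outbound):", established(conns))
    print("syn_sent:", syn_sent_report(conns))
```

Run against real output, the script would read `netstat -na` from a pipe instead of the embedded sample; the three functions are the same checks a person makes by eye in TCPView, only repeatable.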

II. Trojans

What is a Trojan? Simply put, it is a program that sneaks into your computer without your permission and opens a back door. There are two main ways a Trojan opens a back door.

1. Trojans with a service port. These Trojans open a service port as the back door; once it succeeds the back door is in the LISTENING state. The port number may be fixed or may change, and the Trojan may share a normal port, for example if you have port 80 (web service) open, the Trojan also uses port 80. The defining feature of this Trojan is a port in the LISTENING state that needs a remote computer to connect to it. For the average user this type is easier to guard against: set the firewall to reject connections from outside to inside. The harder type to guard against is the reverse-connecting Trojan.

2. Reverse-connecting Trojans. A reverse-connecting Trojan connects from the inside to the outside, so it can penetrate the firewall effectively, and even if you use an internal network IP it can still reach your computer. The principle is that the server side (on your machine) actively connects to the client's (the hacker's) address. The Trojan's server-side program behaves like your Internet Explorer: it uses a dynamically allocated port to connect to a port on the client, usually a commonly used port such as 80. It also uses a highly deceptive file name, such as iexpiore.exe or explorer (IE's program is IEXPLORE.EXE). If you do not look carefully you might think it is your Internet Explorer, and your firewall is fooled in the same way. If you see a connection like the following in TCPView, pay close attention: it is very likely a Trojan.

iexpiore.exe (your IP):1035(your port) Y.Y.Y.Y(remote IP):80(remote port)

or Rundll32.exe (your IP):1035(your port) Y.Y.Y.Y(remote IP):80(remote port)

or explorer.exe (your IP):1035(your port) Y.Y.Y.Y(remote IP):80(remote port)
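The two Trojan patterns above, an unexpected LISTENING port and an outbound web connection from a process that is not the browser, can be checked mechanically over TCPView's process/pid/protocol/address/state rows. The following is an added example, not code from the article or from TCPView: it parses constructed TCPView-style rows, flags ESTABLISHED connections to web ports made by any process other than the browser (calling out names one character away from iexplore.exe, such as iexpiore.exe, as lookalikes), and lists listening ports opened by programs outside a known-listener list. The sample rows, the browser allowlist and the known-listener list are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed TCPView-style rows (process:pid, protocol, local, remote, state) from a
# machine at 192.168.1.10. Three outbound web connections come from processes that
# merely resemble the browser or borrow system file names, and one unknown program
# holds a listening port open.
SAMPLE_TCPVIEW = """
IEXPLORE.EXE:2928  TCP  192.168.1.10:1035  203.0.113.25:80    ESTABLISHED
iexpiore.exe:1812  TCP  192.168.1.10:1036  198.51.100.9:80    ESTABLISHED
Rundll32.exe:2044  TCP  192.168.1.10:1037  198.51.100.9:80    ESTABLISHED
explorer.exe:1500  TCP  192.168.1.10:1040  198.51.100.9:80    ESTABLISHED
inetinfo.exe:1260  TCP  192.168.1.10:21    192.168.1.1:1009   ESTABLISHED
inetinfo.exe:1260  TCP  192.168.1.10:21    0.0.0.0:0          LISTENING
svchost.exe:880    TCP  0.0.0.0:135        0.0.0.0:0          LISTENING
System:4           TCP  0.0.0.0:445        0.0.0.0:0          LISTENING
unknown.exe:3120   TCP  0.0.0.0:5555       0.0.0.0:0          LISTENING
[System Process]:0 TCP  192.168.1.10:2590  203.0.113.25:80    TIME_WAIT
"""

# Assumptions of this example: the user's browser is Internet Explorer, and these
# are the programs expected to hold listening ports (compare Figure 3).
BROWSERS = {"iexplore.exe"}
KNOWN_LISTENERS = {"system", "svchost.exe", "inetinfo.exe", "lsass.exe"}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Row:
    process: str
    pid: int
    proto: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]
    state: str


# Process names may contain spaces ("[System Process]"), so match them non-greedily.
_ROW = re.compile(r"^\s*(.+?):(\d+)\s+(TCP|UDP)\s+\S+:(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_tcpview(text: str) -> List[Row]:
    """Parse TCPView-style rows into Row records, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proc, pid, proto, lport, rip, rport, state = m.groups()
        rows.append(Row(proc, int(pid), proto, int(lport), rip,
                        int(rport) if rport.isdigit() else None, state))
    return rows


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot names one typo away from the browser's."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_outbound(rows: List[Row]) -> List[Tuple[str, int, str, str]]:
    """ESTABLISHED client connections to a web port made by a process that is not the
    browser: the reverse-connecting Trojan pattern. Inbound connections to our own
    listening ports are not client connections and are skipped."""
    listening = {r.local_port for r in rows if r.state == "LISTENING"}
    found = []
    for r in rows:
        if r.proto != "TCP" or r.state != "ESTABLISHED" or r.remote_port not in WEB_PORTS:
            continue
        if r.local_port in listening:
            continue
        name = r.process.lower()
        if name in BROWSERS:
            continue
        lookalike = any(edit_distance(name, b) == 1 for b in BROWSERS)
        reason = "lookalike of browser name" if lookalike else "not the browser"
        found.append((r.process, r.pid, f"{r.remote_ip}:{r.remote_port}", reason))
    return found


def unexpected_listeners(rows: List[Row]) -> List[Tuple[str, int]]:
    """Service ports (LISTENING) opened by a program outside the known-listener list:
    the pattern of the first Trojan type, which opens its own back door."""
    return sorted((r.process, r.local_port) for r in rows
                  if r.state == "LISTENING" and r.process.lower() not in KNOWN_LISTENERS)


if __name__ == "__main__":
    rows = parse_tcpview(SAMPLE_TCPVIEW)
    for item in suspicious_outbound(rows):
        print("suspicious outbound:", item)
    for item in unexpected_listeners(rows):
        print("unexpected listener:", item)
```

A name match alone is not proof either way (a real browser can be renamed, and a Trojan can take any name), so in practice the flagged rows are what you double-click in TCPView to check the program's location on disk, as the tips in section 4 describe.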

III. Security

The purpose of analyzing ports is to keep the computer safe on the Internet. Following the ideas above, prevention can be approached from the following angles.

1) Close unneeded ports

For the average Internet user it is enough to be able to reach the Internet; nobody needs to reach you, so there is no need to open any service port. On Win98 you can reach the Internet without opening any service port, but on Win XP, Win 2000 and Win 2003 that is not possible; you can, however, close the unnecessary ports. Taking the ports a freshly installed Win XP system opens by default (Figure 3) as the example, here is how to close the unnecessary ones.

1. Close ports 137, 138, 139 and 445

These ports are opened for file sharing; they belong to the NetBIOS application protocol. The average Internet user does not need others to share their content, and these are also the ports with the most vulnerabilities. There are many ways to close them; a trick I recently learned online is very easy and closes all of the ports above at once:

Start -> Control Panel -> System -> Hardware -> Device Manager -> View -> Show hidden devices -> Non-Plug and Play Drivers -> NetBios over Tcpip.

Find it, disable the device in the interface shown in Figure 5, and restart.


Figure 5

2. Close port 123

Some worms may use UDP port 123. To close it, stop the Windows Time service as shown in Figure 6.


Figure 6 Closing port 123

3. Close port 1900

An attacker only needs to send forged UDP packets to a network with several Win XP systems to make those Win XP hosts attack a specified host (DDoS). In addition, if a UDP packet is sent to the system's port 1900 with the address in its Location field pointing at another system's chargen port, the system may be driven into an infinite loop that consumes all of its resources. (Hardware installation may need this port; open it manually when required.)

To close port 1900, stop the SSDP Discovery Service as shown in Figure 7.


Figure 7 Closing port 1900

Does closing some vulnerable ports in this way make everything fine? No, because some ports cannot be closed. Port 135 is opened by the RPC service, and if that service is stopped the computer shuts down; likewise ports 500 and 4500, opened by Lsass, cannot be closed. Blaster uses port 135. For ports that cannot be closed the best approach is regular patching. Every port is opened by some service, but it is hard for the average user to work out what those services are for, and therefore hard to know which service to stop to close which port. The best approach is the one discussed next: install a firewall. To put it plainly, a firewall means that even if you live in a ramshackle house rather than a sturdy one, as long as you build an impenetrable wall around it, the house inside the wall is safe.

2) Install a firewall

For the average user the following three kinds of firewall are relevant.

1. The built-in firewall

Win XP and Win 2003 come with a firewall. For its settings, refer to the articles on Yesky (天极网); they are not repeated here.

2. The ADSL modem's firewall

If you connect through ADSL, it is best, conditions permitting, to set the ADSL modem to network address translation (NAT) mode, what we usually call routing mode; strictly speaking routing and NAT are not the same thing, but the name has stuck. The biggest benefit of NAT mode is that once it is set up the ADSL modem acts as a firewall: it generally opens only the ports it needs for itself, such as 80, 21 and 161. If you do not set up any port mapping, a remote attacker generally cannot reach the computer behind the ADSL modem. The biggest security risk of ADSL modems is that many users never change the default password. If a hacker logs into your modem and sets up a port mapping, they may get into your computer, so be sure to replace the default password.

The built-in firewall and the ADSL modem in NAT mode can basically withstand attacks from outside to inside: even if service ports are open (both the ones opened by the system and the ones opened by service-port Trojans), hackers and Blaster-type viruses can do nothing to your computer. But a firewall can only block connections from outside to inside, not from inside to outside. Opening a web page or chatting on QQ are inside-to-outside connections, and reverse-connecting Trojans exploit exactly this property of firewalls to steal data from your machine. Reverse-connecting Trojans are very stealthy, but they still have tells, and the best way to guard against them is a third-party firewall.

3. Third-party firewalls

As mentioned above, a reverse-connecting Trojan uses a highly deceptive file name, such as iexpiore.exe or explorer, chosen to resemble IE's program IEXPLORE.EXE, or a name like rundll32 that looks like a system file. But the essence of a Trojan is that it communicates with a remote computer, and communication always means a connection. Below, the normal connection is initiated by IEXPLORE.EXE, and the abnormal connection is initiated by the Trojan program explorer.


Normal connection


The Trojan connection

Firewalls generally have a setting for which applications may access the network, as shown in Figure 8. In this kind of option, an application X that is not allowed to access the network is denied access.

Before writing this article I was hit by a reverse-connecting Trojan: the explorer program was connecting outward, and several antivirus scanners did not catch it. I first used the Tianwang firewall to block its network access and then spent a lot of effort removing it by hand. Unfortunately I did not take screenshots, and I do not have the courage to sacrifice myself again just to write this article.


Figure 8

4. Ending a connection with TCPView

When you observe the connections in TCPView and find one that may be abnormal, right-click the connection in TCPView and choose End Process to end it.

IV. Scanning

Scanning is a big topic in itself: there are port scanners (Superscan), vulnerability scanners (X-scan) and so on. Scanning will be covered later; this article only gives the average user a simple way to test online safety. If you have taken the security measures described above, you can find a website that tests security online and check how your current system fares, for example the following sites:

1. Millennium Online's online detection

2. Blue Shield's online detection

3. Tianwang Security Online

4. Norton online safety test

Note that when I tested my own machine it showed ports 21, 23 and 80 open, but these are the ADSL modem's service ports; my modem provides no way to modify or close them, but that is fine as long as the password is set to something complex.

V. Blaster

If you have closed port 445 or turned on the firewall as described above, you will not be harassed by worms like Sasser. There are already too many articles about the Sasser virus, so I will not go on about it here. Just do your security work well, and neither Blaster nor Sasser can do much to your computer.


There are many more security settings for a computer, but for the average user too much security is equal to no security, because even for professional computer security staff the settings are not easy, let alone for ordinary users whose computer knowledge is limited. If safety required a lot of settings, many people simply would not do them. For the average user, my recommendation is to do what must be done, such as:

1. Always install antivirus software when you go online, and update it promptly.

2. Install at least one firewall; ADSL users should preferably use routing mode and change the default password.

3. Patch regularly; Windows users should preferably set the system to update automatically.

4. What you have to do yourself is look at the connections in TCPView often, to guard against reverse-connecting Trojans. Look often, and after a while you may be seen as an expert.

5. UDP is an unreliable transport with no state, so it is hard to tell from TCPView whether data is being transferred over it. Interested readers can use a protocol analysis tool such as the Iris sniffer to see whether there is UDP traffic. That topic will be discussed another time.

6. The article's title sounds grand, but having written it I feel that most of the problems have been discussed by others already; there is nothing groundbreaking here.

As virtue rises a foot, vice rises ten. Network security is an eternal topic; there is no absolute security, but being aware is better than not even knowing the door is open.