Who is leaving my home?

January 7, 2011, by | Start Discussion

Introduction
The whole team came to me and said this issue will have to be on BOTNET only. They gathered article in all sections related to the same topic & now it was my responsibility to make “Command Line Gyan” on the related topic. So finally I decided to give you a closer look at my good old, cross platform friend ‘netstat’.  There is a reason why I chose ‘netstat’, this would give you an idea and help you keep an eye on outgoing connection & monitor if your machine is a part of botnet or not.
You can say that my antivirus is up-to-date and it will take care of the same, but having said that are we sure all the malware are caught by ‘my’ antivirus? Am I sure my Linux box doesn’t have a malware which is  leaving me vulnerable to this?
And that’s where our friend ‘netstat’ comes handy but we’ll take a different approach to use it this time.

Windows
Although again we are dividing this article in windows vs linux subsections, remember most of the commands will work on both the OS. All you have to be careful is with additional tools you are using to filter results.
To start with we’ll see on how many ports is my machine listening to a connection
C:> netstat -na | find /i “Listening”

This will give you a list of ports on your machine which are in listening mode. Make sure you check reason behind each, to be sure which application has opened that port
You may want to use switch –o to see the PID of the process which has opened the port
C:> netstat -noa | find /i “Listening”

Now how can you check which application does that PID belong to?
For that use WMIC
C:> wmic process where processid=”pid” list full

This will tell you the process with your chosen PID.
You may also try other switches of netstat like
-b = display executable name responsible for the connection
-p = specific protocol
-o = display process ID
-a = display all
-n = display IP only and no the fqdn

But the most interesting you’ll find is using a continuous netstat to keep looking at  the results
C:> netstat –na 5

This will keep checking the result of “netstat –na” every 5 seconds. You may choose your own time interval and make a script out of it
For more work on netstat there is an interesting but more difficult way in Microsoft Powershell but we’ll keep that out from this article

Linux
For linux more or less all the parameters are same. You may want to try the same command on linux too. Remember parameter for netstat are same, not the other executables
Like the first example in linux will become

# netstat -na | grep –i “listen”

Aah! I hate & love the case sensitivity of Linux environment. And that’s why we use –i to ignore case while searching and use only “listen” in filter as it may differ among  various Linux flavors.

I know Linux users are geek themselves, so this article was just a reminder that don’t forget your friend netstat, keep using it

Rohit Srivastwa
rohit@clubhack.com

 

bio data - Rohit Srivastwa

Leave a Reply