Detecting malware by listing open ports and listening services.

One way of detecting malware (viruses, rootkits, etc.) is by knowing which ports are open and which services and applications are associated with those ports. A while back, some of this malware would install on your computer with the intention of opening a backdoor for the attacker to connect to, leaving your PC at the attacker's mercy. Now that NAT (Network Address Translation) is widespread, this type of attack is less common, but as technology evolves, so do the threats: today the malicious software installs on your PC and initiates a connection back to the attacker's machine, which is listening for that connection. With that in mind, you should turn off any services you don't actually need so they do not become avenues of attack. There's no way to provide a comprehensive guide, of course: different systems have different services running by default, and new services are invented from time to time, expanding the number of services that may possibly be running on a given computer.

What is needed is a tool for listing active services and open ports: "netstat". I'll explain how such tools can be used on the two most widely used operating systems (MS Windows and Linux) to list open and listening services.

Note: "Remember, when all methods used fail, Google is your friend!"

Netstat in Linux:

Netstat is the obvious tool for detecting open ports in Linux. Most Linux distros ship a different version of the utility; it is maintained separately from Linux as an independent software development project, which is why it may differ between flavors such as FreeBSD, Ubuntu, Fedora, etc. The general use of this command is as follows:

netstat -lnpt

The output lists one line per listening TCP socket, with its local address and port, its state, and the PID and name of the program that owns it.

Additionally, you can use the "lsof" (list open files) command with the PID number to find which files a given application has open:

lsof -p PID

Netstat in Windows:

Microsoft Windows also offers a netstat command that can be executed from the command line to get a list of open ports. Microsoft's standard netstat is slightly more limited than its Linux counterpart, but it still gets the job done, as follows.

netstat -a | find "LISTENING"

or, to list connections together with the associated process ID (PID):

netstat -ano | find "ESTABLISHED"

After that, you can take the PID and look it up with the tasklist command:

tasklist /svc /FI "PID eq 456"

Although this should give you a good idea of which ports are open, there are lots of tools out there that do similar analysis, such as TCPView, procexp.exe and procmon.exe from Winternals. I find that sometimes we don't have the ability to install any apps on the system, for various reasons, so knowing how to get the job done with the tools at hand can be a great advantage.

Other useful netstat commands in Linux:

netstat -s | less  #show summary of TCP, ICMP, UDP activity

To see active TCP connections

netstat -tanp

To narrow netstat's output to daemons bound to a TCP port, look for the word "listen":

netstat -tanp | grep -i listen
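Comparing the listeners against a baseline is what turns a netstat listing into a detection. The script below is an added example, not part of the original post: it reads `netstat -lnpt` output on stdin and prints every LISTEN socket whose port is not in an assumed baseline list (`EXPECTED_PORTS`); the netstat output it runs on is a constructed sample so it works offline.

```shell
#!/bin/sh
# Added example: flag listening TCP ports that are not in a known-good baseline.
# Reads `netstat -lnpt` output from stdin, so it works on a live host or a saved capture.

# Baseline of ports this host is expected to listen on (assumed; adjust per host).
EXPECTED_PORTS="22 631"

# Constructed sample of `netstat -lnpt` output, used here instead of a live run.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      950/cupsd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2310/unknown
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd'

# unexpected_listeners: print "port pid/program" for every LISTEN socket
# (tcp or tcp6) whose port is not listed in $EXPECTED_PORTS.
unexpected_listeners() {
    awk -v expected="$EXPECTED_PORTS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)            # drop the address, keep the port number
            if (!(port in ok)) print port, $7
        }'
}

# Live use (net-tools netstat; run as root so the PID/Program column is filled in):
#   netstat -lnpt | unexpected_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

Anything printed is a listener to investigate with `lsof -p PID`, as described above.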