XP Pro and 2000 Pro-- some builtins that let you see more....

Straight_Man (Geeky, in my own way), Naples, FL, Icrontian
edited July 2004 in Spyware & Virus Removal
One of the tricks to cleaning a box of malware is to see what is really running.

In XP Pro and 2000 Pro, there are two processes you can call or use that many folks do not know about. Both give you info that can help you find out whether things are running that you do not see even in Task Manager. They need to be used pretty much together, so I will show you how to get a printout from the first one, then you can use it along with the displayed info from the second.

First, there is a process called netstat. On 2000 and XP you can open a command console by going to Start|Run, typing CMD, and then clicking OK or tapping the Enter key once. Once in the command console, try typing this:

netstat /? (then tap enter key)

The command
netstat -ano
will give you active port info and the PID of the process using each port. You can print it one of two ways:

The easiest is to tell the command console to copy output to a file, or if you are in a Telnet local session you can capture the console output and save it to a capture file.

Here's a way to get telnet's port report to a txt file:

netstat -ano > c:\portrpt.txt

Once it is in a txt file, you can use Search to find that file name, and then double-click the file in the result pane. Notepad should open. Once it is open, tell Notepad to print the file. Alternatively, any word processor can open this file: use Open With to open it in a word processor, or simply write down where the file is, open it in any word processor, and print from that.

So, you have ports and PIDs.

Now, let's open something that will give you a process name and PID for everything running on your computer. If you left the command console window open, simply type:

msinfo32 (then tap enter key once)

Or, if the command console window is closed, type the same thing into Start|Run.

In the resulting window, click the plus next to Software Environment. On my XP Pro box here, that click gives me a list that lets me look at Running Tasks, Services, and many other things.

Clicking Running Tasks lets you look at processes by name, PID, and a bunch of other info, including who provided the process. You can see many details about what is really up with your system with System Information (AKA msinfo32.exe) on 2000 Pro and XP Pro. AFAIK, this applies to XP Home also.

Now, if you want to go into depth, match the PID on the active port list to the PID in System Information's Running Tasks list.

For Me and 98, there is also an msinfo; sometimes msinfo32 is present on Me or 98SE.

Why does this help??? Trojans open listening ports and wait for something remote to TALK to them. That something could be a hacker, a bot, or an nmap probe. Looking for, and getting to know, the strange and normal ports that indicate things is a good idea; this will give you the base info to look. Trojans typically use weird ports. If you want to know the most common ports, please ask.

This is a summarized INTRO to how to get higher levels of security info using common tools built into 2000 and XP-- for power users or admins. For suspicious or strange things, I suggest you Google the process name or program name.
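The matching step the post describes (PID from the netstat report against PID from the process list) is tedious by hand on a box with dozens of sockets. The script below is an added example, not part of the original post or of any Microsoft tool: it parses a saved `netstat -ano` report, parses a plain "name PID" process list of the kind you would transcribe from System Information's Running Tasks (that column layout is an assumption, not msinfo32's export format), joins the two by PID, and pulls out the two sets a defender looks at first: listening sockets whose PID is not in the process list at all, and listeners bound to a non-loopback address, i.e. reachable from the network. Both input blocks are constructed samples, not captures from a real machine.

```python
"""Join a saved `netstat -ano` report with a PID/process-name list.

Added example, not from the original forum post. NETSTAT_SAMPLE and
PROCESS_SAMPLE are constructed test data in the shape of `netstat -ano`
output and of a simple "name PID" list; they were not captured anywhere.
"""
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_addr local_port remote state pid")

# Constructed sample of what `netstat -ano > c:\portrpt.txt` might contain.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       1776
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1180
  TCP    192.168.1.10:1046      203.0.113.5:80         ESTABLISHED     1532
  UDP    0.0.0.0:500            *:*                                    688
"""

# Constructed "process name  PID" list, as you would copy it from Running Tasks.
# Note that PID 1776 is deliberately absent: it is the case the report flags.
PROCESS_SAMPLE = """
System                 4
svchost.exe            900
lsass.exe              688
alg.exe                1180
iexplore.exe           1532
"""


def parse_netstat(text):
    """Turn `netstat -ano` text into Socket tuples; UDP rows have no State column."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, blank line or column header
        if fields[0] == "TCP":
            proto, local, remote, state, pid = fields
        else:
            proto, local, remote, pid = fields
            state = ""
        addr, port = local.rsplit(":", 1)  # rsplit: the address itself may hold colons
        sockets.append(Socket(proto, addr, int(port), remote, state, int(pid)))
    return sockets


def parse_process_list(text):
    """Map PID -> process name from lines that end in a numeric PID."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[-1].isdigit():
            procs[int(fields[-1])] = " ".join(fields[:-1])
    return procs


def match_ports_to_processes(sockets, procs):
    """One row per socket with the owning process name filled in from the PID."""
    return [(s.proto, s.local_addr, s.local_port, s.state, s.pid,
             procs.get(s.pid, "<unknown PID>")) for s in sockets]


def listening_without_owner(sockets, procs):
    """Listening sockets whose PID is missing from the process list: look at these first."""
    return [s for s in sockets if s.state == "LISTENING" and s.pid not in procs]


def exposed_listeners(sockets):
    """Listeners bound to something other than loopback, so reachable from the network."""
    return [s for s in sockets if s.state == "LISTENING" and s.local_addr != "127.0.0.1"]


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_process_list(PROCESS_SAMPLE)
    for proto, addr, port, state, pid, name in match_ports_to_processes(socks, procs):
        print(f"{proto:4} {addr:>15}:{port:<5} {state:12} {pid:>5}  {name}")
    print("\nListening with no matching process entry:")
    for s in listening_without_owner(socks, procs):
        print(f"  {s.proto} port {s.local_port} owned by PID {s.pid}")
    print("\nListeners reachable from the network:")
    for s in exposed_listeners(socks):
        print(f"  {s.proto} {s.local_addr}:{s.local_port} PID {s.pid} ({procs.get(s.pid, '?')})")
```

On a real box you would replace the two constants with the contents of c:\portrpt.txt and of your transcribed Running Tasks list. A PID that shows up in netstat but not in the process list is exactly the mismatch the post is after, and a listener on 0.0.0.0 is the one that a remote probe can actually reach.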

Comments

  • Thrax, Austin, TX, Icrontian
    edited July 2004
    msinfo32 and netstat -ano are invalid commands and/or switches on Windows 2000 Pro.