January 24th, 2004, 06:12 PM
Howdy folks, here is my problem. Every time I try to do a netstat -n, it will show the protocol and the connection state, but the local and foreign address sections are completely blank. Yet every other netstat command seems to be working fine, i.e. -a, -o. I've tried doing a full system virus/trojan scan (using Kaspersky 4.5 and TDS 3.2), and nothing out of the ordinary came up. I'm currently running a dual-boot of WinXP Pro and Home. Netstat -n works fine for the Home edition. So does this sound like perhaps someone has replaced XP Pro's cmd.exe with an altered version to prevent me from seeing active connections? Or does this seem more like just an error somewhere? Any feedback would be greatly appreciated, and if I've left out any info, just let me know and I'll try to post it ASAP.
(Here is a picture of what I am talking about for what happens when I try netstat -n for XP Pro, just in case I wasn't clear in my description. http://www.boomspeed.com/sub1/netstat.JPG)
January 24th, 2004, 06:42 PM
Netstat is an external command, meaning it is its own program found in %system%. You can rename it and run another version of netstat to see if you get the same results.
The only reason someone would replace it would be to hide a backdoor, IRC notifier or something else malicious. Get Fport from Foundstone (free), run it from a cmd prompt and see what ports are being kept open by what, and do a full system scan with your AV.
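As an added example (not part of either post): since the Home install on the same machine still behaves normally, one way to test the "replaced binary" theory is to hash the suspect tools on the Pro partition against the copies on the Home partition. The function names and the directory layout in `demo()` are hypothetical, the file contents are constructed stand-ins, and the comparison assumes both installs are at the same service pack and patch level, so a mismatch is a reason to look closer rather than proof of tampering.

```python
import hashlib
import tempfile
from pathlib import Path

# Binaries named in the thread; extend the tuple to cover other tools.
TOOLS = ("netstat.exe", "cmd.exe")


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_tools(suspect_dir, reference_dir, tools=TOOLS):
    """Compare each tool in suspect_dir with the copy in reference_dir."""
    results = {}
    for name in tools:
        suspect = Path(suspect_dir) / name
        reference = Path(reference_dir) / name
        if not reference.is_file():
            results[name] = "missing-reference"  # nothing to compare against
        elif not suspect.is_file():
            results[name] = "missing-suspect"    # a deleted tool is also a finding
        elif sha256_of(suspect) == sha256_of(reference):
            results[name] = "match"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Run the comparison on constructed stand-in files (hypothetical layout)."""
    with tempfile.TemporaryDirectory() as tmp:
        pro = Path(tmp) / "xp_pro" / "system32"
        home = Path(tmp) / "xp_home" / "system32"
        pro.mkdir(parents=True)
        home.mkdir(parents=True)
        (home / "netstat.exe").write_bytes(b"constructed reference netstat")
        (pro / "netstat.exe").write_bytes(b"constructed altered netstat")
        (home / "cmd.exe").write_bytes(b"constructed cmd")
        (pro / "cmd.exe").write_bytes(b"constructed cmd")
        return compare_tools(pro, home)


if __name__ == "__main__":
    for tool, status in demo().items():
        print(f"{tool}: {status}")
```

Running the comparison while booted into the install that still works, with the suspect partition read as plain files, keeps anything active on the suspect system from influencing what the hash sees.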