
Thread: Identify rogue processes using netstat and the windows taskmanager

  1. #1
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397

    Identify rogue processes using netstat and the windows taskmanager

    Well, there are lots of tools that are designed to find trojans and malware available, but what do you do if these tools fail? You may find yourself having to identify the processes manually. This tutorial will show you how. It is also a good idea to do this on a clean system in order to create a process baseline with which you can compare future data.

    I did this mainly as a reference for all the noobies, as well as to remind myself that even "experts" have a tendency to forget! (Memory, cheyenne1212, and MsMittens, you all know what I'm referring to!)

    Part I - The tools

    The method in this tutorial relies on the netstat command, Notepad, and the Windows Task Manager, which are part of the Windows OS. In addition, in order to successfully accomplish this task, we will need access to the following:

    1.) An active internet connection

    2.) User account with administrative privileges preferred, but not entirely needed, as long as the user has access to the command line.

    3.) Access to a spreadsheet program. A text editor such as Notepad can be used, but the output is much cleaner in a spreadsheet. I will be using Microsoft Excel in my examples.

    Part II - Gathering the information

    OK. The first thing that we want to do is get information on all the active TCP/IP connections. To do this, we'll bring up a command line and type "netstat -ano"

    The "-a" operand will display all the connections and their listening ports.

    The "-n" operand will display the addresses and ports in numerical form, as opposed to the DNS name and TCP/IP service name. I use this option because the output is cleaner.

    The "-o" operand will list the process identification number (PID) of the process using the connection. Without this switch, we're wasting our time, so don't forget it.

    The resulting output will look something similar to this:

    Active Connections

    Proto  Local Address          Foreign Address        State            PID
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING        784
    TCP    0.0.0.0:445            0.0.0.0:0              LISTENING        4
    TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING        832
    TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING        4
    TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING        3176
    TCP    0.0.0.0:1850           0.0.0.0:0              LISTENING        3268
    TCP    0.0.0.0:1851           0.0.0.0:0              LISTENING        1588
    TCP    0.0.0.0:1991           0.0.0.0:0              LISTENING        3148
    TCP    0.0.0.0:4569           0.0.0.0:0              LISTENING        4
    TCP    0.0.0.0:4633           0.0.0.0:0              LISTENING        4
    TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING        1000
    TCP    0.0.0.0:12174          0.0.0.0:0              LISTENING        1924
    TCP    0.0.0.0:38292          0.0.0.0:0              LISTENING        1836
    TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING        1924
    TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING        1588
    TCP    127.0.0.1:1031         127.0.0.1:1850         ESTABLISHED      1588
    TCP    127.0.0.1:1080         127.0.0.1:1031         CLOSE_WAIT       3176
    TCP    127.0.0.1:1850         127.0.0.1:1031         ESTABLISHED      3268

    I trimmed it down and all, but you get the idea.

    Now, if we right-click inside the command prompt window, we'll be presented with an option menu. We want to "Select All". Now, to copy the info, right-click on the title bar of the cmd window and you'll see a menu option that says "Edit". If you hover over this option, it will open another menu where we can select "Copy". That's what we want to do.

    Now on to the next step

    Part III - Formatting the information for analysis

    Now, we'll open notepad and paste the information. Save it. Now we have a text file with most of the critical information that we need. At this point, I import the text file into Microsoft Excel as a Tab delimited spreadsheet. That gives me a much cleaner layout to work with, as well as the use of a search function. However, this is optional.

    In Excel, I add the following columns:

    Process Name
    Runs As
    Description

    You can do the same thing in Notepad by tabbing over and inserting.

    Now it's time to match the info from netstat's output to the processes that are running. To do this, we simply press <Ctrl>+<Alt>+<Delete> and select the "Task Manager". From here select the "Processes" tab. Now select "View" from the menu at the top of the Task Manager screen and then the "Select Columns" option. For our purposes, the only items here that we are concerned with are "Image Name" (Process Name), "PID" (Process Identifier) and "User Name".

    Now we simply match the PID in our table to the PID in the Task Manager's Process List. If a process is hidden, we'll be able to easily identify it, as its PID and image name will not be listed in the Process List. For each PID in the table (spreadsheet), record the corresponding Image Name and User Name.

    The reason that we want the User Name is so that we know under what context the process is running. This is important if a rogue process is identified, as this will show you the account, which can then be checked to see if it has been compromised by reviewing the system logs.

    Part IV - Research and Analyze

    Now comes the dirty work... finding out what the process is. For this, we will need an internet connection and our best friend Google. Enter the process name that you have for each process into the search engine, and you'll be able to identify what that process does. To save time in your process identification, you can access the Wintasks process library, which has a listing of most of the common system, application, and trojan process names and their descriptions.

    Armed with this information, you'll be able to not only find the process, but you'll know what it does, the port it's using, and with any luck, the IP address of the person using it.

    Hope you guys liked it.
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.


  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    great way to get to know your system
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #3
    Thanks. For some reason I never thought to put the info into Excel. Learn something new every day.
    I have 315 relays and 118 switches and have all the power of a calculator.

  4. #4
    Senior Member Boogymantroy's Avatar
    Join Date
    Jan 2004
    Location
    Memphis Tn
    Posts
    100
    Thanks a ton. Newbies like me need to pay attention and try to learn something.

    Boogymantroy

  5. #5
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    Looks good, I will probably read it tomorrow.

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    FYI.

    I know that in Windows XP Pro, you can type "tasklist" from the command line to get the process info instead of going to the Task Manager. It is easy to copy and paste this information (explained above) to a document and compare them that way, rather than scrolling all over looking for the info.

    If you can't find this command, it may have to be installed from the XP CD-ROM under the support? folder. I don't remember if it is installed by default or not.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
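
    The join the tutorial does by hand (netstat PID against the Task Manager's Image Name and User Name) and the tasklist shortcut suggested in the reply above, as an added example that is not part of the original thread and not code by any of its posters: a Python script that parses "netstat -ano" output, reads a process list in the CSV shape produced by "tasklist /FO CSV /V", adds the Process Name and Runs As columns the tutorial asks for, flags every PID that netstat reports but the process list does not contain (the "hidden process" case the tutorial describes), and writes the result as tab-separated text ready to paste into a spreadsheet. The TCP rows are taken from the first post; the UDP row, the image names (example_proxy.exe, example_tool.exe) and the user names are constructed sample data, not findings about any real system.

```python
"""Join "netstat -ano" output with a process list and flag PIDs with no match."""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample netstat -ano output. The TCP rows are a subset of the listing in the
# first post; the UDP row is constructed to show that UDP rows have no State column.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       784
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       832
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       3176
  TCP    0.0.0.0:38292          0.0.0.0:0              LISTENING       1836
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING       1588
  TCP    127.0.0.1:1031         127.0.0.1:1850         ESTABLISHED     1588
  TCP    127.0.0.1:1080         127.0.0.1:1031         CLOSE_WAIT      3176
  UDP    0.0.0.0:500            *:*                                    832
"""

# Constructed process list in the shape of "tasklist /FO CSV /V" (extra columns
# trimmed; the parser reads columns by header name, so the full output also works).
# Image and user names are made up. PID 1836 is deliberately absent: it stands for
# a process that netstat reports but the process list does not show.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","User Name"
"System","4","Console","NT AUTHORITY\\SYSTEM"
"svchost.exe","784","Console","NT AUTHORITY\\SYSTEM"
"svchost.exe","832","Console","NT AUTHORITY\\NETWORK SERVICE"
"example_proxy.exe","3176","Console","WORKSTATION\\alice"
"example_tool.exe","1588","Console","WORKSTATION\\alice"
"""

# One netstat row: protocol, local, foreign, optional state (absent for UDP), PID.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


@dataclass
class Connection:
    proto: str
    local: str
    foreign: str
    state: str  # empty string for UDP rows
    pid: int


def parse_netstat(text: str) -> List[Connection]:
    """Extract the connection rows; header and blank lines do not match the pattern."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            conns.append(Connection(m["proto"], m["local"], m["foreign"],
                                    m["state"] or "", int(m["pid"])))
    return conns


def parse_tasklist(text: str) -> Dict[int, Tuple[str, str]]:
    """Map PID -> (image name, user name), looking columns up by header name."""
    return {int(row["PID"]): (row["Image Name"], row["User Name"])
            for row in csv.DictReader(io.StringIO(text))}


def build_report(conns: List[Connection], procs: Dict[int, Tuple[str, str]]) -> List[dict]:
    """Add the tutorial's Process Name / Runs As columns; unknown PIDs get a marker."""
    report = []
    for c in conns:
        image, user = procs.get(c.pid, ("<not in process list>", "<unknown>"))
        report.append({"proto": c.proto, "local": c.local, "foreign": c.foreign,
                       "state": c.state, "pid": c.pid, "process": image,
                       "runs_as": user, "unmatched": c.pid not in procs})
    return report


def unmatched_pids(report: List[dict]) -> List[int]:
    """PIDs that hold a socket but appear in no process list: check these first."""
    return sorted({r["pid"] for r in report if r["unmatched"]})


def network_listeners(report: List[dict]) -> List[dict]:
    """Sockets bound to all interfaces (0.0.0.0) rather than loopback, i.e. reachable from the network."""
    return [r for r in report
            if r["local"].startswith("0.0.0.0:") and r["state"] in ("LISTENING", "")]


def to_tsv(report: List[dict]) -> str:
    """Tab-separated text that pastes straight into a spreadsheet."""
    cols = ["proto", "local", "foreign", "state", "pid", "process", "runs_as"]
    header = ["Proto", "Local Address", "Foreign Address", "State", "PID", "Process Name", "Runs As"]
    lines = ["\t".join(header)]
    for r in report:
        lines.append("\t".join(str(r[c]) for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    rep = build_report(parse_netstat(NETSTAT_OUTPUT), parse_tasklist(TASKLIST_CSV))
    print(to_tsv(rep))
    print("PIDs with no process-list entry:", unmatched_pids(rep))
    print("Listening on all interfaces:", sorted({r["pid"] for r in network_listeners(rep)}))
```

    On a live system the two inputs would be the saved output of "netstat -ano" and "tasklist /FO CSV /V"; the script only replaces the manual copy, paste and lookup, the research step (what each image name actually is) is still done as the tutorial describes.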

  7. #7
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Thanks much 576.......7,

    I put yours into a word doc to keep it available.

    Also, for those of us who still keep a Win98SE box lit up, all the netstat operands are:

    “-a” displays all the connections and listening ports

    “-e” displays Ethernet connections

    “-n” displays address and port numbers in numerical form

    “-p” proto, show connections for protocol specified by proto

    “-r” shows the routing table

    “-s” shows per protocol stats

    “interval” redisplays selected stats, pausing interval seconds between each display

    **unfortunately the operand “-o” isn’t available for that OS.


    Have a great evening.

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    **unfortunately the operand “-o” isn’t available for that OS.
    -o is only known on XP.

    What to do on W2K?
    Is there a (third party's) tool that shows the PIDs for the listening or connected?
    Industry Kills Music.

  9. #9
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    fport, available from Foundstone: www.foundstone.com

