Home > Security

Computerworld - One of the most worrisome aspects of computer intrusions is that hackers generally prefer to avoid fame and try to hide their presence on compromised systems. Using sophisticated and surreptitious techniques, they may install back doors or root kits, which allow them to later gain full access and control while avoiding detection.

Back doors are, by design, often difficult to detect. A common scheme for masking their presence is to run a server for a standard service such as Telnet, but on an unusual port rather than on the well-known port associated with the service. While there are numerous intrusion-detection products available to aid in identifying back doors and root kits, the Netstat command (available under Unix, Linux and Windows) is a handy built-in tool that systems administrators can use to quickly check for backdoor activity.

In a nutshell, the Netstat command lists all the open connections to and from your PC. Using Netstat, you'll be able to find out which ports on your computer are open, which in turn may assist you in determining if your computer has been infected by some type of malevolent agent.

	Douglas Schweitzer is an Internet security specialist with a focus on malicious code. He is the author of several books, including Internet Security Made Easy and Securing the Network from Malicious Code and the recently released Incident Response: Computer Forensics Toolkit.

To use the Netstat command under Windows, for example, open a command (DOS) prompt and enter the command Netstat -a (this lists all open connections going to and from your PC). If you discover any connection that you don't recognize, you should probably track down the system process that's using that connection. To do this under Windows, you can use a handy freeware program called TCPView, which can be downloaded at www.sysinternals.com.
Once you've discovered that a computer has been infected by a root kit or backdoor Trojan, you should immediately disconnect any compromised systems from the Internet and/or company network by removing all network cables, modem connections and wireless network interfaces.

The next step is system restoration using one of two basic methods for cleaning the system and bringing it back online. You can either attempt to remove the effects of the attack via antivirus/anti-Trojan software, or you can use the better choice of reinstalling your software and data from known good copies.

For more detailed information about recovering from a system compromise, check out the CERT Coordination Center guidelines posted at www.cert.org/tech_tips/root_compromise.html.

Read more about Security in Computerworld's Security Topic Center.