Back door or root kit? Maybe Netstat can help
Computerworld -
One of the most worrisome aspects of computer intrusions is that hackers generally prefer to avoid fame and try to hide their presence on compromised systems. Using sophisticated and surreptitious techniques, they may install back doors or root kits, which allow them to later gain full access and control while avoiding detection.
Back doors are, by design, often difficult to detect. A common scheme for masking their presence is to run a server for a standard service such as Telnet, but on an unusual port rather than on the well-known port associated with the service. While there are numerous intrusion-detection products available to aid in identifying back doors and root kits, the Netstat command (available under Unix, Linux and Windows) is a handy built-in tool that systems administrators can use to quickly check for backdoor activity.
In a nutshell, the Netstat command lists all the open connections to and from your PC. Using Netstat, you'll be able to find out which ports on your computer are open, which in turn may assist you in determining if your computer has been infected by some type of malevolent agent.
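As an added example (not part of the original article), the shell function below reads `netstat -an` output and prints listening TCP ports that are not on a list of services the host is expected to run, which is how a standard service moved to an unusual port would stand out. The allowlist, the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Ports this host is expected to serve (assumption; adjust per host).
ALLOWED_PORTS="22 80 443"

# Print listening TCP ports from `netstat -an` output (stdin) that are
# not in the space-separated allowlist passed as $1.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # TCP rows whose state is LISTEN (Unix/Linux) or LISTENING (Windows).
        toupper($1) ~ /^TCP/ && $0 ~ /LISTEN/ {
            # Unix/Linux: Proto Recv-Q Send-Q Local ...  -> local address is $4
            # Windows:    Proto Local Foreign State      -> local address is $2
            addr = ($2 ~ /^[0-9]+$/) ? $4 : $2
            port = addr
            sub(/^.*[:.]/, "", port)   # keep what follows the last ":" or "."
            if (!(port in ok) && !seen[port]++) print port
        }
    ' | sort -n
}

# Constructed sample of Linux `netstat -an` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2323            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Offline demo on the sample. On a live host:
#   netstat -an | unexpected_listeners "$ALLOWED_PORTS"
sample_netstat | unexpected_listeners "$ALLOWED_PORTS"
```

A root kit that replaces or hooks Netstat can hide its own listener, so an empty result is inconclusive rather than a clean bill of health.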
Douglas Schweitzer is an Internet security specialist with a focus on malicious code. He is the author of several books, including Internet Security Made Easy, Securing the Network from Malicious Code and the recently released Incident Response: Computer Forensics Toolkit.
Once you've discovered that a computer has been infected by a root kit or backdoor Trojan, you should immediately disconnect any compromised systems from the Internet and/or company network by removing all network cables, modem connections and wireless network interfaces.
The next step is system restoration, using one of two basic methods for cleaning the system and bringing it back online. You can attempt to remove the effects of the attack with antivirus/anti-Trojan software, or you can take the better choice and reinstall your software and data from known good copies.
For more detailed information about recovering from a system compromise, check out the CERT Coordination Center guidelines posted at www.cert.org/tech_tips/root_compromise.html.