Spotting strange connections on the network

A few nights back, I was sorting the pile of books, newspapers and magazines in the bedside reading pile into two more piles: “no time to read so send for recycling”; and “I really must read that”. As I did so, I came across a copy of .net magazine that included an article on using netstat.exe to detect spyware. This is a well-known, but often forgotten tool in the IT administrator’s arsenal:

netstat -a

will give a list of all network and Internet connections, detailing the protocol (e.g. TCP or UDP), local IP address (and port), foreign (remote) IP address (and port) and the state of the connection.

netstat -an

will display addresses in numeric form, so it’s pretty easy to spot those that are listening from another network and a whois lookup will help work out who’s listening in who shouldn’t be (often it will turn out to be something intentional).

netstat -abnv

will take it a step further and show you the applications and components used to initiate the connection – look out on this list and you should be able to spot any strange applications and google them to find out what they are.

Incidentally, netstat is not just for Windows, but the command switches I gave above are. If you are using Windows and you don’t like the command line, then TCPView is a former Sysinternals tool (now owned by Microsoft) that provides a GUI front end for netstat, including whois lookups and process properties. Another useful tool is Nir Sofer’s CurrPorts, which displays the list of all open TCP and UDP ports along with information about the process that opened the port (including highlighting suspicious processes) and the ability to close unwanted TCP connections, kill the process that opened the ports, and save the information to a file.

Leave a Reply