Karl's Cool Tools Podcast

Tuesday, January 10, 2006

Show #2: Worm-hunting with netstat and tasklist

With Windows XP, Microsoft improved on some of the command-line tools, and added new ones. I've used some of these improvements to diagnose worm problems.

If you suspect that a machine has a virus or worm, one confirmation can be a large number of unexplained network connections as the worm attempts to spread. For example, Sasser and its variants would open dozens of outbound connections to TCP ports 139 or 445 on many different addresses; since most of those targets never answer, the connections tend to sit in the SYN_SENT state.

The netstat command has always been available to list network connections, but XP and Server 2003 added the -o switch, which lists the process ID (PID) that owns each connection. I usually run netstat -no to list the process IDs and skip resolving IP addresses to machine names (add -a if you also want to see listening ports). XP SP2 and Server 2003 SP1 also added -b, which prints the executable name next to each connection, but it can take a while and fails unless you have sufficient permissions.

If you see a process ID that has created a lot of network connections, you need to figure out the process name. You can use Task Manager and add the PID column (View, Select Columns), or you can use the new tasklist command like so (say we want to find the name for PID 1234):
tasklist /fi "pid eq 1234"

In the past I have recommended the PsTools suite from Sysinternals for things like this, but XP now has its own tasklist and taskkill, so once you know the PID you can identify and terminate the process without any extra downloads (PsTools is still worth checking out for its other tools).
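To make the netstat-then-tasklist step less of an eyeball exercise, here is an added example (not Karl's code and not from the show): a script that parses saved netstat -no output, counts connections per PID, and flags any PID with a burst of outbound TCP connections to 139 or 445. The netstat text embedded in it is constructed, with made-up addresses and a hypothetical scanning PID 1234; on a real box you would run netstat -no > conns.txt and pass the file contents to triage().

```python
"""Triage the output of `netstat -no` for worm-style connection bursts.

Added example for these show notes; it is not Karl's code.  Run
`netstat -no > conns.txt` on the suspect XP / Server 2003 box, then call
triage(open("conns.txt").read()).  NETSTAT_SAMPLE below is constructed to
look like a Sasser-style scan from a hypothetical PID 1234.
"""
import re
from collections import Counter, defaultdict, namedtuple

Conn = namedtuple("Conn", "proto laddr lport faddr fport state pid")

# One row of `netstat -no`: proto, local addr:port, foreign addr:port,
# optional state (UDP rows have none), PID.  Ports may be '*' for UDP.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return a Conn for every connection row; headers and blanks are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        lport = None if m["lport"] == "*" else int(m["lport"])
        fport = None if m["fport"] == "*" else int(m["fport"])
        conns.append(Conn(m["proto"], m["laddr"], lport, m["faddr"], fport,
                          m["state"], int(m["pid"])))
    return conns


def connections_per_pid(conns):
    """Step one of the hunt: which PIDs own the most connections?"""
    return Counter(c.pid for c in conns)


def suspicious_pids(conns, ports=(139, 445), threshold=20):
    """PIDs with at least `threshold` outbound TCP connections to `ports`.

    Only the *foreign* port is checked, so a file server that merely accepts
    inbound SMB (local port 445) is not flagged; a process that opens dozens
    of outbound 139/445 connections to different hosts is.  SYN_SENT rows
    are counted separately because most of a worm's targets never answer.
    """
    hits = defaultdict(lambda: {"count": 0, "hosts": set(), "syn_sent": 0})
    for c in conns:
        if c.proto != "TCP" or c.fport not in ports:
            continue
        h = hits[c.pid]
        h["count"] += 1
        h["hosts"].add(c.faddr)
        if c.state == "SYN_SENT":
            h["syn_sent"] += 1
    return {pid: {"count": h["count"], "hosts": len(h["hosts"]),
                  "syn_sent": h["syn_sent"]}
            for pid, h in hits.items() if h["count"] >= threshold}


def triage(text, **kw):
    """Parse netstat text and return the flagged PIDs with their statistics."""
    return suspicious_pids(parse_netstat(text), **kw)


# Constructed sample (hypothetical addresses and PIDs) shaped like XP's
# `netstat -no`: ordinary traffic from PIDs 4 and 888, including one
# *inbound* SMB session on local port 445, plus a burst of outbound 445
# attempts from PID 1234, most of them stuck in SYN_SENT.
_HEADER = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:445        192.168.1.30:3021      ESTABLISHED     4
  TCP    192.168.1.5:1029       192.168.1.20:139       ESTABLISHED     4
  TCP    192.168.1.5:1041       10.0.0.3:80            ESTABLISHED     888
  TCP    192.168.1.5:1042       10.0.0.3:443           ESTABLISHED     888
"""
_SCAN = "".join(
    "  TCP    192.168.1.5:%d       10.11.22.%d:445        %-15s %d\n"
    % (1050 + i, i, "ESTABLISHED" if i in (7, 19) else "SYN_SENT", 1234)
    for i in range(1, 31)
)
NETSTAT_SAMPLE = _HEADER + _SCAN

if __name__ == "__main__":
    for pid, n in connections_per_pid(parse_netstat(NETSTAT_SAMPLE)).most_common():
        print("PID %5d  %3d connections" % (pid, n))
    for pid, stats in triage(NETSTAT_SAMPLE).items():
        print('suspect PID %d: %s  ->  tasklist /fi "pid eq %d"' % (pid, stats, pid))
```

Feed each flagged PID to tasklist /fi "pid eq 1234" as above. If the answer is svchost.exe, tasklist /svc /fi "pid eq 1234" shows which services that instance hosts, which is worth knowing before you reach for taskkill /pid 1234 /f. Because the script counts on the foreign port, a machine that is merely being scanned (lots of inbound connections to its own port 445) is not flagged; only the process doing the scanning is.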

I hope this tip helps you out!

Links:
XP Command-line tools
PsTools Suite
Server 2003 Tools Reference

Thanks to In the Trenches!

Many thanks to Kevin Devin and George Starcher for using my blat feature as an Admin-to-Admin segment on In the Trenches. Check out the podcast at www.kevindevin.com