Karl's Cool Tools Podcast

Tuesday, January 10, 2006

Show #2: Worm-hunting with netstat and tasklist

With Windows XP, Microsoft improved on some of the command-line tools, and added new ones. I've used some of these improvements to diagnose worm problems.

If you suspect that a machine has a virus or worm, one confirmation can be large numbers of unexplained network connections as the virus attempts to spread. For example, Sasser and its variants would create dozens of connections on TCP ports 139 or 445.

The netstat command has always been available to list network connections, but in XP and Server 2003 the -o switch was added. This lists the process ID (PID) associated with each network connection. I usually run netstat -no to list the process IDs and skip resolving IP addresses to machine names (the -n switch), which keeps the listing fast on a machine that may already be struggling.

If you see a process ID that has created a lot of network connections, you need to figure out the process name. You can use Task Manager and add the PID column, or you can use the new tasklist command like so (say we want to find the name for PID 1234):
tasklist /fi "pid eq 1234"
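Doing the same thing by hand gets old when a worm has opened a few hundred connections, so here is a small script that automates the two steps above. This is an added example, not something from the podcast: it parses the text that netstat -no and tasklist /fo csv /nh print, counts connections per PID to ports 139 and 445, and joins the PIDs back to image names. The two sample outputs embedded in it are constructed for the example (the process name suspect.exe is made up), and the threshold of 4 connections is an assumption you would tune for your own machines.

```python
"""Flag processes with many connections to the ports Sasser-style worms use.

Added example, not code from the podcast. It parses the text printed by
`netstat -no` and `tasklist /fo csv /nh` on Windows XP / Server 2003.
The sample output below is constructed, not captured from a real machine.
"""
import csv
import io
from collections import Counter

WORM_PORTS = {139, 445}  # ports the podcast names for Sasser and its variants

# Constructed sample of `netstat -no` output. PID 1234 is the noisy one.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1033       192.168.1.20:445       SYN_SENT        1234
  TCP    192.168.1.5:1034       192.168.1.21:445       SYN_SENT        1234
  TCP    192.168.1.5:1035       192.168.1.22:139       SYN_SENT        1234
  TCP    192.168.1.5:1036       192.168.1.23:445       SYN_SENT        1234
  TCP    192.168.1.5:1037       192.168.1.24:445       ESTABLISHED     1234
  TCP    192.168.1.5:3389       10.0.0.7:51234         ESTABLISHED     884
  TCP    192.168.1.5:1040       10.0.0.9:80            ESTABLISHED     2100
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output (image, PID, session, ...).
TASKLIST_SAMPLE = '''"svchost.exe","884","Console","0","23,456 K"
"suspect.exe","1234","Console","0","1,234 K"
"iexplore.exe","2100","Console","0","45,000 K"
"System","4","Console","0","236 K"
'''


def parse_netstat(text):
    """Parse `netstat -no` output into dicts; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, foreign, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:  # UDP rows have no State column
            proto, local, foreign, pid = fields
            state = ""
        else:
            continue  # a row shape we do not understand; leave it alone
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": pid})
    return conns


def foreign_port(conn):
    """Return the remote port as an int, or None for '*:*' style entries."""
    port = conn["foreign"].rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2:
            names[row[1]] = row[0]
    return names


def find_suspicious(conns, ports=WORM_PORTS, threshold=4):
    """Count per-PID connections to worm ports; return PIDs at or above threshold."""
    counts = Counter(c["pid"] for c in conns if foreign_port(c) in ports)
    return {pid: n for pid, n in counts.items() if n >= threshold}


def report(netstat_text, tasklist_text, threshold=4):
    """Join both outputs into (pid, image name, count) tuples, busiest PID first."""
    names = parse_tasklist_csv(tasklist_text)
    flagged = find_suspicious(parse_netstat(netstat_text), threshold=threshold)
    rows = [(pid, names.get(pid, "<not in tasklist>"), n) for pid, n in flagged.items()]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for pid, name, n in report(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {pid} ({name}): {n} connections to ports 139/445")
```

On a live machine you would feed report() the real text, for example from subprocess.run(["netstat", "-no"], capture_output=True, text=True).stdout and the same for tasklist /fo csv /nh. A PID that shows up in netstat but not in tasklist is worth a second look too, since the process may have exited between the two commands or be hiding from tasklist.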

In the past, I have recommended the PsTools suite of tools from SysInternals for things like this, but XP now has its own tasklist and taskkill (PsTools is still worth checking out for other tools).

I hope this tip helps you out!

Links:
XP Command-line tools
PsTools Suite
Server 2003 Tools Reference

Thanks to In the Trenches!

Many thanks to Kevin Devin and George Starcher for using my blat feature as an Admin-to-Admin segment on In the Trenches. Check out the podcast at www.kevindevin.com

Friday, December 30, 2005

Show #1: blat

I originally thought of this podcast as a way to motivate me to explore the Resource Kit and Support Tools that are available from Microsoft. But when I sat down to think about which tool to talk about first, I realized that I've used blat in many more places than any of the resource kit tools.

"Blat is a Win32 command line utility that sends email using SMTP or posts to usenet using NNTP." (straight from the official blat web site at www.blat.net)

I've used blat in many scripts to send me notifications or scheduled reports. You can also send SMS messages by emailing your phone number @ the correct domain (see a list here). Of course, SMTP is not known for reliable, immediate delivery, so I wouldn't use this method for your top-priority notifications.

How do you actually use blat? Here's the quick tutorial:

  1. Figure out what smtp server you're going to use. If you're using blat to send yourself alerts and reports from your servers, you should be able to use an internal smtp server at your company.

  2. Download the latest blat zip file from www.blat.net
  3. Unzip it and copy blat.exe to somewhere on your PATH (like c:\windows or c:\windows\system32)
  4. Check out the built-in docs by running blat for the short version or blat -h for all the details.

  5. Now you're ready to use it, but you might as well tell it to store some of the options in the registry with
    blat -install smtp.yourcompany.com youremail@yourcompany.com 3
    (that tells blat to use your smtp server by default, with your from address, and 3 retries).

  6. Now, sending an email is as easy as
    blat - -t someemail@somewhere.com -s "testing blat" -body "this is a test"
    (the "-" says not to read a file for the message body, the "-t" is short for "-to", and the "-s" is short for "-subject")

Here are some tips and other usage notes:

  • Put quotes around the subject and body text if they're more than one word.

  • One way to generate the body in a batch file is to echo lines to a temporary file and then
    blat c:\temp.txt -t email@yourcompany.com -s "scheduled report"

  • Other features that blat includes are attachment handling, debug mode for troubleshooting, and POP login if you need to authenticate to a POP server before sending.

That's about it for podcast #1. Send comments or suggestions for cool admin scripting and troubleshooting tools to karl.kranich at gmail.com.