The title may look odd: how do ports, Trojans and "waves" go together? Ports and Trojans are commonplace topics, yet after so many computers were shaken by "shock wave" (Blaster) and then hit hard by "Sasser", it seems worth returning to this old topic, so that whatever wave comes next simply sweeps past gently. The ultimate aim of all of this is to keep your computer safe online.
I. Ports
A) What a port is, in general terms
Ports are an old topic, but since everything starts from them, they have to be covered. What is a port? An analogy: you live in a house. If you want others to visit, you have to open a door in the house. You keep a cute little kitten, and so that it does not make a mess you make it a small door of its own. To reach the back garden you open a back door ... Every one of these openings that lets something into the house is called a port, and the ports you open so that others can come in are called "service ports".
Suppose you want to visit a third person, Zhang San. Zhang San must have opened a door, a service port, for you, or you will be kept out. But first you must open a "door" in your own house, then go out through this "door" and straight in through Zhang San's door. The "door" you open in your own house in order to reach other people is called the "client port". It is chosen at random, is opened actively, and is closed by you once the visit is done. Its nature is different from the service port: the service port is a door left open waiting for others to come in, while the client port is a door you open yourself in order to go through someone else's door. This point must be clear.
Now the concept of a port from a more technical point of view. For networked computers to communicate they must use the same protocol; a protocol is the language of computer communication, and computers must speak the same language to talk to each other. The common language of the Internet is TCP/IP, a protocol family. In its model the fourth layer is the transport layer, which has two protocols, TCP and UDP, and both of them open ports. Ports are divided into source ports and destination ports: the source port is the one opened on this machine, and the destination port is the port on the other computer that this machine is communicating with. Source ports are in turn of two kinds, the actively opened client port and the passively connected service port. On the Internet, when you visit a website, a port is opened on your machine and connected to a port on the web server; the same happens when someone accesses your machine. In other words, a port is simply the door through which communication leaves this computer and the door through which it enters the other.
Once the system is installed, a lot of "service ports" are open by default. How do you find out which ports your computer has opened? That is what follows.
B) How to view the ports
1. The command-line method
Let's take a newly installed Windows XP system as an example and see which ports it has open, that is, which doors are left open. Without any extra tool, the command for viewing ports is netstat, used as follows:
a. Click "Start", then "Run", type cmd and press Enter.
b. At the DOS command prompt type netstat -na. Figure 2 shows the service ports that are open. Proto stands for protocol, and you can see there are two, TCP and UDP. Local Address is the local address; the number after the colon is the open port number. Foreign Address is the remote address; if another machine is communicating with you, the address shown is that machine's. State is the state of the port: LISTENING means the port is open and listening, waiting for a connection, but nothing has connected yet. It is as if you have opened the door of the house, but nobody has come in yet. First look at what the following line means.
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
This line means that this machine is waiting for connections on port 135. Note: only TCP service ports can be in the LISTENING state.
Figure 1: Viewing port status with the netstat command
2. Using the TCPView tool
To analyse the ports better, it is best to use the TCPView program. It is very small, only 93KB, and it is "green" software: it needs no installation.
Figure 3 shows the TCPView interface while running. The first time it runs the font is small; go to "Options" -> "Font" and choose a larger one. The data TCPView shows is dynamic. Local Address in Figure 3 shows the locally open ports (the number after the colon), and TCPView can also show which program opened which port. From Figure 3 you can see that ports 445, 139, 1025, 135, 5000 and others are open; 445, 139 and the like are opened by System, and ports such as 135 are opened by SVCHOST.
Figure 2: Viewing port status with TCPView
C) What the ports tell you
1. Which ports are open on this machine; that is, how many "doors" this machine has, and which of them are open?
2. What state each port is in: is the machine waiting for a connection, or already connected? If it is already connected, pay special attention to whether the connection is a normal one or an abnormal one (a Trojan, for example).
3. Is the machine currently exchanging data with other computers? Is it a normal program accessing a normal website, or is it a trap?
When you surf the web, your machine is passing data to and from other machines, and data can only pass through a port. Even a very cunning Trojan cannot transmit data without a port and without leaving a trace. Data transmission has different states at its beginning, during the transfer and at its end; to understand the three questions above thoroughly, you must understand how port states change. The following examples first show how a service port's state changes. Only TCP has states; UDP is an unreliable transport protocol and has no state.
D) How a service port's state changes
First configure an FTP service on this machine (IP address 192.168.1.10), then access that FTP service from another computer (IP address 192.168.1.1) and watch the port's state change in TCPView.
The lines shown below are taken from TCPView's display.
1. The LISTENING state
When the FTP service starts it is at first in the listening (LISTENING) state.
State shows LISTENING, which means the port is open and listening, waiting for a connection, but nothing has connected yet. It is as if you have opened the door of the house, but nobody has come.
In TCPView you can see the FTP service open on this machine. The line means: the inetinfo.exe process has opened port 21 (21 is FTP's default port), so this machine has the FTP service open, and it is currently in the listening state.
inetinfo.exe: 1260 TCP 0.0.0.0:21 0.0.0.0:0 LISTENING
2. The ESTABLISHED state
Now access the FTP service on 192.168.1.10 from 192.168.1.1. In TCPView on this machine you can see the port's state change to ESTABLISHED.
ESTABLISHED means the connection is established: the two machines are communicating.
The line below shows that the machine 192.168.1.1 is accessing this computer's FTP service.
inetinfo.exe: 1260 TCP 192.168.1.10:21 192.168.1.1:3009 ESTABLISHED
Note: connections in the ESTABLISHED state deserve special attention, because they may not be normal connections. This issue is addressed later.
3. The TIME_WAIT state
Now end the access from 192.168.1.1 to the FTP service on 192.168.1.10. In TCPView on this machine you can see the port's state change to TIME_WAIT.
TIME_WAIT means the connection has ended: port 21 was accessed, but the visit is over.
[System Process]: 0 TCP 192.168.1.10:21 192.168.1.1:3009 TIME_WAIT
4. Tips
a. You can telnet to an open port and watch the port's state change. For example, to check whether port 1025 is open, run the following at the command prompt (open cmd as in Figure 1):
telnet 192.168.1.10 1025
b. You can also test from this machine itself, but then what is shown is this machine connecting to itself.
c. Double-clicking a connection in TCPView shows where the program is located; right-clicking a connection and choosing End Process ends the connection.
E) How a client port's state changes
A client port is actually the source port this machine opens in order to access a service on another computer. Most Internet applications work this way. The following example accesses baidu.com and watches which port is opened and how its state changes.
1. The SYN_SENT state
SYN_SENT means a connection has been requested. When you want to access a service on another computer, your computer first sends a synchronization signal to that port; at that moment the state is SYN_SENT, and if the connection succeeds it becomes ESTABLISHED, so the SYN_SENT state normally lasts only a very short time. However, if you find many SYN_SENT entries, sent to many different machines, your machine may be infected with a virus of the Blaster or Sasser kind. To infect other computers, such a virus has to scan them, and for each computer scanned it sends a synchronization request; that is why so many SYN_SENT entries appear.
The line below shows the initial state when this machine connects to the baidu.com website; if your network is normal it quickly becomes ESTABLISHED.
IEXPLORE.EXE: 2928 TCP 192.168.1.10:1035 202.108.250.249:80 SYN_SENT
2. The ESTABLISHED state
The line below shows this machine accessing the baidu.com website. If you visit a site with many elements, such as www.yesky.com, you will find many ESTABLISHED connections to one address. This is normal: each piece of content on the site, such as a picture or a Flash animation, needs its own connection. When you see the ESTABLISHED state, pay attention to the process: here the connection was initiated by IEXPLORE.EXE (IE). If the connection was initiated by a program with a name like EXPLORE.EXE instead, your computer may have a Trojan.
IEXPLORE.EXE: 3120 TCP 192.168.1.10:1045 202.108.250.249:80 ESTABLISHED
3. The TIME_WAIT state
When you have finished browsing the page, the state becomes TIME_WAIT.
[System Process]: 0 TCP 192.168.1.10:4259 202.108.250.249:80 TIME_WAIT
F) The full diagram of port state changes
These are the most important states; there are actually a few more. Figure 4 is the detailed TCP state transition diagram (cut from TCP/IP Illustrated). The thick solid arrows show the client's normal state changes and the thick dashed arrows show the server's normal state changes. Those details are beyond the scope of this article; interested friends can study them in depth.
Figure 3: TCP state transition diagram
G) Key points
Ordinary users must be familiar with the following (a few more long-winded words):
1. For service ports the key states to watch are LISTENING and ESTABLISHED: LISTENING shows which ports this machine has open, and ESTABLISHED shows who is accessing your machine and from which address.
2. For client ports the states to watch are SYN_SENT and ESTABLISHED: SYN_SENT is this machine requesting a connection to another computer, and normally it exists for a very short time, but if this machine sends out a large number of SYN_SENT it may be infected. ESTABLISHED shows which machines this machine is exchanging data with; the main thing to check is whether the connection was initiated by a normal program.
II. Trojans
What is a Trojan? Put simply, it is something that sneaks onto your computer without your permission and opens a back door. A Trojan can open its back door in two ways.
1. Trojans that open a service port
This kind of Trojan opens a service port as its back door. Once it succeeds, the back door is in the LISTENING state. Its port number may be fixed or may change, and the Trojan may even share a normal port: for example, if you have the normal port 80 (web service) open, the Trojan can also use port 80. The biggest characteristic of this kind is that the Trojan leaves a port in the LISTENING state and needs a remote computer to connect to it. For the average user this kind of Trojan is easier to defend against: set the firewall to refuse connections from outside to inside and that is enough. The reverse-connection ("rebound") Trojan is harder to guard against.
2. Reverse-connection Trojans
A reverse-connection Trojan connects from the inside out, so it can effectively penetrate the firewall, and even if you are on an internal network IP it can still reach your computer. The principle of this Trojan is that the server side actively connects to the client's (the hacker's) address. The Trojan's server program, just like Internet Explorer, uses a dynamically allocated port to connect to a port on the client, usually a commonly used port such as 80. To hide itself better it uses a file name like iexpiore.exe or explorer (IE's program is IEXPLORE.EXE); if you do not look carefully you may take it for your Internet Explorer, and so your firewall is fooled. If you see a connection like the following in TCPView, take note: it is most likely this kind of Trojan.
iexpiore.exe 192.168.1.10 (the local IP): 1035 (your port) YYYY (remote IP): 80 (remote port)
Or Rundll32.exe 192.168.1.10 (the local IP): 1035 (your port) YYYY (remote IP): 80 (remote port)
Or explorer.exe 192.168.1.10 (the local IP): 1035 (your port) YYYY (remote IP): 80 (remote port)
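To turn the rules of thumb from the key points above (many SYN_SENT entries to different hosts) and from this section (web connections made by lookalike or unexpected program names) into an actual check, here is an added Python example that parses constructed TCPView-style lines. It is not part of the original article; the sample connections, the list of imitated process names and the cut-off of four SYN_SENT targets are assumptions made for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout TCPView shows ("process: pid proto local remote state").
# The addresses, PIDs and the iexpiore.exe / worm.exe entries are made up for this demo.
SAMPLE = """\
inetinfo.exe: 1260 TCP 0.0.0.0:21 0.0.0.0:0 LISTENING
inetinfo.exe: 1260 TCP 192.168.1.10:21 192.168.1.1:3009 ESTABLISHED
IEXPLORE.EXE: 2928 TCP 192.168.1.10:1035 202.108.250.249:80 ESTABLISHED
[System Process]: 0 TCP 192.168.1.10:4259 202.108.250.249:80 TIME_WAIT
iexpiore.exe: 3301 TCP 192.168.1.10:1036 203.0.113.7:80 ESTABLISHED
explorer.exe: 1488 TCP 192.168.1.10:1040 203.0.113.8:80 ESTABLISHED
worm.exe: 2000 TCP 192.168.1.10:1101 192.168.2.1:445 SYN_SENT
worm.exe: 2000 TCP 192.168.1.10:1102 192.168.2.2:445 SYN_SENT
worm.exe: 2000 TCP 192.168.1.10:1103 192.168.2.3:445 SYN_SENT
worm.exe: 2000 TCP 192.168.1.10:1104 192.168.2.4:445 SYN_SENT
"""
LINE = re.compile(
    r"^(?P<proc>.+?):\s*(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+(?P<raddr>[\d.*]+):(?P<rport>[\d*]+)\s*(?P<state>\S*)$"
)
# Well-known Windows process names a Trojan may imitate with a one-letter change (assumed list).
KNOWN = {"iexplore.exe", "explorer.exe", "svchost.exe", "rundll32.exe", "lsass.exe"}
# Programs the article says should not be opening web connections on their own.
NOT_WEB_CLIENTS = {"explorer.exe", "rundll32.exe"}
SCAN_THRESHOLD = 4  # assumed cut-off: SYN_SENT to this many distinct hosts looks like scanning

def parse(text):
    """Return one dict per TCP line (proc, pid, laddr, lport, raddr, rport, state); others skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m["proto"] == "TCP":
            rows.append(m.groupdict())
    return rows

def state_counts(rows):
    """How many connections are in each TCP state (LISTENING, ESTABLISHED, ...)."""
    return Counter(r["state"] for r in rows)

def lookalike(name):
    """True if name differs from a well-known process name by exactly one character."""
    n = name.lower()
    return any(len(n) == len(k) and n != k and sum(a != b for a, b in zip(n, k)) == 1
               for k in KNOWN)

def analyze(text):
    """Apply the article's rules of thumb; return (rule, process, detail) findings in order."""
    rows = parse(text)
    findings, syn_targets = [], defaultdict(set)
    for r in rows:
        # Outbound web traffic: client port on our side, remote port 80, live or still connecting.
        outbound = r["state"] in ("ESTABLISHED", "SYN_SENT") and r["rport"] == "80"
        if outbound and lookalike(r["proc"]):
            findings.append(("lookalike-name", r["proc"], f"-> {r['raddr']}:{r['rport']}"))
        elif outbound and r["proc"].lower() in NOT_WEB_CLIENTS:
            findings.append(("unexpected-web-client", r["proc"], f"-> {r['raddr']}:{r['rport']}"))
        if r["state"] == "SYN_SENT":
            syn_targets[r["proc"]].add(r["raddr"])
    # Many half-open connections to different hosts is the scanning pattern described above.
    for proc, hosts in syn_targets.items():
        if len(hosts) >= SCAN_THRESHOLD:
            findings.append(("syn-fanout", proc, f"{len(hosts)} distinct hosts"))
    return findings
```

On a real machine you would feed it the text copied from TCPView (or from netstat -nao with a process column added) instead of the constructed SAMPLE.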
III. Security
The point of understanding ports is to stay safe online. Following the ideas above, you can protect yourself in the following ways.
A) Close unneeded ports
An average Internet user only needs to be able to reach the Internet; nobody else needs to reach the user, so no service port needs to be open. Under Win 98 it is possible to go online with no service ports open at all; under Win XP, Win 2000 and Win 2003 it is not, but you can close the unnecessary ports. Figure 3 shows the ports open on a default installation of Win XP; closing the unnecessary ones is shown below as an example.
1. Close ports 137, 138, 139 and 445
These ports are opened for sharing; they are used by the NetBIOS protocol. Ordinary Internet users do not need anyone else to share their content, and these are also the ports with the most vulnerabilities. There are many ways to close them; a trick recently learned from the Internet is very easy and closes all of these ports completely.
Start -> Control Panel -> System -> Hardware -> Device Manager -> View -> Show hidden devices -> Non-Plug and Play Drivers -> NetBios over Tcpip.
Figure 5 shows the interface once the device is found; disable it and restart immediately afterwards.
Figure 4: Closing ports 137, 138, 139 and 445
2. Close port 123
Some worms can use UDP port 123. To close it, stop the Windows Time service, as in Figure 6.
Figure 5: Closing port 123
3. Close port 1900
An attacker only needs to send forged UDP packets to many Win XP systems on a network to make those Win XP hosts attack a specified host (DDoS). Also, if a UDP packet sent to port 1900 has its "Location" field pointing at the chargen port of another system, the system can be sent into an infinite loop that consumes all system resources (this requires the related hardware to be installed and the service opened manually).
To close port 1900, stop the SSDP Discovery Service, as shown in Figure 7.
Figure 6: Closing port 1900
After closing the flawed or unneeded ports in the ways above, is everything fine? No, because some ports cannot be closed. Port 135, for example, is opened by the RPC service, and if that service is stopped the computer shuts down; likewise ports 500 and 4500, opened by Lsass, cannot be closed. Blaster exploited port 135, and that port cannot be closed, so the best remedy is to patch. The next most common approach is to close the ports of the corresponding services, but it is hard for an average user to judge which of these services are actually useful, and hard to find out which services can be stopped to close a port. The best way is the one discussed next: installing a firewall. The role of a firewall is like this: whether you live in a solid house or in one riddled with holes, as long as you build a wall around it that lets nothing through, the house inside the wall is safe.
B) Firewalls
For the average user there are the following three kinds of firewall.
1. The built-in firewall
For the built-in firewall settings of Win XP and Win 2003, please refer to the author's earlier article; they are not repeated here.
2. The ADSL modem's firewall
If you access the Internet through ADSL, it is best, where conditions allow, to set the ADSL modem to address translation (NAT) mode, which is what we usually call routing mode (routing and NAT are not actually the same thing, but call it that for now). The biggest advantage of NAT mode is that once it is set up, the ADSL modem itself is a firewall: it generally has only ports such as 80, 21 and 161 open, and those are open so that the modem can be configured. If you have not set up port mapping, a computer behind the ADSL modem is rarely attacked from a remote computer. The biggest security risk of ADSL modems is that many users do not change the default password. If a hacker gets into your modem, he can very likely set up a port mapping into your computer, so be sure to change the default password.
The built-in firewall and a basic ADSL modem in NAT mode can both withstand attacks from outside to inside. That means that even if a service port is open (whether a port opened by the system or a service port opened by a Trojan), hackers and viruses of the Blaster kind cannot reach your computer. But a firewall that blocks connections from outside to inside cannot block connections from inside to outside; when you open a web page or chat on QQ, that is a connection from inside to outside, and a reverse-connection Trojan uses exactly this to get through the firewall and steal data from your machine. Reverse-connection Trojans are very subtle, but they cannot hide completely; the best way to guard against this kind of Trojan is a third-party firewall.
3. Third-party firewalls
As said earlier, reverse-connection Trojans hide themselves better, using file names like iexpiore.exe or explorer to resemble IE's IEXPLORE.EXE, names like rundll32, or names resembling some system file. But the essence of a Trojan is communication with a remote computer, and wherever there is communication there is a trace. As shown below, a normal connection is initiated by IEXPLORE.EXE, whereas the abnormal one is initiated by the Trojan's explorer.
Figure 7: Normal connection
Figure 8: Trojan connection
Ordinary application firewalls have a setting for application network-access permissions, shown in Figure 8. Choose the option that does not allow the application (X) to access the network, and it is blocked from the network.
Before writing this article, the author had a reverse-connection Trojan that made outbound connections as the explorer program; several virus scanners did not detect it. I first used the Skynet firewall to stop its network access, and then with great difficulty removed it by hand. Unfortunately no screenshots were taken; it was sacrificed for the sake of writing this article.
4. Ending a connection with TCPView
When you see in TCPView a connection that may not be normal, you can right-click the connection in TCPView and choose End Process to end it.
IV. Scanning
Scanning is a big topic in itself, covering port scanners (SuperScan), vulnerability scanners (X-Scan) and so on; it will be covered in a later article. This article only briefly discusses online security tests for the general user. Once you have taken the appropriate security measures described above, connect to the Internet and find a website that tests system security online to check your current security situation, such as the following sites:
1. Millennium Online: online test
2. Blue Shield online detection
3. Skynet Security Online
4. Norton online safety test
Note that the test found ports 21, 23 and 80 open on the tested machine, but these are the ADSL modem's service ports; the modem provides no way to change or close them. That is all right, as long as the password is made a little more complex.
V. Sasser
If you have closed port 445 or turned on the firewall as described above, viruses like Sasser will not bother you; there are already too many articles about the Sasser virus, so it is not discussed here. Just do the security work well, and whether it is a big shock wave or a small ripple, it can only pass in front of your computer without being able to do anything.
VI. Epilogue
There are many security settings that can be made on a computer, but for the average user too many security settings are equivalent to no security, because even for professionals computer security settings are not an easy matter, let alone for average users whose computer knowledge is limited. If ensuring safety required a lot of settings, most people would certainly not do them. My personal advice for the average user is to do what can be done, such as:
1. Be sure to install anti-virus software before going online, and update it promptly.
2. Install at least one firewall; ADSL users are best served by using routing mode and changing the default password.
3. Patch often; Windows users should set the system to update automatically.
4. What you ought to do is look at the connections in TCPView often, to guard against reverse-connection Trojans. Look often enough, and over time you may become an expert.
5. UDP is an unreliable transport protocol with no state, so from TCPView it is hard to tell whether it is transmitting data. Interested friends can use protocol analysis tools such as Iris or Sniffer to see whether there is UDP traffic. This topic will be covered later.
6. This article's title is grand, but what it writes about are things many people have already said; it is nothing deep.
One more thing to bear in mind: network security will always be an eternal topic. There is no absolute security, but being aware of prevention is better than leaving the door open without knowing it.