Thursday, 27 May 2010

Using Fport

 Assalamu'alaikum.

Fport is a free tool from Foundstone that lists every open TCP and UDP port on the system together with the process (PID, name and image path) that owns it. Look through the output for programs that don't belong on the machine, then stop them with a command-line kill utility such as PsKill. Trojans and some viruses typically listen on non-standard ports, which is a strong clue that a system is compromised. Watch out for open high-numbered ports such as 3112, 31337, 12345 and 65000, but treat a port number only as a lead: a backdoor can use any port, so always check which image owns the port before deciding. Fport runs on Windows NT4, Windows 2000 and Windows XP.

Installation:
Go to http://www.foundstone.com/knowledge/proddesc/fport.html to download fport.

After you unzip the archive, place all three files directly in the root of your C: drive. Fport is not added to your PATH, so in the command prompt you must change to the directory that holds fport.exe (or type its full path) before running it.

Usage:

Once installed, invoke fport like this:
Start --> Run --> cmd
C:\> cd \
C:\> fport -p
 
If you want to redirect the output of fport into a file (>> appends to the file if it already exists; use a single > to start a fresh file):
C:\> fport -p >> [filename].txt

Sample fport output:

 Here is what the text file will look like if you redirect the output to a file, in this case "results.txt":

From looking at the results we can see every open port on the machine and the program that opened each one. TCP and UDP port 135 is the Windows RPC endpoint mapper, and ports 137, 138 and 139 belong to NetBIOS, so these are normally present on a Windows machine and can usually be ignored when looking for anomalies. In this output ports 1026 and 1963 are opened by the Windows Task Scheduler, which is normal. Ports 2967 and 4069 are opened by C:\Program Files\NavNT\rtvscan.exe; this is Norton AntiVirus, waiting for a virus definition update. Having these ports open is not unusual for a Windows system. Judge each line by the image path as well as the port: a process named svchost.exe or lsass.exe that runs from a Temp directory or a user profile instead of the system32 folder is suspicious even on a familiar port, because malware commonly borrows the names of legitimate Windows processes.
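The triage described above can be scripted. The following Python script is an added example, not code from the original post or from Foundstone: it reads the text file produced by "fport -p > results.txt" and applies the post's rules of thumb (baseline Windows ports, the listed backdoor ports, and a check that core process names run from system32). It assumes the column layout of Fport 2.0 output (Pid, Process, ->, Port, Proto, Path); the sample output embedded in it is constructed, not captured from a real machine, and the directory and process-name lists are my own assumptions about a default installation on drive C:.

```python
"""Triage helper for Fport output (added example, not part of the original post).

Parses the text produced by `fport -p > results.txt` and flags listeners the
post describes as suspicious. The column layout assumed here
(Pid  Process  ->  Port  Proto  Path) follows Fport 2.0's report; adjust LINE_RE
if your version prints something different.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample output (not captured from a real machine). The svchost and
# lsass lines near the bottom are made-up examples of what should stand out.
SAMPLE_OUTPUT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
508   MSTask         ->  1026  TCP   C:\\WINNT\\system32\\MSTask.exe
1204  rtvscan        ->  2967  TCP   C:\\Program Files\\NavNT\\rtvscan.exe
1488  svchost        ->  31337 TCP   C:\\WINNT\\Temp\\svchost.exe
1612  lsass          ->  12345 UDP   C:\\Documents and Settings\\user\\lsass.exe
8     System         ->  137   UDP
8     System         ->  138   UDP
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Ports the post treats as normal Windows noise: 135 is the RPC endpoint
# mapper, 137-139 are NetBIOS, 445 is SMB over TCP (Windows 2000 and later).
BASELINE_PORTS = {135, 137, 138, 139, 445}
# High-numbered ports the post calls out as classic trojan listeners.
SUSPECT_PORTS = {3112, 31337, 12345, 65000}
# Where genuine copies of core Windows binaries live (assumed install drive C:).
SYSTEM_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")
TRUSTED_PREFIXES = SYSTEM_DIRS + ("c:\\winnt\\", "c:\\windows\\", "c:\\program files\\")
# Process names malware likes to borrow; the real ones only run from system32.
SYSTEM_NAMES = {"svchost", "lsass", "services", "winlogon", "csrss", "smss", "spoolsv"}


@dataclass
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str  # empty when fport prints no image path for the process


def parse_fport(text: str) -> List[Listener]:
    """Return one Listener per data row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(Listener(int(m[1]), m[2], int(m[3]), m[4], m[5]))
    return rows


def triage(listeners: List[Listener]) -> List[Tuple[Listener, List[str]]]:
    """Apply the post's rules of thumb; return (listener, reasons) for each hit."""
    hits = []
    for l in listeners:
        reasons = []
        if l.port in SUSPECT_PORTS:
            reasons.append("listens on a well-known backdoor port")
        path = l.path.lower()
        if path:
            if "\\temp\\" in path:
                reasons.append("image runs from a Temp directory")
            if l.process.lower() in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
                reasons.append("system process name but image is outside system32")
            elif not path.startswith(TRUSTED_PREFIXES):
                reasons.append("image outside the Windows and Program Files trees")
        elif l.port not in BASELINE_PORTS:
            reasons.append("no image path and port is not in the baseline")
        if reasons:
            hits.append((l, reasons))
    return hits


def report(text: str) -> str:
    """Human-readable summary of triage() for a whole fport dump."""
    lines = []
    for l, reasons in triage(parse_fport(text)):
        lines.append(f"PID {l.pid:<5} {l.process:<10} {l.proto} {l.port:<5} {l.path or '(no path)'}")
        lines.extend(f"    - {r}" for r in reasons)
    return "\n".join(lines) if lines else "nothing flagged"


if __name__ == "__main__":
    # Usage: python fport_triage.py results.txt   (no argument: built-in sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(report(text))
```

Run it against the built-in sample and only the two planted lines are reported; the baseline NetBIOS, RPC, Task Scheduler and Norton entries pass quietly. The path checks matter more than the port list: the fake svchost.exe would be flagged even if it listened on port 80, because it runs from Temp rather than system32.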

The program has five (5) switches. Each switch may be given with either a '/' or a '-' in front of it. The switches are:
Usage:
/? usage help
/p sort by port
/a sort by application
/i sort by pid
/ap sort by application path

If you would like to use PsKill to stop unwanted processes, you can download it from http://www.sysinternals.com/ntw2k/freeware/pskill.shtml. It is compatible with Windows NT, 2000 and XP.
If you would like more help interpreting your results, you can mail us the [filename].txt file and we will help you evaluate which ports need to be open and which programs may or may not be legitimate. Please email us at mailto:cavere.org?subject=Fport Assessment.

Wassalamu'alaikum.






 

wahyu/~teardrop Copyright © 2010 Designed by Wahyu Adi Prasetyo