Monitor Ports on Windows

This tutorial shows how to check whether you are infected with worms, trojans and other malware by watching the network connections your machine makes. Along the way you'll learn how to run DOS/cmd programs in a for loop.
Say we want to loop over and over watching for port 80 connections (perhaps we are hunting a worm and want to find out where it connects to, or we want to inspect every connection our computer makes without our permission or knowledge). This is a typical way of investigating a spyware infection.

Port 80 is the standard HTTP port, and most worms and malware phone home over HTTP (port 80) or HTTPS (encrypted HTTP on port 443), because that traffic blends in with ordinary browsing. In reality spyware can use any port; these are simply the most common. We could just as well look at all "TCP" connections and see which ports they use. For now, assume it's port 80 you are looking for:
On Linux, you'd simply type:

shell>watch "netstat -ano |grep ':80'"

Windows has no "watch" command by default. There are several ports of it on the resource CD, but that isn't a default install for most users. So let's expand the example and pretend we want to see all connections on port 80 on a Windows box:

netstat -ano | find ":80"

using netstat to monitor port 80
This shows you what is happening at that moment, but to keep monitoring you'd have to press the up arrow and rerun the command over and over. Bleh.
So, put it in a for loop (a /L loop that starts at 0, steps by 0 and ends at 0 never finishes, so this runs until you press Ctrl+C; the loop variable must be a letter such as %i):

for /L %i in (0,0,0) do netstat -ano|find ":80"

for loop netstat ano find port 80 - scrolling by too fast

But this scrolls past like a jack rabbit on crack as soon as I open a browser, so we'll slow it down with a ping between iterations, chained onto the command with the & operator.
We'll ping the reserved multicast address 224.0.0.0 once (-n 1) and wait up to 2000 milliseconds (2 seconds, -w 2000) for a reply that never comes. This is a hack that pauses for about 2 seconds (on Vista and later you can use timeout /t 2 /nobreak instead, but the ping trick works on every version):

ping -n 1 -w 2000 224.0.0.0

And to put the loop, the command and the pause together (note the single & before the pause, not &&: find sets the error level to 1 when nothing matches, and && would then skip the pause and spin the loop at full speed):

for /L %i in (0,0,0) do @netstat -ano|find ":80" & @ping -n 1 -w 2000 224.0.0.0

using ping to slow down a for loop - still ugly

It's slow now and readable, but still ugly and hard to monitor casually, so I'll use @ (don't echo each command), cls (clear the screen before every pass) and >NUL (throw away the ping output) so that only the netstat lines stay on screen and changes are easy to see. Final tweaks (again a single & before the pause, so it runs even when find matches nothing):

for /L %i in (0,0,0) do @cls & @netstat -ano|find ":80" & @ping -n 1 -w 2000 224.0.0.0 >NUL

Monitoring Port 80, Real time - looks nice!

And a few seconds later, if we keep monitoring (after the TCP connections I initiated have been closed), the sockets show up in LAST_ACK:
Using a for loop, ping and netstat to monitor port 80 - LAST_ACKs

And so on.
Decide which port you care about, and the loop will show you which IP addresses it is talking to.
For example, to watch all TCP connections instead, you'd say:

for /L %i in (0,0,0) do @cls & @netstat -ano | find "TCP" & @ping -n 1 -w 2000 224.0.0.0 >NUL

And just a few seconds later, after most of the connections have been closed and dropped into TIME_WAIT:

Real time port monitoring on windows - TIME_WAIT

Other Examples:
SSH:

for /L %i in (0,0,0) do @cls & @netstat -ano | find ":22" & @ping -n 1 -w 2000 224.0.0.0 >NUL

FTP:

for /L %i in (0,0,0) do @cls & @netstat -ano | find ":21" & @ping -n 1 -w 2000 224.0.0.0 >NUL

RDP:

for /L %i in (0,0,0) do @cls & @netstat -ano | find ":3389" & @ping -n 1 -w 2000 224.0.0.0 >NUL

Be creative: a loop can find and monitor whatever is useful, such as all TCP connections that are not IPv6. Here I add a second find, this time with /V to drop matching lines. netstat prints IPv6 endpoints in square brackets ([::]:135, [::1]:49152, [fe80::1%12]:546), so filtering on "[" drops every IPv6 row, whereas filtering on "::" only catches addresses that contain a compressed run of zeros:

for /L %i in (0,0,0) do @cls & @netstat -ano|find "TCP"|find /V "[" & @ping -n 1 -w 2000 224.0.0.0 >NUL

Monitoring TCP Connections in Real Time on Windows

Simply replace the netstat -ano | find "..." part with whatever commands/parameters you want to monitor and this DOS one-liner will monitor it for you in real time. Adjust the -w value in ping -n 1 -w 2000 224.0.0.0 if you want screen updates to happen faster or slower; each 1000 ms is one second, so for a 10 second wait use ping -n 1 -w 10000 224.0.0.0.
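The loop above is the whole technique: snapshot, filter, pause, repeat. As an added example (not code from the original post), here is the same idea as a small Python script for Windows: it runs netstat -ano on each pass, but instead of clearing the screen it keeps the previous snapshot and prints only the connections that appeared or disappeared, filters on the exact port rather than the substring ":80" (which also matches :8080), and drops IPv6 rows by their square brackets. Everything in it is assumed or constructed: the Conn, parse_netstat, select, diff and watch names are mine, and the SAMPLE_T0/SAMPLE_T1 snapshots are made-up netstat output (203.0.113.0/24 is a documentation range), not real captures.

```python
"""Watch Windows connections for changes; added example, not the post's code.
Polls `netstat -ano` like the cmd one-liner, but prints only what changed.
SAMPLE_* snapshots below are constructed, not real captures."""
from __future__ import annotations

import subprocess
import sys
import time
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str  # empty for UDP, which has no State column
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -ano` output. UDP rows have 4 fields, TCP rows 5,
    so the PID is read from the end of the line, not a fixed column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        state = parts[3] if len(parts) >= 5 else ""
        conns.append(Conn(parts[0], parts[1], parts[2], state, int(parts[-1])))
    return conns


def port_of(endpoint: str) -> Optional[int]:
    """'74.125.19.19:443' -> 443, '[::]:135' -> 135, '*:*' -> None."""
    _, _, port = endpoint.rpartition(":")
    return int(port) if port.isdigit() else None


def is_ipv6(endpoint: str) -> bool:
    """netstat brackets every IPv6 endpoint: [::]:135, [fe80::1%12]:546."""
    return endpoint.startswith("[")


def select(conns: Iterable[Conn], port: Optional[int] = None,
           proto: Optional[str] = None, ipv4_only: bool = False,
           states: Optional[Set[str]] = None) -> List[Conn]:
    """The `find` filters, done on parsed fields instead of substrings."""
    keep = []
    for c in conns:
        if proto and c.proto != proto:
            continue
        if ipv4_only and (is_ipv6(c.local) or is_ipv6(c.remote)):
            continue
        if port is not None and port not in (port_of(c.local), port_of(c.remote)):
            continue
        if states and c.state not in states:
            continue
        keep.append(c)
    return keep


def diff(prev: Set[Conn], cur: Set[Conn]) -> Tuple[List[Conn], List[Conn]]:
    """(new, gone) between two snapshots."""
    return sorted(cur - prev), sorted(prev - cur)


def snapshot() -> List[Conn]:
    """Run the real netstat (Windows only)."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True,
                         text=True, check=True).stdout
    return parse_netstat(out)


def watch(port: Optional[int] = None, interval: float = 2.0,
          ipv4_only: bool = True) -> None:
    """Poll forever; time.sleep replaces the `ping -n 1 -w 2000` pause."""
    prev: Set[Conn] = set()
    while True:
        cur = set(select(snapshot(), port=port, ipv4_only=ipv4_only))
        new, gone = diff(prev, cur)
        for sign, rows in (("+", new), ("-", gone)):
            for c in rows:
                print(f"{sign} {c.proto} {c.local} -> {c.remote} {c.state} pid={c.pid}")
        prev = cur
        time.sleep(interval)


# Constructed sample snapshots (not real captures).
SAMPLE_T0 = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       980
  TCP    [::]:135               [::]:0                 LISTENING       1012
  TCP    192.168.1.20:49201     74.125.19.19:443       ESTABLISHED     2648
  UDP    0.0.0.0:500            *:*                                    4100
"""
SAMPLE_T1 = SAMPLE_T0 + \
    "  TCP    192.168.1.20:49210     203.0.113.9:80         ESTABLISHED     3320\n"


if __name__ == "__main__":
    # usage: python watch_ports.py [port]   (Ctrl+C to stop)
    target = int(sys.argv[1]) if len(sys.argv) > 1 else None
    try:
        watch(port=target)
    except KeyboardInterrupt:
        pass
```

Run it as python watch_ports.py 80 to get the port-80 view from the article, or with no argument to get every IPv4 connection; because only changes are printed, a beaconing process shows up as a repeating "+" line to the same remote address every few seconds, which is exactly the pattern the cls-and-repeat loop makes you spot by eye.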
So we found a connection and don't know what it belongs to. What do you do? First, open Task Manager (enable the PID column via View > Select Columns if it is hidden) and look up the Process ID. We'll use the line above and look for the PID 1116. (From an elevated prompt, netstat -anob also prints the owning executable under each connection, and tasklist /FI "PID eq 1116" does the same lookup from the command line.)
Using Task Manager to Track Unknown, Open Ports

We can see that PID 1116 is safe: it's our virus scanner, AvastSvc.exe, the service of the free Avast antivirus from avast.com. (Search for the process name to verify it, and check that the file actually lives in the Avast install directory, since malware likes to borrow antivirus names.)
We can also investigate an established connection with nslookup to find out who owns the IP address, which often gives a great clue about what you are connected to. Scroll up to the established connection to 74.125.19.19: who owns it, and why is process 2648 (the Chrome web browser) connected to it?
Common sense says to look at my Chrome browser for an open HTTPS page (netstat shows the connection on port 443, which is HTTPS), but let's assume it isn't Chrome and is some background program connecting to an IP address without my knowledge. Here is how I'd find out who that remote IP address is:
Using nslookup to track trojans and spyware

This says the hostname's root domain is 1e100.net, and a lookup on http://whois.sc or any other whois tool shows it is owned by Google. Since I'm logged into Gmail over HTTPS, this established connection makes perfect sense and I don't need to investigate further. (A reverse lookup is a clue, not proof: the PTR record is set by whoever controls the address block, and many addresses have none at all.)
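To do the Task Manager and nslookup steps above from a script, here is an added example (not from the original post) that joins each connection's PID to tasklist /FO CSV /NH output and reverse-resolves the remote address, reporting the registrable domain the way the nslookup screenshot boils down to 1e100.net. The tasklist lines and the FAKE_PTR table are constructed so the demo runs offline; the function names are mine, and registrable_domain simply takes the last two labels, an assumption that breaks for suffixes like co.uk.

```python
"""Triage a connection: which process owns the PID, and whose address is it?
Added example, not the post's code.  Tasklist rows and FAKE_PTR are constructed
so demo() runs offline; pass resolver=reverse_dns for a live PTR lookup."""
import csv
import io
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed `tasklist /FO CSV /NH` output: Image Name, PID, Session, Session#, Mem.
SAMPLE_TASKLIST = '''"System Idle Process","0","Services","0","8 K"
"AvastSvc.exe","1116","Services","0","30,512 K"
"chrome.exe","2648","Console","1","118,204 K"
'''

# Constructed PTR answers for the offline demo; not real DNS data.
FAKE_PTR = {"74.125.19.19": "constructed-host.1e100.net"}


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """PID -> image name."""
    table: Dict[int, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            table[int(row[1])] = row[0]
    return table


def reverse_dns(ip: str) -> Optional[str]:
    """What nslookup does for an address; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def registrable_domain(hostname: str) -> str:
    """Last two labels: 'a.b.1e100.net' -> '1e100.net'.  Assumption: no public
    suffix list, so something under co.uk would wrongly give 'co.uk'."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'74.125.19.19:443' -> ('74.125.19.19', '443'); '[::1]:80' -> ('::1', '80')."""
    ip, _, port = endpoint.rpartition(":")
    return ip.strip("[]"), port


def triage(connections: Iterable[Tuple[str, int]], tasklist_text: str,
           resolver: Callable[[str], Optional[str]] = reverse_dns) -> List[dict]:
    """connections: (foreign address, pid) pairs as printed by netstat -ano."""
    procs = parse_tasklist_csv(tasklist_text)
    report = []
    for remote, pid in connections:
        ip, port = split_endpoint(remote)
        host = resolver(ip)
        report.append({
            "pid": pid,
            # a missing PID usually means the process exited between snapshots
            "image": procs.get(pid, "<no such pid>"),
            "remote": f"{ip}:{port}",
            "hostname": host,
            "domain": registrable_domain(host) if host else None,
        })
    return report


def demo() -> List[dict]:
    """Offline run over the constructed data.  PID 3320 is deliberately absent
    from the tasklist so the unknown-process case shows up as well."""
    conns = [("74.125.19.19:443", 2648), ("203.0.113.9:80", 3320)]
    return triage(conns, SAMPLE_TASKLIST, resolver=FAKE_PTR.get)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

On a live box you would feed triage() the PID and foreign-address columns from netstat -ano together with the real tasklist /FO CSV /NH output and leave the default resolver in place; an entry whose image is a browser or updater talking to a domain you recognise is the Gmail case from the article, while an entry with an unexpected image, no PTR record, or a domain you have never heard of is the one to chase further.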

4 replies on “Monitor Ports on Windows”

Interesting, but you do know netstat has an interval parameter, right?
So from your earlier example, if you want to listen to port 80 every 2 seconds you could just type
netstat -ano 2 | find ":80" where the 2 is the interval in seconds.

Hi,
Nice tutorial; wondering if you could help in making this launch at logon: having a CMD pop-up window showing exactly the output of the above code.
What I have tried with no success so far:
1) create a batch file [Nbstat.batch] containing [ for /L %i in (0,0,0) do @cls && netstat -ano | find "ESTABLISHED" && @ping -n 1 -w 5000 224.0.0.0 >NUL && @cls ] (without the [])
2) create a second batch file with [ cmd /k Nbstat.batch ] that I put in my startup folder.
Nothing happens, even when I test it by executing the second file.
But when I remove [ for /L %i in (0,0,0) do @cls && ] it executes for a few seconds then stops.
Halp! 😉
Thanks for your input.
