author(s): [email protected]
How to read NETSTAT -AN results
This document is mainly written for news.grc.com, for the ahem newbies that heard about the Netstat command showing hidden trojans/servers on your system in an obfuscated way. After answering a few of those posts, I noticed I was pretty much the only one actually analyzing those Netstat listings myself, instead of posting a link to a document that explains those listings. So to fall in line with the others, I created this document to refer to myself. :) Netstat is a old-school DOS program that displays all TCP connections on your Windows system. The command line parameter -A adds all listening ports (both TCP and UDP) and any other TCP pseudo-connections. The N parameter makes all ports and IP addresses numerical instead of named (like nbname instead of 137, localhost instead of 127.0.0.1). A typical result from NETSTAT -AN looks like this: (this is a slightly edited result of my (online) machine)
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
TCP 0.0.0.0:27374 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1963 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1964 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1965 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1966 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1967 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1969 0.0.0.0:0 LISTENING
TCP 10.0.0.17:135 0.0.0.0:0 LISTENING
TCP 10.0.0.17:137 0.0.0.0:0 LISTENING
TCP 10.0.0.17:138 0.0.0.0:0 LISTENING
TCP 10.0.0.17:139 0.0.0.0:0 LISTENING
TCP 10.0.0.17:5000 0.0.0.0:0 LISTENING
TCP 10.0.0.17:1963 195.40.6.34:80 ESTABLISHED
TCP 10.0.0.17:1964 195.40.6.34:80 ESTABLISHED
TCP 10.0.0.17:1965 195.40.6.34:80 ESTABLISHED
TCP 10.0.0.17:1966 195.40.6.34:80 ESTABLISHED
TCP 10.0.0.17:1967 204.152.184.80:6667 ESTABLISHED
TCP 10.0.0.17:1969 207.71.92.194:119 ESTABLISHED
UDP 0.0.0.0:44334 *:*
UDP 10.0.0.17:137 *:*
UDP 10.0.0.17:138 *:*
I can imagine that anyone seeing this for the first time must be instantly freaking out over all the 'LISTENING' entries - their machine must be infested with trojans! But if they know a little more about Netstat, they'll calm down again. Now, read and learn:
- In lines saying 'ESTABLISHED', you need the remote port to identify what has connected to the remote site.
- In lines saying 'LISTENING', you need the local port to identify what is listening there.
- Each outbound TCP connection also causes a LISTENING entry on the same port.
- Most UDP listening ports are duplicates from a listening TCP port. Ignore them unless they don't have a TCP twin.
- TIME_WAIT entries are not important.
- If it says 0.0.0.0 on the Local Address column, it means that port is listening on all 'network interfaces' (i.e. your computer, your modem(s) and your network card(s)).
- If it says 127.0.0.1 on the Local Address column, it means that port is ONLY listening for connections from your PC itself, not from the Internet or network. No danger there.
- If it displays your online IP on the Local Address column, it means that port is ONLY listening for connections from the Internet.
- If it displays your local network IP on the Local Address column, it means that port is ONLY listening for connections from the local network.
So, if we look at the above list again, adding explanations for each line:
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
TCP 0.0.0.0:27374 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1963 0.0.0.0:0 LISTENING <- from TCP #1
TCP 0.0.0.0:1964 0.0.0.0:0 LISTENING <- from TCP #2
TCP 0.0.0.0:1965 0.0.0.0:0 LISTENING <- from TCP #3
TCP 0.0.0.0:1966 0.0.0.0:0 LISTENING <- from TCP #4
TCP 0.0.0.0:1967 0.0.0.0:0 LISTENING <- from TCP #5
TCP 0.0.0.0:1969 0.0.0.0:0 LISTENING <- from TCP #6
TCP 10.0.0.17:135 0.0.0.0:0 LISTENING
TCP 10.0.0.17:137 0.0.0.0:0 LISTENING
TCP 10.0.0.17:138 0.0.0.0:0 LISTENING
TCP 10.0.0.17:139 0.0.0.0:0 LISTENING
TCP 10.0.0.17:5000 0.0.0.0:0 LISTENING
TCP 10.0.0.17:1963 195.40.6.34:80 ESTABLISHED <- TCP #1
TCP 10.0.0.17:1964 195.40.6.34:80 ESTABLISHED <- TCP #2
TCP 10.0.0.17:1965 195.40.6.34:80 ESTABLISHED <- TCP #3
TCP 10.0.0.17:1966 195.40.6.34:80 ESTABLISHED <- TCP #4
TCP 10.0.0.17:1967 204.152.184.80:6667 ESTABLISHED <- TCP #5
TCP 10.0.0.17:1969 207.71.92.194:119 ESTABLISHED <- TCP #6
UDP 0.0.0.0:44334 *:* <- \
UDP 10.0.0.17:137 *:* <- |- who cares?
UDP 10.0.0.17:138 *:* <- /
Breaking down the TCP connections:
- #1-#4 - HTTP connections to bofh.ntk.net. Most browsers use multiple connections to fetch webpages to speed up the process.
- #5 - IRC connection. I was connected to SorceryNet with mIRC at the time. Note: If you're not running an IRC client and see a line like this, you might be infected with a IRC bot trojan.
- #6 - NNTP connection to news.grc.com.
So what entries are left that are important?
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
TCP 0.0.0.0:27374 0.0.0.0:0 LISTENING
TCP 10.0.0.17:135 0.0.0.0:0 LISTENING
TCP 10.0.0.17:137 0.0.0.0:0 LISTENING
TCP 10.0.0.17:138 0.0.0.0:0 LISTENING
TCP 10.0.0.17:139 0.0.0.0:0 LISTENING
TCP 10.0.0.17:5000 0.0.0.0:0 LISTENING
That doesn't look so bad, does it now? Time to break down the last listening ports:
- Port 44334 - my firewall Tiny Personal Firewall, listening for connections from the TPF admin program.
- Port 135 - DCOM/RPCSS, a Microsoft program that's supposed to facilitate usage of programs that use DCOM, blah blah blah. If you have Windows 9x/ME, this can be disabled. See below.
- Port 137/138/139 - NetBIOS, used for File & Printer Sharing. If you are on a non-networked PC, you can disable this too. See below.
- Port 5000 - Universal Plug & Play, comes standard with Windows ME. Can definitely be disabled. See below.
- Port 27374 - The only one left not part of a default Windows install. To find out what ports like these are, you need documentation. After a quick search through Robert Grahams Firewall Forensics: What am I seeing? leads to the conclusion that this is the Sub7 trojan horse. Use a virusscanner to remove it.
Closing ports
I'll try to keep this list as complete as possible, but if you happen to find an open port on your system you can't explain or have an addition to this list, email me at the address at the bottom of this article. (If you're including a line from a Netstat listing, include the entire listing please!)
- TCP port 135 - Microsoft DCOM/RPCSS. Impossible to close in Windows NT/2000/XP Pro. Windows 9x/ME/XP Home: Start REGEDIT.EXE, go to HKLM\Software\Microsoft\OLE and change both EnableDCOM and EnableRemoteConnect to 'N'. Reboot. Optional: delete C:\WINDOWS\SYSTEM\RPCSS.EXE.
- TCP ports 137,138,139 and UDP ports 137,138 - Microsoft File & Printer Sharing. Go to Control Panel, Network, click the 'File & Printer Sharing' button and deselect both options. Click OK, OK and reboot.
- TCP port 445 - Microsoft Windows NT File & Printer Sharing. Go to Control Panel, Dial-Up & Network Connctions, click Advanced, Bindings and unbind File & Printer Sharing from the TCP/IP protocol.
- TCP port 5000 - Microsoft Universal Plug & Play (Windows ME only). Go to Control Panel, Add/Remove Software, select 'Universal Plug & Play' and hit Remove, OK.
Hope this all clears up some things for you :)