What port does the Glacier Trojan open?
At present, most common Trojans communicate between client and server over the TCP/UDP protocols. Because these two protocols are used, the Trojan inevitably has to open a listening port on the server side (that is, the machine implanted with the Trojan horse) and wait for a connection. For example, the listening port of the famous Glacier is 7626, and that of Back Orifice 2000 is 54320. So we can check whether we have been implanted with Trojan horses or other hacker programs by looking at the open ports of the local machine. The methods are described in detail below.

1. The netstat command that comes with Windows

Regarding the netstat command, let's first look at its description in the Windows help file:

netstat displays protocol statistics and current TCP/IP network connections. This command can only be used after the TCP/IP protocol is installed.

    netstat [-a] [-e] [-n] [-s] [-p protocol] [-r] [interval]

Parameters:

    -a           Displays all connections and listening ports. Server connections are not usually displayed.
    -e           Displays Ethernet statistics. This parameter can be used in combination with the -s option.
    -n           Displays addresses and port numbers in numeric format (instead of trying to look up names).
    -s           Displays statistics for each protocol. By default, statistics for TCP, UDP, ICMP and IP are displayed. The -p option can be used to specify a subset of the default.
    -p protocol  Displays connections for the protocol specified by protocol; protocol can be tcp or udp. If used with the -s option to display per-protocol statistics, protocol can be tcp, udp, icmp or ip.
    -r           Displays the contents of the routing table.
    interval     Redisplays the selected statistics, pausing interval seconds between each display. Press CTRL+B to stop redisplaying statistics. If this parameter is omitted, netstat prints the current configuration information once.

Well, after reading the help file, we should understand how to use the netstat command.
Now let's put it to use and view the open ports of our machine with this command. Open a command prompt and run netstat with the two parameters -a and -n:

    C:\>netstat -an

    Active Connections

      Proto  Local Address     Foreign Address   State
      TCP    0.0.0.0:80        0.0.0.0:0         LISTENING
      TCP    0.0.0.0:21        0.0.0.0:0         LISTENING
      TCP    0.0.0.0:7626      0.0.0.0:0         LISTENING
      UDP    0.0.0.0:445       0.0.0.0:0
      UDP    0.0.0.0:1046      0.0.0.0:0

Active Connections refers to the currently active connections on the local machine. Proto is the name of the protocol used by the connection, Local Address is the IP address of the local computer and the port number in use, Foreign Address is the IP address and port number of the remote computer connected to that port, and State indicates the state of the TCP connection. You can see that the listening ports in the last three lines are all UDP, so there is no state. Look! Port 7626 on my machine is open and listening for connections. In this case, it is very likely that I have been infected with Glacier! The right thing to do is to disconnect from the network at once and remove it with antivirus software.

2. fport, a command-line tool that works under Windows 2000

Friends who use Windows 2000 are luckier than friends who use Windows 9x, because fport can be used to display the correspondence between local open ports and processes. Fport is software produced by Foundstone. It lists all open TCP/IP and UDP ports on the system, together with the full path, PID, process name and other information of the application behind each port. It is used on the command line; see the example:

    D:\>fport.exe
    FPort v1.33 - TCP/IP Process to Port Mapper
    Copyright 2000 Foundstone, Inc.

    Pid   Process      Port  Proto  Path
    748   tcpsvcs  ->  7     TCP    C:\WINNT\System32\tcpsvcs.exe
    748   tcpsvcs  ->  9     TCP    C:\WINNT\System32\tcpsvcs.exe
    748   tcpsvcs  ->  19    TCP    C:\WINNT\System32\tcpsvcs.exe
    416   svchost  ->  135   TCP    C:\WINNT\system32\svchost.exe

It is clear at a glance. Now the program that opened each port is right under your nose. If you find a suspicious program opening a suspicious port, don't be careless. Maybe it's a cunning Trojan horse! The latest version of Fport is 2.0. Many websites offer it for download, but for the sake of safety it is of course best to get it from its home site: /knowledge/zips/fport.zip

3. Active Ports

Active Ports is a graphical tool produced by SmartLine, similar to fport. You can use it to monitor all open TCP/IP/UDP ports on your computer. It not only displays all your ports, but also shows the path of the program behind each port, and whether the local IP and remote IP (an IP trying to connect to your computer) are active. Even better, it also provides a function for closing ports. When you use it to find a port opened by a Trojan, you can close it immediately. The software runs on the Windows NT/2000/XP platforms.

You can also add the -o parameter to the netstat command; with this parameter you get the correspondence between ports and processes.

The above introduces several methods for viewing local open ports and the correspondence between ports and processes. With these methods you can easily find Trojan horses based on the TCP/UDP protocols, and I hope this helps your beloved machine. However, we should still pay attention to preventing Trojan horses. If we encounter a rebound-port Trojan, or a new Trojan built with driver and dynamic link library technology, it is difficult to find its traces by these methods. Therefore, we must develop good habits when surfing the internet, not run email attachments at will, and install antivirus software.
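The check described in the answer, automated as an added example that is not part of the original answer: it parses `netstat -an` or `netstat -ano` output, copes with UDP rows that have no State column, and flags the two default ports the answer names. The sample output, PIDs and function names are constructed for illustration, and English-language netstat output is assumed.

```python
# Default listening ports named in the answer above.
KNOWN_TROJAN_PORTS = {7626: "Glacier", 54320: "Back Orifice 2000"}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING       1876
  TCP    192.168.1.5:1031       203.0.113.9:80         ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
"""

def parse_netstat(text):
    """Yield one dict per TCP/UDP row of `netstat -an` or `netstat -ano` output."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        host, _, port = tok[1].rpartition(":")
        if not port.isdigit():
            continue
        extra = tok[3:]  # optional [State] [PID]; UDP rows carry no State
        state = extra[0] if extra and not extra[0].isdigit() else None
        pid = int(extra[-1]) if extra and extra[-1].isdigit() else None
        yield {"proto": tok[0], "addr": host, "port": int(port),
               "state": state, "pid": pid}

def open_ports(text):
    """Rows that accept traffic: TCP in LISTENING state and every bound UDP port."""
    return [r for r in parse_netstat(text)
            if r["proto"] == "UDP" or r["state"] == "LISTENING"]

def suspicious(text, watchlist=KNOWN_TROJAN_PORTS):
    """Open ports whose number is on the watchlist, with the Trojan name attached."""
    return [dict(r, suspect=watchlist[r["port"]])
            for r in open_ports(text) if r["port"] in watchlist]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE):
        print(f'{hit["proto"]} port {hit["port"]} (PID {hit["pid"]}): '
              f'default port of {hit["suspect"]}')
```

A hit only means the port number matches a known default; confirm which program owns the port through the PID-to-path mapping before acting on it.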
