How to detect a network bot by its unauthorized sending of mail

Netstat is similar in intent to tcpvcon, the command-line version of TCPView. It is standard on most versions of Unix and has been around for decades, and most versions of Windows ship it as well. The main difference from TCPView is that netstat is a command-line tool that takes a single snapshot of the current connections rather than updating continuously.

On Linux the most useful invocation is:

netstat -nap

Here -n prints addresses and ports numerically (no slow reverse DNS lookups), -a lists all sockets, and -p shows the PID and program name that own each socket. Run it as root: an unprivileged user only sees the PID/program for their own processes, and everything else shows up as "-". On BSD and macOS the -p switch selects a protocol instead, so use lsof -i :25 there; on Windows, netstat -nao shows the PID and netstat -nab the executable (the latter needs an elevated prompt).

In the case of a Darkmailer infection this can look like the following:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.2.2:58246       212.69.102.240:25       SYN_SENT    12614/b.pl
tcp        0      0 192.168.2.2:35843       209.85.201.27:25        ESTABLISHED 7996/ciwhcnsb.pl
tcp        0      0 192.168.2.2:53051       81.13.48.2:25           TIME_WAIT   -
tcp        0      0 192.168.2.2:53623       77.243.121.126:25       TIME_WAIT   -
tcp        0      0 192.168.2.2:57816       217.13.210.81:25        TIME_WAIT   -
tcp        0      1 192.168.2.2:50531       217.16.16.81:25         SYN_SENT    12270/nxhbo.pl
tcp        0      0 192.168.2.2:52437       217.198.11.26:25        TIME_WAIT   -
tcp        0      1 192.168.2.2:50140       195.64.222.2:25         SYN_SENT    9273/yzezihd.pl

The ":25" under "Foreign Address" marks an outbound SMTP connection: the remote end is a mail server's SMTP port while the local port is a high ephemeral one. "NNNN/name" under "PID/Program name" is the process ID and program name of the offending process; here they are Perl scripts with random names (b.pl, ciwhcnsb.pl, nxhbo.pl, yzezihd.pl), which is itself suspicious on a host whose legitimate MTA is something like sendmail or postfix. The mix of states shows that the bot is starting and tearing down connections very quickly: SYN_SENT is a connection attempt still waiting for the server's reply (the Send-Q of 1 is the queued SYN), ESTABLISHED is an open session, and TIME_WAIT is a connection that has already been closed. The TIME_WAIT rows show "-" instead of a PID because a closed socket no longer belongs to any process, so to attribute those you have to catch the connection while it is open, or take several snapshots in a loop (for example with watch, or a while loop with sleep) rather than relying on one.
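Reading netstat output by eye works for one host, but on a busy server or across many hosts you want the same check as code. The following is an added example, not part of the original article or of any tool it mentions: it parses netstat -nap output, keeps only TCP sockets whose remote port is an SMTP port, drops the processes on an allowlist of legitimate mail daemons, and reports every other program that is talking SMTP, with its PIDs, connection states and peers. The SMTP_PORTS set and ALLOWED_MTAS names are assumptions to adjust for your environment; the sample input is the netstat listing quoted above, embedded so the script runs offline.

```python
"""Flag processes making outbound SMTP connections in `netstat -nap` output.

Usage on a live host (Linux, as root):  netstat -nap | python3 smtp_senders.py
Added example for this article; the port list and MTA allowlist are assumptions.
"""
import re
import sys
from collections import Counter, defaultdict

# Assumption: treat SMTP, SMTPS and submission as "mail" ports. The article only
# looks at :25; 465 and 587 are added because mailer bots use them too.
SMTP_PORTS = {25, 465, 587}

# Assumption: program names that are allowed to send mail on this host.
# Anything else seen on an SMTP port is reported.
ALLOWED_MTAS = {"sendmail", "postfix", "master", "smtp", "exim", "exim4"}

# One TCP row of `netstat -nap`: proto recv-q send-q local foreign state pid/prog
# UDP rows have no state column and unix sockets start with "unix", so neither match.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\S+)\s*$"
)

# Constructed sample input: the netstat listing shown in the article above.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.2.2:58246       212.69.102.240:25       SYN_SENT    12614/b.pl
tcp        0      0 192.168.2.2:35843       209.85.201.27:25        ESTABLISHED 7996/ciwhcnsb.pl
tcp        0      0 192.168.2.2:53051       81.13.48.2:25           TIME_WAIT   -
tcp        0      0 192.168.2.2:53623       77.243.121.126:25       TIME_WAIT   -
tcp        0      0 192.168.2.2:57816       217.13.210.81:25        TIME_WAIT   -
tcp        0      1 192.168.2.2:50531       217.16.16.81:25         SYN_SENT    12270/nxhbo.pl
tcp        0      0 192.168.2.2:52437       217.198.11.26:25        TIME_WAIT   -
tcp        0      1 192.168.2.2:50140       195.64.222.2:25         SYN_SENT    9273/yzezihd.pl
"""


def parse_line(line):
    """Parse one netstat row into a dict, or return None for headers/other rows."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, _, port = m["remote"].rpartition(":")  # rpartition also copes with IPv6
    if not port.isdigit():                        # "*" on LISTEN sockets
        return None
    pid_field = m["pid"]
    if pid_field == "-":                          # closed or not ours (no root)
        pid, prog = None, None
    else:
        pid_str, _, prog = pid_field.partition("/")
        pid = int(pid_str)
    return {"remote_host": host, "remote_port": int(port),
            "state": m["state"], "pid": pid, "prog": prog}


def find_smtp_senders(text, ports=SMTP_PORTS, allowed=ALLOWED_MTAS):
    """Return (suspects, orphaned).

    suspects: {program: {"pids": set, "states": Counter, "peers": set}} for every
    non-allowlisted program with a connection to an SMTP port.
    orphaned: Counter of states for SMTP sockets with no owning process ("-"),
    typically TIME_WAIT rows whose process has already closed the socket.
    """
    suspects = defaultdict(lambda: {"pids": set(), "states": Counter(), "peers": set()})
    orphaned = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["remote_port"] not in ports:
            continue
        if rec["prog"] is None:
            orphaned[rec["state"]] += 1
            continue
        if rec["prog"] in allowed:
            continue
        entry = suspects[rec["prog"]]
        entry["pids"].add(rec["pid"])
        entry["states"][rec["state"]] += 1
        entry["peers"].add(rec["remote_host"])
    return dict(suspects), orphaned


def report(text):
    """Human-readable summary; returns the number of suspect programs."""
    suspects, orphaned = find_smtp_senders(text)
    for prog, info in sorted(suspects.items()):
        states = ", ".join(f"{s}={n}" for s, n in sorted(info["states"].items()))
        print(f"{prog}: pids={sorted(info['pids'])} {states} peers={len(info['peers'])}")
    if orphaned:
        print("unattributed SMTP sockets:", dict(orphaned), "(rerun while connections are open)")
    return len(suspects)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sys.exit(1 if report(data) else 0)
```

The exit status makes the script usable from cron or a monitoring agent: non-zero means something other than the allowed MTAs is talking SMTP. Because TIME_WAIT rows carry no PID, the unattributed count is printed separately as a hint to sample again while the bot's connections are still open.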