nerdexam
GIAC

GCIH · Question #260

You work as a Network Administrator for InformSec Inc. You find that the TCP port number 23476 is open on your server. You suspect that there may be a Trojan named Donald Dick installed on your server

The correct answer is D. Fport. Fport maps open TCP/UDP ports directly to the owning application, providing the process ID, process name, and full executable path - details that Netstat alone does not reliably supply.

Malware Analysis & Advanced Persistent Threats

Question

You work as a Network Administrator for InformSec Inc. You find that the TCP port number 23476 is open on your server. You suspect that there may be a Trojan named Donald Dick installed on your server. Now you want to verify whether Donald Dick is installed on it or not. For this, you want to know the process running on port 23476, as well as the process id, process name, and the path of the process on your server. Which of the following applications will you most likely use to accomplish the task?

Options

  • ATripwire
  • BSubSeven
  • CNetstat
  • DFport

How the community answered

(22 responses)
  • A
    5% (1)
  • D
    95% (21)

Why each option

Fport maps open TCP/UDP ports directly to the owning application, providing the process ID, process name, and full executable path - details that Netstat alone does not reliably supply.

ATripwire

Tripwire is a file integrity monitoring tool that detects unauthorized changes to files - it does not map network ports to running processes.

BSubSeven

SubSeven (Sub7) is itself a remote access Trojan, not a diagnostic or security analysis utility.

CNetstat

Netstat displays active network connections and listening ports but does not provide the full executable path of the owning process, making it insufficient for confirming the Trojan's file location.

DFportCorrect

Fport, developed by Foundstone, is specifically designed to enumerate all open TCP and UDP ports and correlate each one to the owning process, reporting the process name, process ID (PID), and the full file system path of the executable. This makes it the ideal tool for investigating a suspicious port like 23476 and confirming whether a specific Trojan binary is responsible. Its output directly answers the investigator's need to link a port number to a specific process and its location on disk.

Concept tested: Port-to-process mapping for Trojan identification

Topics

#Fport#trojan detection#port-to-process mapping#process identification

Community Discussion

No community discussion yet for this question.

Full GCIH Practice