in reply to RAdmin detector for Win32
Something like

    #!C:\perl\bin\perl.exe
    use strict;
    use warnings;

    my $netstat    = "C:\\WINDOWS\\System32\\netstat.exe";
    my $RAdminPort = "4899";

    # Run netstat (-a all sockets, -n numeric, -p tcp) and read its output line by line
    open(NETSTAT, "$netstat -an -p tcp|") or die "Couldn't run netstat - $!\n";

    while (<NETSTAT>) {
        next unless $_ =~ /TCP/;
        chomp;                  # otherwise $status keeps the trailing newline and never matches
        my $line = $_;
        $line =~ s/^\s+//;      # strip the leading indentation netstat prints
        my ($protocol, $local, $remote, $status) = split(/\s+/, $line, 4);
        my ($localAddress, $localPort) = split(/:/, $local);
        if (($localPort eq $RAdminPort) && ($status eq "ESTABLISHED")) {
            print "Discovered connection to RAdmin from $remote\n";
            # Do something here.......
        }
    }
    close(NETSTAT);
should do the trick, if you run it as a scheduled task every 10 minutes (or however often). You could also write this into a loop which sleeps for 10 minutes and then opens netstat, etc., and save yourself from running it as a task at a defined period, etc.
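The same check written so it can be exercised offline against captured netstat text, as an added example that is not from the original post. It goes a little further than the reply above: it accepts bracketed IPv6 endpoints, and it reports the local RAdmin listener as well as established sessions in either direction (inbound to a local server, outbound to a remote one). The netstat output at the bottom is constructed, not captured from a real host.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $RADMIN_PORT = 4899;

# Split a netstat endpoint into (address, port); accepts IPv4 (1.2.3.4:4899)
# and bracketed IPv6 ([::1]:4899). Unparseable endpoints get an empty port.
sub split_endpoint {
    my ($endpoint) = @_;
    return ($1, $2) if $endpoint =~ /^\[?([^\]]*)\]?:(\d+)$/;
    return ($endpoint, '');
}

# Parse the text of "netstat -an -p tcp" and return one finding per line that
# involves the RAdmin port: the local listener, and established sessions in
# either direction (inbound to a local server, outbound to a remote one).
sub radmin_findings {
    my ($netstat_text) = @_;
    my @findings;
    for my $line (split /\n/, $netstat_text) {
        $line =~ s/^\s+|\s+$//g;    # trim both ends, so State never keeps a newline
        my ($proto, $local, $remote, $state) = split /\s+/, $line, 4;
        next unless defined $state && $proto eq 'TCP';
        my ($laddr, $lport) = split_endpoint($local);
        my ($raddr, $rport) = split_endpoint($remote);
        if ($lport eq $RADMIN_PORT && $state eq 'LISTENING') {
            push @findings, "RAdmin server listening on $laddr:$lport";
        }
        elsif ($state eq 'ESTABLISHED' && $lport eq $RADMIN_PORT) {
            push @findings, "inbound RAdmin session from $raddr:$rport";
        }
        elsif ($state eq 'ESTABLISHED' && $rport eq $RADMIN_PORT) {
            push @findings, "outbound RAdmin session to $raddr:$rport";
        }
    }
    return @findings;
}

# Constructed sample output (not captured from a real host) so this runs offline.
my $sample = <<'END';
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:4899      192.168.1.77:50112     ESTABLISHED
  TCP    192.168.1.10:50200     10.0.0.5:4899          ESTABLISHED
  TCP    [::1]:4899             [::1]:50300            ESTABLISHED
  TCP    192.168.1.10:445       192.168.1.77:50113     ESTABLISHED
END
print "$_\n" for radmin_findings($sample);
```

On a live host, replace `$sample` with the output of the netstat command from the reply above (read through a pipe as there); the sample produces four findings and ignores the port 135 and 445 lines.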