Wrt to the "netstat" thing, also see "lsof -i".
Are there any programs that I can install that will help me to detect outbound Trojans or backdoors?
This question is a bit harder to answer, so bear with me for a minute. It's harder, but not impossible, because you need to match network traffic or sockets to running applications and their fingerprint. For instance Chkrootkit uses a static list of ports to match against netstat output. Changing the port and recompiling, and intercepting system calls, are just two ways to thwart detection, and because Chkrootkit won't check the integrity of any running binary and match it against a "known good" list, running a perfectly sane application on a known trojan port, say TCP/5002 (Linux Rootkit 4), will trip the alarms as well. For matching in/outbound network traffic to "suspect behaviour" you will need the capability to sift through traffic looking for signs. The best example of course is Snort. You could suggest Netfilter/Iptables also has string match support etc etc, but most likely those features are still experimental, and besides, Snort is built for that task. There are two main problems with this. One, like Chkrootkit, Snort is as good as its signature set. Second, if there's no traffic, there's nothing to match, even if a rootshell is offered. There have been some threads on LQ about "ZoneAlarm for Linux" (search LQ, they're a good read), but nothing resulted in anyone building one. So, how to shield against and detect trojans or rootshells?
Secure, harden. Take away possibilities for compromise:
Never install and run what you don't need NOW, especially network applications and applications that are exposed to (un/less controllable) (public) access. Harden. For the applications you need to run, limit or restrict access to specific accounts, IP addresses or ranges, remove script leftovers from a default install, use TCP wrappers (/etc/hosts.{deny,allow}) and the firewall to regulate access. Remove options for anonymous access and use chroots where possible. Use a hardening kit if possible, like Bastille-Linux, SASTK or MSEC. If you're using ext2/3, set the immutable bit on crucial system binaries and configs. Mount partitions with restrictive mount flags. Remove module loading capabilities using Lcap. Use LIDS or Grsecurity to restrict the access applications have to the system.
Log, audit:
Make extensive use of application and syslog logging. Check your logs regularly. Regularly run an integrity scanner like Aide, Samhain or tripwire (or Osiris, Integrit, Viper etc etc). Most likely they will find "rogue" files on the system that are an indication of unwanted activity. Regularly run specific O.S. checkers like Tiger and Chkrootkit. Log in and outbound traffic on the firewall. Deploy an IDS.
Restrict more:
Key is, all applications are run under a user account, be it root, lesser-privileged ones or unprivileged ones. The Grsecurity(.net) kernel patch gives you (amongst many other things) a means to deny a user or group access to network client, server or all sockets.
...and more:
Enter Systrace and Syscalltrack. Systrace being the more actively and prominently developed one, both give you the ability to detect application system call usage and bind actions to it. Systrace also has a GTK admin alert utility, and in that respect it's the only piece of SW I've seen that remotely resembles ZoneAlarm-like features (if you can compare them, that is).
So, is it hard to protect against and detect Trojans or backdoors? No, but it takes time reading, compiling, configuring, testing and more configuring. Is it worth it? That depends on how much you value the time you already invested in setting up your box, configuring it and trusting it with your and other people's data.
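As an added illustration of the integrity point made in the post about port-only checks (this script is not from the thread or from any of the tools named in it): it matches `ss -tlnp` style listeners to their owning process, hashes that process's binary, and only raises an alert on a listed port when the binary cannot be verified against a known-good manifest, so a sane application on TCP/5002 is not flagged while an unverified binary on a listed port is. The sample `ss` output, the second suspect port (6667), the pid-to-path map and the temporary fake "binaries" are all constructed for the demo; on a live host the map would come from `/proc/<pid>/exe` and the manifest from an integrity scanner such as Aide or tripwire.

```python
import hashlib, re, tempfile
from pathlib import Path
# Constructed sample in the style of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:5002 0.0.0.0:* users:(("vsftpd",pid=944,fd=4))
LISTEN 0 5   0.0.0.0:6667 0.0.0.0:* users:(("sshd",pid=2001,fd=5))
"""
# Static "trojan port" list, chkrootkit style; 5002 is from the post, 6667 is made up here.
SUSPECT_PORTS = {5002, 6667}
USERS_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def parse_listeners(text):
    """Return (port, process name, pid) for each ss -tlnp style data line."""
    out = []
    for line in text.splitlines():
        m = USERS_RE.search(line)
        if m:  # column 3 is Local Address:Port
            port = int(line.split()[3].rsplit(":", 1)[1])
            out.append((port, m.group("name"), int(m.group("pid"))))
    return out

def audit(text, exe_of_pid, known_good):
    """Judge each listener by its binary's integrity, not by its port alone.
    exe_of_pid: pid -> exe path (live host: os.readlink(f"/proc/{pid}/exe")).
    known_good: path -> sha256 from a trusted manifest (e.g. an Aide/tripwire run)."""
    findings = {}
    for port, name, pid in parse_listeners(text):
        path = exe_of_pid.get(pid)
        digest = sha256_file(path) if path and Path(path).is_file() else None
        if path in known_good and known_good[path] == digest:
            verdict = "ok"        # trusted binary, even on a "suspect" port
        elif port in SUSPECT_PORTS:
            verdict = "alert"     # unverified binary on a listed port
        else:
            verdict = "unknown"   # unverified binary on any other port; investigate
        findings[port] = (name, pid, verdict)
    return findings

def demo():
    # Two fake "binaries" that are in the manifest plus one rogue copy that is not.
    d = Path(tempfile.mkdtemp())
    paths = {n: d / n for n in ("sshd", "vsftpd", ".rogue")}
    for n, p in paths.items():
        p.write_bytes(f"fake {n} binary\n".encode())
    known_good = {paths[n]: sha256_file(paths[n]) for n in ("sshd", "vsftpd")}
    exe_of_pid = {812: paths["sshd"], 944: paths["vsftpd"], 2001: paths[".rogue"]}
    return audit(SAMPLE_SS, exe_of_pid, known_good)
```

Running `demo()` returns "ok" for both manifest-verified listeners (including the one on 5002) and "alert" only for the unverified binary on 6667.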