Security Incidents mailing list archives

Re: [unisog] Re: Port 109 Mystery


From: "Buck Buchanan" <lbuchana () csc com>
Date: Thu, 13 Mar 2003 09:01:20 -0500


Hi,

Loki <loki () fatelabs com> writes:

This may have been something you tried, but looking at that path, it
looks like fport doesn't know how to interpret the initial dir name. Is
it an ascii char space ALT-255, etc? Alt-255 directories will not show
up at all in windows. It looks like someone either copied winlogin.exe
to another dir and bound it to port 109, or it's not winlogin at all, and
rather, a trojan that's been renamed to winlogin to fool the admin.
...
On Wed, 2003-03-12 at 11:54, Douglas Brown wrote:
...
220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe

According to "Developing Windows NT Device Drivers - A Programmer's
Handbook", by Dekker and Newcomer: \??\  is "the directory of all named
devices available for CreateFile".  When a program tries to open
C:\WINNT\system32\winlogon.exe, "C:" is translated to "\??\C:" by the Win32
subsystem.

Since fport normally does not display the "\??\" prefix, I am wondering if
this might be a clue to how winlogon.exe was run.

B Cing U

Buck
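An added check, not part of the thread or of fport itself: it parses fport-style output and flags the three clues the two posts raise (the \??\ prefix, a winlogon process bound to a port, and a directory name containing non-printable ALT-255 style characters). The expected winlogon path, the "never listens" set and the sample lines are constructed assumptions.

```python
import re
# One fport socket line: Pid  Process  ->  Port  Proto  Path
FPORT_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")
NT_PREFIX = "\\??\\"  # object-manager prefix fport does not normally print

# Assumed baselines: expected winlogon.exe path (from the thread) and
# processes that never own a listening socket.
EXPECTED_PATHS = {"winlogon": "c:\\winnt\\system32\\winlogon.exe"}
NEVER_LISTENS = {"winlogon"}

def parse_fport_line(line):
    # Returns a dict for a socket line, None for headers and blank lines.
    m = FPORT_LINE.match(line)
    if not m:
        return None
    pid, proc, port, proto, path = m.groups()
    return {"pid": int(pid), "process": proc, "port": int(port),
            "proto": proto, "path": path}

def audit_entry(entry):
    # Reasons one fport entry deserves a closer look (empty list = nothing odd).
    findings = []
    path = entry["path"]
    if path.startswith(NT_PREFIX):
        findings.append("path carries the \\??\\ prefix")
        path = path[len(NT_PREFIX):]
    # ALT-255 style names: non-printable characters hide a directory in listings.
    if any(not 32 <= ord(c) <= 126 for c in path):
        findings.append("non-printable character in path")
    name = entry["process"].lower()
    if name in NEVER_LISTENS:
        findings.append(f"{name} bound to {entry['proto']}/{entry['port']}")
    expected = EXPECTED_PATHS.get(name)
    if expected and path.lower() != expected:
        findings.append(f"path differs from expected {expected}")
    return findings

def audit_fport(output):
    # Map pid -> findings for every suspicious line of an fport run.
    report = {}
    for entry in filter(None, map(parse_fport_line, output.splitlines())):
        hits = audit_entry(entry)
        if hits:
            report[entry["pid"]] = hits
    return report

# Constructed sample: pid 220 is the line quoted in the thread; pid 1234
# simulates a copy living under an ALT-255 (U+00A0) directory name.
SAMPLE = (
    "Pid   Process            Port  Proto Path\n"
    "220   winlogon       ->  109   TCP   \\??\\C:\\WINNT\\system32\\winlogon.exe\n"
    "1016  svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe\n"
    "1234  winlogon       ->  109   TCP   C:\\WINNT\\\xa0\\winlogon.exe\n"
)
```

Run `audit_fport(SAMPLE)` to get a pid-to-findings map; the svchost line produces no entry.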



