Security Incidents mailing list archives
Re: [unisog] Re: Port 109 Mystery
From: "Buck Buchanan" <lbuchana () csc com>
Date: Thu, 13 Mar 2003 09:01:20 -0500
Hi, Loki <loki () fatelabs com> writes:
This may have been something you tried, but looking at that path, it looks like fport doesn't know how to interpret the initial dir name. Is it an ascii char space ALT-255, etc? Alt-255 directories will not show up at all in windows. It looks like someone either copied winlogin.exe to another dir and bound it to port 109, or it's not winlogin at all, and rather, a trojan that's been renamed to winlogin to fool the admin.
...
On Wed, 2003-03-12 at 11:54, Douglas Brown wrote:
...
220 winlogon -> 109 TCP \??\C:\WINNT\system32\winlogon.exe
According to "Developing Windows NT Device Drivers - A Programmer's Handbook", by Dekker and Newcomer: \??\ is "the directory of all named devices available for CreateFile". When a program tries to open C:\WINNT\system32\winlogon.exe, "C:" is translated to "\??\C:" by the Win32 subsystem.

Since fport normally does not display the "\??\" prefix, I am wondering if this might be a clue to how winlogon.exe was run.

B Cing U
Buck
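The two clues raised in this thread (an fport path that still carries the native `\??\` object-manager prefix, and a directory name built from an unprintable character such as ALT-255 that Explorer renders as blank) are both things a defender can check mechanically when triaging fport output. The script below is an added example, not code from the thread or from fport itself: it parses fport-style rows, strips the `\??\` prefix, flags paths containing non-printable or high-bit characters, and flags a well-known system binary that is not in its expected directory. The sample rows are constructed (only the `220 winlogon -> 109` line mirrors the one quoted above), the `EXPECTED_DIRECTORY` table is an assumption based on the NT/2000 layout in the thread, and `chr(0xFF)` stands in for the ALT-255 character Loki describes.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of fport output (not taken from the original post, except
# that the first data row reproduces the one quoted in the thread). The last
# row uses chr(0xFF) as a stand-in for an ALT-255 directory name; pid and port
# values there are made up.
SAMPLE_FPORT_LINES = [
    "Pid   Process            Port  Proto Path",
    r"220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe",
    r"8     System         ->  139   TCP   ",
    r"416   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe",
    "1337  winlogon       ->  31337 TCP   C:\\WINNT\\" + chr(0xFF) + "temp\\winlogon.exe",
]

# One fport row: pid, process name, "->", port, protocol, optional path.
FPORT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Native NT object-manager prefix that the Win32 subsystem normally hides
# (the thread quotes Dekker and Newcomer on \??\ as the named-device directory).
NT_OBJECT_PREFIX = "\\??\\"

# Where a system binary is expected to live on the NT/2000 host in the thread.
# Assumption for illustration; adjust for other Windows layouts.
EXPECTED_DIRECTORY = {
    "winlogon.exe": "c:\\winnt\\system32",
}


def parse_fport_line(line: str) -> Optional[Dict]:
    """Return a dict for a data row, or None for headers/blank lines."""
    m = FPORT_ROW.match(line)
    if not m:
        return None
    pid, proc, port, proto, path = m.groups()
    return {"pid": int(pid), "process": proc, "port": int(port),
            "proto": proto, "raw_path": path}


def normalize_path(raw_path: str):
    """Strip a leading \\??\\ prefix; return (had_prefix, win32_path)."""
    if raw_path.startswith(NT_OBJECT_PREFIX):
        return True, raw_path[len(NT_OBJECT_PREFIX):]
    return False, raw_path


def odd_characters(path: str) -> List[str]:
    """Characters outside printable ASCII (control chars, or high-bit ones
    such as chr(0xFF) from ALT-255) that a console tool cannot show cleanly."""
    return sorted({c for c in path if ord(c) < 0x20 or ord(c) > 0x7E})


def flags_for(entry: Dict) -> List[str]:
    """Apply the three triage checks to one parsed fport row."""
    flags = []
    had_prefix, path = normalize_path(entry["raw_path"])
    if had_prefix:
        flags.append("nt-object-path-prefix")
    if odd_characters(path):
        flags.append("odd-chars-in-path")
    if path:
        directory, _, name = path.rpartition("\\")
        expected = EXPECTED_DIRECTORY.get(name.lower())
        if expected and directory.lower() != expected:
            flags.append("unexpected-directory")
    return flags


def analyze(lines: List[str]) -> List[Dict]:
    """Parse every fport row and attach its normalized path and flags."""
    rows = []
    for line in lines:
        entry = parse_fport_line(line)
        if entry is None:
            continue
        entry["path"] = normalize_path(entry["raw_path"])[1]
        entry["flags"] = flags_for(entry)
        rows.append(entry)
    return rows


if __name__ == "__main__":
    for row in analyze(SAMPLE_FPORT_LINES):
        status = ", ".join(row["flags"]) or "ok"
        print(f"pid {row['pid']:>5} {row['process']:<10} "
              f"{row['proto']}/{row['port']:<5} {status}")
```

Run against the sample, the row quoted in the thread is flagged only for the `\??\` prefix, which is exactly the point Buck makes: the path itself is the legitimate system32 location, so the prefix is the anomaly worth chasing. The constructed `pid 1337` row shows the other scenario from Loki's reply, a renamed copy of the binary sitting in a directory whose name contains an unprintable character.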