Security Incidents mailing list archives

Re: [unisog] Re: Port 109 Mystery
From: "Buck Buchanan" <lbuchana () csc com>
Date: Thu, 13 Mar 2003 09:01:20 -0500


Hi,

Loki <loki () fatelabs com> writes:

This may have been something you tried, but looking at that path, it
looks like fport doesn't know how to interpret the initial dir name. Is
it an ASCII char space, ALT-255, etc? ALT-255 directories will not show
up at all in Windows. It looks like someone either copied winlogin.exe
to another dir and bound it to port 109, or it's not winlogin at all, and
rather, a trojan that's been renamed to winlogin to fool the admin.
...
On Wed, 2003-03-12 at 11:54, Douglas Brown wrote:
...
220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe

According to "Developing Windows NT Device Drivers - A Programmer's
Handbook", by Dekker and Newcomer: \??\ is "the directory of all named
devices available for CreateFile". When a program tries to open
C:\WINNT\system32\winlogon.exe, "C:" is translated to "\??\C:" by the Win32
subsystem.

Since fport normally does not display the "\??\" prefix, I am wondering if
this might be a clue to how winlogon.exe was run.

B Cing U

Buck
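The two clues raised in this thread (an NT object-manager `\??\` prefix where fport normally prints a Win32 path, and a directory name made of characters Windows will not render, such as ALT-255) are easy to check mechanically across a whole fport listing. The script below is an added example, not code from the original mail or from fport itself: it parses lines in the format quoted above, strips the `\??\` prefix, and flags well-known system binaries that are listening at all, that run from somewhere other than the assumed `C:\WINNT\system32` location, or whose path contains invisible characters. The sample listing, the expected-location table and the assumption that ALT-255 in a CP437 console yields the non-breaking space U+00A0 are all constructed for the example.

```python
r"""Triage fport-style output for the clues discussed in the thread.

Added example (not fport's own code). Each line is expected to look like
    220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe
and is checked for:
  * an NT object-manager path prefix (\??\) where fport usually prints a
    plain Win32 path;
  * a well-known system binary whose image path is not the assumed
    system32 location;
  * invisible characters in the path (e.g. the non-breaking space that
    ALT-255 produces in a CP437 console, assumed to be U+00A0).
"""
import re
import unicodedata

NT_PREFIX = "\\??\\"

# Assumed baseline (constructed): where these binaries live on an NT/2000
# box.  None of them is expected to listen on a TCP/UDP port.
EXPECTED_SYSTEM_BINARIES = {
    "winlogon.exe": "c:\\winnt\\system32\\winlogon.exe",
    "lsass.exe": "c:\\winnt\\system32\\lsass.exe",
    "services.exe": "c:\\winnt\\system32\\services.exe",
}

# Constructed sample listing modelled on the single line quoted in the mail.
SAMPLE_FPORT_OUTPUT = (
    "Pid   Process            Port  Proto Path\n"
    "4     System         ->  445   TCP\n"
    "220   winlogon       ->  109   TCP   \\??\\C:\\WINNT\\system32\\winlogon.exe\n"
    "556   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe\n"
    "1044  winlogon       ->  6667  TCP   C:\\WINNT\\system32\\\u00a0\\winlogon.exe\n"
)

FPORT_LINE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s*(?P<path>.*)$"
)


def normalize_path(path):
    """Strip the NT namespace prefix; return (win32_path, had_nt_prefix)."""
    if path.startswith(NT_PREFIX):
        return path[len(NT_PREFIX):], True
    return path, False


def invisible_chars(path):
    """Characters Explorer/cmd would render as nothing or as blank space."""
    return [c for c in path
            if c != " " and unicodedata.category(c) in ("Zs", "Cc", "Cf")]


def triage_line(line):
    """Parse one fport line and return a dict with its findings, or None."""
    m = FPORT_LINE.match(line.strip())
    if not m:
        return None
    path, had_prefix = normalize_path(m.group("path"))
    findings = []
    if had_prefix:
        findings.append("nt_object_path_prefix")
    if invisible_chars(path):
        findings.append("hidden_chars_in_path")
    basename = path.rsplit("\\", 1)[-1].lower() if path else ""
    expected = EXPECTED_SYSTEM_BINARIES.get(basename)
    if expected is not None:
        if path.lower() != expected:
            findings.append("system_binary_outside_system32")
        findings.append("system_binary_listening")
    return {
        "pid": int(m.group("pid")),
        "process": m.group("proc"),
        "port": int(m.group("port")),
        "proto": m.group("proto"),
        "path": path,
        "findings": findings,
    }


def triage(output):
    """Return only the listener lines that raised at least one finding."""
    rows = (triage_line(l) for l in output.splitlines())
    return [r for r in rows if r is not None and r["findings"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_FPORT_OUTPUT):
        print(r["pid"], r["process"], r["proto"], r["port"],
              repr(r["path"]), ", ".join(r["findings"]))
```

Run against the constructed listing, only the two winlogon rows surface: the one quoted in the thread is flagged for the `\??\` prefix and for winlogon listening at all, and the second for the invisible directory name and the resulting non-standard path. The legitimate svchost listener and the kernel System entry produce no findings, so the check is usable as a quick filter over a full fport dump rather than something that needs reading line by line.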



