RE: Port 109 Mystery

From: James C Slora Jr (Jim.Slora@phra.com)
Date: 03/13/03

  • Next message: larosa, vjay: "FW: CodeRed Observations." 
    From: "James C Slora Jr" <Jim.Slora@phra.com>
To: <doug@unc.edu>, <incidents@securityfocus.com>, <unisog@sans.org>
Date: Wed, 12 Mar 2003 22:52:36 -0500

    Douglas Brown wrote Wednesday, March 12, 2003 11:55

    > 220 winlogon -> 109 TCP \??\C:\WINNT\system32\winlogon.exe

    This output does not indicate confusion about the path. It just means
    c:\WINNT\system32\winlogon.exe, and it is the normal path reported for
    Winlogon by fport and other utilities.

    As to why it is reported like that, here's a quote from
    http://msdn.microsoft.com/msdnmag/issues/02/06/debug/default.aspx
    " For some reason, the path names returned by GetModuleFilenameEx or the
    TOOLHELP32 module functions are very strange; they don't follow the Win32
    standard. For example, smss is retrieved as "\SystemRoot\System32\smss.exe";
    "\SystemRoot must be replaced by the actual name of the Windows folder. For
    winlogon, you get "\??\C:\WINNT\system32\winlogon.exe," which should be
    translated into "C:\WINNT\system32\winlogon.exe." The \??\ prefix might be a
    leftover from the Windows NT namespace root, essential in kernel mode, even
    though it is rarely used at the Win32 programming level. "

    So don't worry about the path reported by fport. The TCP 109 looks rather odd,
    though. I don't know the answer to that.

    ----------------------------------------------------------------------------

    <Pre>Lose another weekend managing your IDS?
    Take back your personal time.
    15-day free trial of StillSecure Border Guard.</Pre>
    <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>

  • Next message: larosa, vjay: "FW: CodeRed Observations."
    • Quantcast