Re: [unisog] Re: Port 109 Mystery

From: Buck Buchanan (lbuchana@csc.com)
Date: 03/13/03

Next message: larosa, vjay: "RE: CodeRed Observations."

Previous message: Carey, Steve T GARRISON: "RE: Defaced website listing..."
Next in thread: Harlan Carvey: "Re: [unisog] Re: Port 109 Mystery"
Reply: Harlan Carvey: "Re: [unisog] Re: Port 109 Mystery"
Maybe reply: David Moisan: "Re: [unisog] Re: Port 109 Mystery"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: incidents@securityfocus.com, unisog@sans.org
From: "Buck Buchanan" <lbuchana@csc.com>
Date: Thu, 13 Mar 2003 09:01:20 -0500

Hi,

Loki <loki@fatelabs.com> writes:

>This may have been something you tried, but looking at that path, it
>looks like fport doesnt know how to interpret the initial dir name. Is
>it an ascii char space ALT-255, etc? Alt-255 directories will not show
>up at all in windows. It looks like someone either copied winlogin.exe
>to another dir and bound it to port 109, or its not winlogin at all, and
>rather, a trojan thats been renamed to winlogin to fool the admin.
...
>>On Wed, 2003-03-12 at 11:54, Douglas Brown wrote:
...
>> 220 winlogon -> 109 TCP \??\C:\WINNT\system32\winlogon.exe

According to "Developing Windows NT Device Drivers - A Programmer's
Handbook", by Dekker and Newcomer: \??\ is "the directory of all named
devices available for CreateFile". When a program tries to open C:
\WINNT\system32\winlogon.exe, "C:" is translated to "\??\C:" by the Win32
subsystem.

Since fport normally does not display the "\??\" prefix, I am wondering if
this might be a clue to how winlogon.exe was run.

B Cing U

Buck

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>

Next message: larosa, vjay: "RE: CodeRed Observations."

Previous message: Carey, Steve T GARRISON: "RE: Defaced website listing..."
Next in thread: Harlan Carvey: "Re: [unisog] Re: Port 109 Mystery"
Reply: Harlan Carvey: "Re: [unisog] Re: Port 109 Mystery"
Maybe reply: David Moisan: "Re: [unisog] Re: Port 109 Mystery"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: The performance of Editplus is much better than notepad,Why?
... Linux is one of the finest operating systems to have ever been created in the 1960s. ... windows desktop app developing is .Net,OS is becoming weaker as VM ... If you need to write device drivers, I think that C/C++ is the way to ... If Microsoft "closes" the Win32 APIs for next versions of Windows, ...
(microsoft.public.vc.mfc)
Windows CE Software Engineer Opportunity in Columbia, MD
... Title: Windows CE Software Engineer ... Write device drivers and integrate Windows CE to company's embedded single ... board computers. ... Inc. (ADS) is a leading developer of RISC-based ...
(microsoft.public.windowsce.embedded.vc)
Windows CE Software Engineer Opportunity in Columbia, MD
... Title: Windows CE Software Engineer ... Write device drivers and integrate Windows CE to company's embedded single ... board computers. ... Inc. (ADS) is a leading developer of RISC-based ...
(microsoft.public.pocketpc.developer.networking)
Re: Why linux is so stupid with hardware drivers?
... that sold to both the CP/M and DOS communities B.W. [Before the Windows ... Linux kernel drivers for complex custom systems that are used in ... Driver] programmer I have a bewildering API from which to choose ... some Windows 95 Device Drivers that can still be loaded and function ...
(comp.os.linux.development.system)
Re: Clean installation of XP Pro fails
... I've done three clean installations: two to the customer's disk and one to ... whereas surely a Windows CD is a Windows CD ... I appreciate that there may be PC-specific device drivers to be ...
(uk.comp.misc)