Re: [unisog] Re: Port 109 Mystery

From: David Moisan (dmoisan@davidmoisan.org)
Date: 03/14/03

  • Next message: Martin Roesch: "Re: [Snort-sigs] Snort Signatures for LSD-PL.NET Exploit" 
    Date: Thu, 13 Mar 2003 23:21:15 -0500
To: incidents@securityfocus.com
From: David Moisan <dmoisan@davidmoisan.org>

    At 09:01 AM 3/13/2003 -0500, Buck Buchanan wrote:

    >Since fport normally does not display the "\??\" prefix, I am wondering if
    >this might be a clue to how winlogon.exe was run.

    Winlogon is a native process (as opposed to a Win32 process). It runs
    early in the boot process. As someone else noted, the path you saw is normal.

    It *does* have a DLL, MSGINA.DLL; this gets the logon info from the user
    for Winlogon. It's designed so that third-parties can use, say, a
    biometric MSGINA in place of the usual prompt.

    Next question is if it's possible for MSGINA to be co-opted?

    "Inside Windows 2000" is the best investment any Windows admin can make,
    next to the RK.

    Take care,

    Dave

    David Moisan, N1KGH ARES/SKYWARN dmoisan@davidmoisan.org
    Invisible Disability: http://www1.shore.net/~dmoisan/invisible_disability.html
    ATS-909 FAQ: http://www1.shore.net/~dmoisan/faqs/sangean/ats909faq.html

    ----------------------------------------------------------------------------

    <Pre>Lose another weekend managing your IDS?
    Take back your personal time.
    15-day free trial of StillSecure Border Guard.</Pre>
    <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>

  • Next message: Martin Roesch: "Re: [Snort-sigs] Snort Signatures for LSD-PL.NET Exploit"