Hi,

Loki <lokiat_private> writes:

>This may have been something you tried, but looking at that path, it
>looks like fport doesn't know how to interpret the initial dir name. Is
>it an ASCII char space, ALT-255, etc.? Alt-255 directories will not show
>up at all in Windows. It looks like someone either copied winlogin.exe
>to another dir and bound it to port 109, or it's not winlogin at all, and
>rather, a trojan that's been renamed to winlogin to fool the admin.
...
>>On Wed, 2003-03-12 at 11:54, Douglas Brown wrote:
...
>> 220 winlogon -> 109 TCP \??\C:\WINNT\system32\winlogon.exe

According to "Developing Windows NT Device Drivers - A Programmer's Handbook", by Dekker and Newcomer:

\??\ is "the directory of all named devices available for CreateFile".

When a program tries to open C:\WINNT\system32\winlogon.exe, "C:" is translated to "\??\C:" by the Win32 subsystem. Since fport normally does not display the "\??\" prefix, I am wondering if this might be a clue to how winlogon.exe was run.

B Cing U
Buck
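The thread above raises several things a reviewer of fport output would want checked automatically: a path shown with the NT object-manager "\??\" prefix instead of a bare drive letter, a directory name containing non-printable characters (the Alt-255 trick Loki mentions), a binary carrying a core system name but running from outside System32, and winlogon owning a listening socket at all. The script below is an added example, not code from this thread or from fport's authors; it parses lines in the "pid process -> port proto path" layout quoted above (an assumption about fport's column format) over a constructed sample and returns the findings per entry.

```python
import re
from typing import Dict, List, Optional

# One fport data line: "<pid> <process> -> <port> <proto> <path>"
# (assumed column layout, matching the line quoted in the thread).
FPORT_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<process>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s*(?P<path>.*?)\s*$"
)

NT_PREFIX = "\\??\\"   # the \??\ object-manager directory discussed above

# Core Windows binaries that live in System32; most of them never listen.
SYSTEM32_ONLY = {"winlogon", "lsass", "csrss", "smss", "services", "svchost"}
NOT_LISTENERS = {"winlogon", "csrss", "smss"}


def parse_fport_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one fport data line, or None for header/blank lines."""
    m = FPORT_LINE.match(line)
    return m.groupdict() if m else None


def check_entry(e: Dict[str, str]) -> List[str]:
    """Apply the thread's heuristics to one parsed entry and list what looks off."""
    findings: List[str] = []
    path = e["path"]
    name = e["process"].lower()

    # 1. fport normally shows "C:\...", so a \??\ prefix is itself unusual.
    if path.startswith(NT_PREFIX):
        findings.append("path carries the NT prefix \\??\\ instead of a bare drive letter")
        path = path[len(NT_PREFIX):]

    # 2. Directory names made of non-printable/non-ASCII characters (e.g. Alt-255).
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in path):
        findings.append("path contains non-printable or non-ASCII characters")

    # 3. A system binary name whose parent directory is not System32.
    if name in SYSTEM32_ONLY and path:
        parent = path.rsplit("\\", 1)[0].lower()
        if not parent.endswith("\\system32"):
            findings.append("system binary name running outside System32: " + path)

    # 4. Processes that should not own a listening socket at all.
    if name in NOT_LISTENERS:
        findings.append(f"{e['process']} does not normally listen ({e['proto']}/{e['port']})")

    return findings


def scan(lines) -> Dict[tuple, List[str]]:
    """Map (pid, process, port) -> findings for every entry that triggered a check."""
    report: Dict[tuple, List[str]] = {}
    for line in lines:
        e = parse_fport_line(line)
        if e is None:
            continue
        findings = check_entry(e)
        if findings:
            report[(e["pid"], e["process"], e["port"])] = findings
    return report


# Constructed sample in fport's layout; only the 220/winlogon/109 line comes
# from the thread, the others are made up to exercise each heuristic.
SAMPLE_OUTPUT = [
    "Pid   Process        Port  Proto Path",
    "220   winlogon   ->  109   TCP   \\??\\C:\\WINNT\\system32\\winlogon.exe",
    "412   svchost    ->  135   TCP   C:\\WINNT\\system32\\svchost.exe",
    "8     System     ->  445   TCP",
    "1337  winlogon   ->  1029  TCP   C:\\WINNT\\Temp\\winlogon.exe",
    "1500  winlogon   ->  6000  TCP   C:\\WINNT\\\xa0\\winlogon.exe",   # \xa0 = Alt-255-style name
]

if __name__ == "__main__":
    for key, findings in scan(SAMPLE_OUTPUT).items():
        print(key)
        for f in findings:
            print("   -", f)
```

Run it on a saved fport listing (one line per list element) and only entries that trip a check are reported; the svchost and System lines in the sample are silent, while the line quoted in the thread is flagged both for the "\??\" prefix and because winlogon listening on TCP/109 is unexpected.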
This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 08:23:15 PST