[unisog] Port 109 Mystery

Matt Scarborough vexversa at verizon.net
Fri Mar 14 08:11:12 GMT 2003


On Wed, 12 Mar 2003 11:54:30 -0500, "Douglas Brown" wrote
<3E6F6646.8070904 at email.unc.edu>

> Got a server with port 109 open, requesting a password.


> FPort v1.33 - TCP/IP Process to Port Mapper
> Copyright 2000 by Foundstone, Inc.
> http://www.foundstone.com
> Pid   Process            Port  Proto Path
> 220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe

Check
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
for a REG_SZ value of
GinaDLL
By default, the GinaDLL value does not exist.

If the GinaDLL value does exist, it must point to a replacement for
MSGINA.DLL (the default GINA loaded when no GinaDLL value exists.)

If it exists, the DLL specified by the GinaDLL value will be loaded
automatically by Winlogon.exe, e.g.,
GinaDLL = "C:\WINNT\System32\trojangina.dll"

Couldn't a trojaned GINA explain why the parent process WINLOGON.EXE is
listening on TCP port 109?

Matt Scarborough 2003-03-13
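
Added example (not part of the original post): the GinaDLL check described above, written in Python and run over `reg query` output of the Winlogon key collected from several hosts. The host names and sample outputs are constructed, and treating a bare MSGINA.DLL value as an explicit default is an assumption of this example.

```python
import re

# One value line of `reg query` output: indented name, REG_* type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

# Constructed sample outputs (not from the original post), one per host.
SAMPLES = {
    "host-a": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultUserName    REG_SZ    Administrator
    Shell    REG_SZ    Explorer.exe
""",
    "host-b": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    GinaDLL    REG_SZ    C:\WINNT\System32\trojangina.dll
    Shell    REG_SZ    Explorer.exe
""",
    "host-c": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    ginadll    REG_SZ    MSGINA.DLL
""",
}

def parse_reg_query(text):
    """Return {lowercased value name: (type, data)} for every value line."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name").lower()] = (m.group("type"), m.group("data").strip())
    return values

def check_gina(text):
    """Return (status, data): 'default', 'msgina' or 'replacement'."""
    entry = parse_reg_query(text).get("ginadll")
    if entry is None:
        return ("default", None)       # value absent: Winlogon loads MSGINA.DLL
    data = entry[1].strip('"')
    if data.lower() == "msgina.dll":   # bare default name set explicitly
        return ("msgina", data)
    # Anything else, full paths included, is a replacement GINA to verify on disk.
    return ("replacement", data)

if __name__ == "__main__":
    for host, output in SAMPLES.items():
        status, data = check_gina(output)
        print(f"{host}: {status}" + (f" -> {data}" if data else ""))
```

A "replacement" result only says that Winlogon loads something other than the default GINA; the DLL it names still has to be examined on disk.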


