Solved

LSA Shell

Posted on 2003-12-08
8
869 Views
Last Modified: 2007-12-19
My firewall picked up something coming into my compuyter.  I am trying to find out what it is, and whether it is an attempted hack on my system.

Here is the info given by my firewall....  I want to know what is going on with this, and whether I should allow this network traffic onto my system:


File Version :            5.1.2600.1106 (xpsp1.020828-1920)
File Description :      LSA Shell (Export Version)
File Path :            C:\WINDOWS\system32\lsass.exe
Process ID :            200 (Heximal) 512 (Decimal)

Connection origin :      remote initiated
Protocol :            UDP
Local Address :       207.136.232.33
Local Port :            500 (ISAKMP - Internet Security Association and Key Management/IPSEC Key Exchange)
Remote Name :                  
Remote Address :      63.236.3.19
Remote Port :            134

Ethernet packet details:
Ethernet II (Packet Length: 225)
      Destination:       02-08-a1-01-33-7f
      Source:       02-60-58-24-0a-28
Type: IP (0x0800)
Internet Protocol
      Version: 4
      Header Length: 20 bytes
      Flags:
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
      Fragment offset:185
      Time to live: 52
      Protocol: 0x11 (UDP - User Datagram Protocol)
      Header checksum: 0x6c55 (Correct)
      Source: 63.236.3.19
      Destination: 207.136.232.33
User Datagram Protocol
      Source port: 134
      Destination port: 500
      Length: 8
      Checksum: 0x9924 (Incorrect - Checksum should be 0x7d83)
Data (37449 Bytes)

Binary dump of the packet:
0000:  02 08 A1 01 33 7F 02 60 : 58 24 0A 28 08 00 45 00 | ....3..`X$.(..E.
0010:  00 D3 35 4C 00 B9 34 11 : 55 6C 3F EC 03 13 CF 88 | ..5L..4.Ul?.....
0020:  E8 21 00 86 01 F4 92 49 : 24 99 20 98 FA A0 80 31 | .!.....I$. ....1
0030:  43 54 55 D1 34 BB DB 79 : 92 49 3A 3B 06 55 78 79 | CTU.4..y.I:;.Uxy
0040:  BB 5F 78 A4 22 34 4C AF : C5 FD 34 3E 7F 4D 05 25 | ._x."4L...4>.M.%
0050:  8D 31 0B 12 04 16 11 71 : F7 9F 54 A7 AD 9D E3 E0 | .1.....q..T.....
0060:  ED E8 45 29 7C 16 D3 3A : 9D 1A 80 8D DF 0F 5B 13 | ..E)|..:......[.
0070:  BA 5A 0D 05 66 97 E5 85 : 63 DB A8 E3 42 D6 03 5B | .Z..f...c...B..[
0080:  14 36 0C 10 C4 9A 12 90 : EB 15 91 4B C7 BA DD A8 | .6.........K....
0090:  F4 90 88 29 36 BF 04 41 : 49 B5 FA AB 88 BF AF DD | ...)6..AI.......
00A0:  2E 96 A6 DF 94 2D 71 82 : 18 C8 21 9C 7C 46 DF 4A | .....-q...!.|F.J
00B0:  4D 0B 03 4A D2 DA D9 64 : 0C 6D C1 BA BD 05 9F 04 | M..J...d.m......
00C0:  40 00 00 B7 BD 6C 4F 2E : 52 6D F6 F7 E6 08 02 E6 | @....lO.Rm......
00D0:  EC AF DE C9 69 BD B3 0C : 1A E6 5B 11 B6 92 A0 22 | ....i.....[...."
00E0:  54                      :                         | T              
0
Comment
Question by:dan_allen_dot_com
  • 2
  • 2
8 Comments
 
LVL 7

Expert Comment

by:Robing66066
Comment Utility
Port 500 is used for VPN.  Unless you are doing VPN, you don't need to allow that traffic.
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 30 total points
Comment Utility
You're not alone:
http://isc.incidents.org/port_details.html?port=500
This port might be used by vulnerability CAN-2003-0108 (affects tcpdump) and CAN-2002-1103 (affects the Cisco VPN concentrator)

There seems to be increasing scanning in this port (as described in http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00374.html) which might be related to the release of a new tool (ike-scan, see http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00354.html)
see also
http://www.kb.cert.org/vuls/id/761651
http://www.kb.cert.org/vuls/id/677337
http://www.kb.cert.org/vuls/id/287771
0
 

Author Comment

by:dan_allen_dot_com
Comment Utility
Thank you chicagoan.

I don't really understand what this is about yet though.  Is someone trying to do something malicious to my machine?  What would happen if I allowed this traffic and the attacker was successful?

0
 
LVL 7

Expert Comment

by:Robing66066
Comment Utility
If you are running a VPN device or software, then you might be at risk.  Check the articles that Chicagoan mentioned.  If you're not, you are likely not at risk.
0
 
LVL 18

Expert Comment

by:chicagoan
Comment Utility
>I don't really understand what this is about yet though.
THese are people (or zombie machines) probing for a vulnerability.

> Is someone trying to do something malicious to my machine?  
Yes

>What would happen if I allowed this traffic and the attacker was successful?
THis particular probe reboots a Cisco Remote Access Concentrator, a device that allows remote workers to access their corporate network through a VPN, as you likely don't have one of these, it would just be shrugged off.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now