dan_allen_dot_com
LSA Shell
My firewall picked up something coming into my computer. I am trying to find out what it is, and whether it is an attempted hack on my system.
Here is the info given by my firewall.... I want to know what is going on with this, and whether I should allow this network traffic onto my system:
File Version : 5.1.2600.1106 (xpsp1.020828-1920)
File Description : LSA Shell (Export Version)
File Path : C:\WINDOWS\system32\lsass.exe
Process ID : 200 (Heximal) 512 (Decimal)
Connection origin : remote initiated
Protocol : UDP
Local Address : 207.136.232.33
Local Port : 500 (ISAKMP - Internet Security Association and Key Management/IPSEC Key Exchange)
Remote Name :
Remote Address : 63.236.3.19
Remote Port : 134
Ethernet packet details:
Ethernet II (Packet Length: 225)
Destination: 02-08-a1-01-33-7f
Source: 02-60-58-24-0a-28
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:185
Time to live: 52
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0x6c55 (Correct)
Source: 63.236.3.19
Destination: 207.136.232.33
User Datagram Protocol
Source port: 134
Destination port: 500
Length: 8
Checksum: 0x9924 (Incorrect - Checksum should be 0x7d83)
Data (37449 Bytes)
Binary dump of the packet:
Port 500 is used for VPN. Unless you are doing VPN, you don't need to allow that traffic.
ASKER
Thank you chicagoan.
I don't really understand what this is about yet though. Is someone trying to do something malicious to my machine? What would happen if I allowed this traffic and the attacker was successful?
If you are running a VPN device or software, then you might be at risk. Check the articles that Chicagoan mentioned. If you're not, you are likely not at risk.
>I don't really understand what this is about yet though.
These are people (or zombie machines) probing for a vulnerability.
> Is someone trying to do something malicious to my machine?
Yes
>What would happen if I allowed this traffic and the attacker was successful?
This particular probe reboots a Cisco Remote Access Concentrator, a device that allows remote workers to access their corporate network through a VPN. As you likely don't have one of these, it would just be shrugged off.
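As an added example (not part of this thread), here is how the Ethernet and IPv4 headers from the hex dump in the question decode in Python. The 42 header bytes in WIRE are transcribed from the dump; decode() and assess() are my own helper names, and the finding text is my defender-side reading of the fields, not the firewall's.

```python
import struct

# Added example, not from the thread. WIRE is the first 42 bytes of the hex dump in the
# question: Ethernet II (14) + IPv4 header (20) + the 8 bytes the firewall decoded as UDP.
WIRE = bytes.fromhex(
    "0208a101337f026058240a280800"              # dst MAC, src MAC, EtherType 0x0800
    "450000d3354c00b93411556c3fec0313cf88e821"  # IPv4 header, 20 bytes
    "008601f492492499"                          # next 8 bytes, labelled "UDP" by the firewall
)

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum of an IPv4 header whose checksum field is zeroed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode(frame: bytes) -> dict:
    """Parse Ethernet II + IPv4 and record whether a UDP header can be present at all."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, flags_frag, _ttl, proto, stored = struct.unpack("!HHHBBH", ip[2:12])
    offset = (flags_frag & 0x1FFF) * 8          # fragment offset is counted in 8-byte units
    zeroed = ip[:10] + b"\x00\x00" + ip[12:ihl]
    # Only the fragment at offset 0 carries the UDP header; later fragments are pure payload.
    ports_len_sum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    return {
        "frame_length": 14 + total_len,         # 225, as the firewall reported
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "protocol": proto,                      # 17 = UDP
        "fragment_offset_bytes": offset,
        "more_fragments": bool(flags_frag & 0x2000),
        "header_checksum_ok": ip_checksum(zeroed) == stored,  # 0x556c; firewall printed it byte-swapped
        "transport_header_present": offset == 0,
        "bytes_read_as_udp": ports_len_sum,     # (src port, dst port, length, checksum)
    }

def assess(info: dict) -> list:
    """Defender's reading: what the firewall's decode proves and what it does not."""
    findings = []
    if not info["transport_header_present"]:
        sport, dport, ulen, _ = info["bytes_read_as_udp"]
        findings.append("non-initial IPv4 fragment at byte offset %d: the 'UDP' ports %d/%d and "
                        "length %d are payload bytes, not a UDP header; drop orphan fragments"
                        % (info["fragment_offset_bytes"], sport, dport, ulen))
    if not info["header_checksum_ok"]:
        findings.append("IP header checksum does not verify")
    return findings
```

Running assess(decode(WIRE)) shows that the logged "Length: 8" / "Data (37449 Bytes)" oddity comes from reading payload bytes of a fragment with offset 185 as a UDP header, so the port-500 attribution to lsass.exe rests on a fragment the firewall could not actually reassemble.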