Solved

LSA Shell

Posted on 2003-12-08
8
879 Views
Last Modified: 2007-12-19
My firewall picked up something coming into my compuyter.  I am trying to find out what it is, and whether it is an attempted hack on my system.

Here is the info given by my firewall....  I want to know what is going on with this, and whether I should allow this network traffic onto my system:


File Version :            5.1.2600.1106 (xpsp1.020828-1920)
File Description :      LSA Shell (Export Version)
File Path :            C:\WINDOWS\system32\lsass.exe
Process ID :            200 (Heximal) 512 (Decimal)

Connection origin :      remote initiated
Protocol :            UDP
Local Address :       207.136.232.33
Local Port :            500 (ISAKMP - Internet Security Association and Key Management/IPSEC Key Exchange)
Remote Name :                  
Remote Address :      63.236.3.19
Remote Port :            134

Ethernet packet details:
Ethernet II (Packet Length: 225)
      Destination:       02-08-a1-01-33-7f
      Source:       02-60-58-24-0a-28
Type: IP (0x0800)
Internet Protocol
      Version: 4
      Header Length: 20 bytes
      Flags:
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
      Fragment offset:185
      Time to live: 52
      Protocol: 0x11 (UDP - User Datagram Protocol)
      Header checksum: 0x6c55 (Correct)
      Source: 63.236.3.19
      Destination: 207.136.232.33
User Datagram Protocol
      Source port: 134
      Destination port: 500
      Length: 8
      Checksum: 0x9924 (Incorrect - Checksum should be 0x7d83)
Data (37449 Bytes)

Binary dump of the packet:
0000:  02 08 A1 01 33 7F 02 60 : 58 24 0A 28 08 00 45 00 | ....3..`X$.(..E.
0010:  00 D3 35 4C 00 B9 34 11 : 55 6C 3F EC 03 13 CF 88 | ..5L..4.Ul?.....
0020:  E8 21 00 86 01 F4 92 49 : 24 99 20 98 FA A0 80 31 | .!.....I$. ....1
0030:  43 54 55 D1 34 BB DB 79 : 92 49 3A 3B 06 55 78 79 | CTU.4..y.I:;.Uxy
0040:  BB 5F 78 A4 22 34 4C AF : C5 FD 34 3E 7F 4D 05 25 | ._x."4L...4>.M.%
0050:  8D 31 0B 12 04 16 11 71 : F7 9F 54 A7 AD 9D E3 E0 | .1.....q..T.....
0060:  ED E8 45 29 7C 16 D3 3A : 9D 1A 80 8D DF 0F 5B 13 | ..E)|..:......[.
0070:  BA 5A 0D 05 66 97 E5 85 : 63 DB A8 E3 42 D6 03 5B | .Z..f...c...B..[
0080:  14 36 0C 10 C4 9A 12 90 : EB 15 91 4B C7 BA DD A8 | .6.........K....
0090:  F4 90 88 29 36 BF 04 41 : 49 B5 FA AB 88 BF AF DD | ...)6..AI.......
00A0:  2E 96 A6 DF 94 2D 71 82 : 18 C8 21 9C 7C 46 DF 4A | .....-q...!.|F.J
00B0:  4D 0B 03 4A D2 DA D9 64 : 0C 6D C1 BA BD 05 9F 04 | M..J...d.m......
00C0:  40 00 00 B7 BD 6C 4F 2E : 52 6D F6 F7 E6 08 02 E6 | @....lO.Rm......
00D0:  EC AF DE C9 69 BD B3 0C : 1A E6 5B 11 B6 92 A0 22 | ....i.....[...."
00E0:  54                      :                         | T              
0
Comment
Question by:dan_allen_dot_com
  • 2
  • 2
8 Comments
 
LVL 7

Expert Comment

by:Robing66066
ID: 9900769
Port 500 is used for VPN.  Unless you are doing VPN, you don't need to allow that traffic.
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 30 total points
ID: 9902088
You're not alone:
http://isc.incidents.org/port_details.html?port=500
This port might be used by vulnerability CAN-2003-0108 (affects tcpdump) and CAN-2002-1103 (affects the Cisco VPN concentrator)

There seems to be increasing scanning in this port (as described in http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00374.html) which might be related to the release of a new tool (ike-scan, see http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00354.html)
see also
http://www.kb.cert.org/vuls/id/761651
http://www.kb.cert.org/vuls/id/677337
http://www.kb.cert.org/vuls/id/287771
0
 

Author Comment

by:dan_allen_dot_com
ID: 9916194
Thank you chicagoan.

I don't really understand what this is about yet though.  Is someone trying to do something malicious to my machine?  What would happen if I allowed this traffic and the attacker was successful?

0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9916251
If you are running a VPN device or software, then you might be at risk.  Check the articles that Chicagoan mentioned.  If you're not, you are likely not at risk.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9916419
>I don't really understand what this is about yet though.
THese are people (or zombie machines) probing for a vulnerability.

> Is someone trying to do something malicious to my machine?  
Yes

>What would happen if I allowed this traffic and the attacker was successful?
THis particular probe reboots a Cisco Remote Access Concentrator, a device that allows remote workers to access their corporate network through a VPN, as you likely don't have one of these, it would just be shrugged off.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Minimum security requirements for WiFi in GPO 10 78
MS hosted exhange security 2 36
AWS Default Security Group Question 3 33
Review of a VPN cert policy 4 28
With healthcare moving into the digital age with things like Healthcare.gov, the digitization of patient records and video conferencing with patients, data has a much greater chance of being exposed than ever before.
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question