LSA Shell

My firewall picked up something coming into my compuyter.  I am trying to find out what it is, and whether it is an attempted hack on my system.

Here is the info given by my firewall....  I want to know what is going on with this, and whether I should allow this network traffic onto my system:


File Version :            5.1.2600.1106 (xpsp1.020828-1920)
File Description :      LSA Shell (Export Version)
File Path :            C:\WINDOWS\system32\lsass.exe
Process ID :            200 (Heximal) 512 (Decimal)

Connection origin :      remote initiated
Protocol :            UDP
Local Address :       207.136.232.33
Local Port :            500 (ISAKMP - Internet Security Association and Key Management/IPSEC Key Exchange)
Remote Name :                  
Remote Address :      63.236.3.19
Remote Port :            134

Ethernet packet details:
Ethernet II (Packet Length: 225)
      Destination:       02-08-a1-01-33-7f
      Source:       02-60-58-24-0a-28
Type: IP (0x0800)
Internet Protocol
      Version: 4
      Header Length: 20 bytes
      Flags:
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
      Fragment offset:185
      Time to live: 52
      Protocol: 0x11 (UDP - User Datagram Protocol)
      Header checksum: 0x6c55 (Correct)
      Source: 63.236.3.19
      Destination: 207.136.232.33
User Datagram Protocol
      Source port: 134
      Destination port: 500
      Length: 8
      Checksum: 0x9924 (Incorrect - Checksum should be 0x7d83)
Data (37449 Bytes)

Binary dump of the packet:
0000:  02 08 A1 01 33 7F 02 60 : 58 24 0A 28 08 00 45 00 | ....3..`X$.(..E.
0010:  00 D3 35 4C 00 B9 34 11 : 55 6C 3F EC 03 13 CF 88 | ..5L..4.Ul?.....
0020:  E8 21 00 86 01 F4 92 49 : 24 99 20 98 FA A0 80 31 | .!.....I$. ....1
0030:  43 54 55 D1 34 BB DB 79 : 92 49 3A 3B 06 55 78 79 | CTU.4..y.I:;.Uxy
0040:  BB 5F 78 A4 22 34 4C AF : C5 FD 34 3E 7F 4D 05 25 | ._x."4L...4>.M.%
0050:  8D 31 0B 12 04 16 11 71 : F7 9F 54 A7 AD 9D E3 E0 | .1.....q..T.....
0060:  ED E8 45 29 7C 16 D3 3A : 9D 1A 80 8D DF 0F 5B 13 | ..E)|..:......[.
0070:  BA 5A 0D 05 66 97 E5 85 : 63 DB A8 E3 42 D6 03 5B | .Z..f...c...B..[
0080:  14 36 0C 10 C4 9A 12 90 : EB 15 91 4B C7 BA DD A8 | .6.........K....
0090:  F4 90 88 29 36 BF 04 41 : 49 B5 FA AB 88 BF AF DD | ...)6..AI.......
00A0:  2E 96 A6 DF 94 2D 71 82 : 18 C8 21 9C 7C 46 DF 4A | .....-q...!.|F.J
00B0:  4D 0B 03 4A D2 DA D9 64 : 0C 6D C1 BA BD 05 9F 04 | M..J...d.m......
00C0:  40 00 00 B7 BD 6C 4F 2E : 52 6D F6 F7 E6 08 02 E6 | @....lO.Rm......
00D0:  EC AF DE C9 69 BD B3 0C : 1A E6 5B 11 B6 92 A0 22 | ....i.....[...."
00E0:  54                      :                         | T              
dan_allen_dot_comAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Robing66066Commented:
Port 500 is used for VPN.  Unless you are doing VPN, you don't need to allow that traffic.
chicagoanCommented:
You're not alone:
http://isc.incidents.org/port_details.html?port=500
This port might be used by vulnerability CAN-2003-0108 (affects tcpdump) and CAN-2002-1103 (affects the Cisco VPN concentrator)

There seems to be increasing scanning in this port (as described in http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00374.html) which might be related to the release of a new tool (ike-scan, see http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00354.html)
see also
http://www.kb.cert.org/vuls/id/761651
http://www.kb.cert.org/vuls/id/677337
http://www.kb.cert.org/vuls/id/287771

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dan_allen_dot_comAuthor Commented:
Thank you chicagoan.

I don't really understand what this is about yet though.  Is someone trying to do something malicious to my machine?  What would happen if I allowed this traffic and the attacker was successful?

Robing66066Commented:
If you are running a VPN device or software, then you might be at risk.  Check the articles that Chicagoan mentioned.  If you're not, you are likely not at risk.
chicagoanCommented:
>I don't really understand what this is about yet though.
THese are people (or zombie machines) probing for a vulnerability.

> Is someone trying to do something malicious to my machine?  
Yes

>What would happen if I allowed this traffic and the attacker was successful?
THis particular probe reboots a Cisco Remote Access Concentrator, a device that allows remote workers to access their corporate network through a VPN, as you likely don't have one of these, it would just be shrugged off.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.