Solved

LSA Shell

Posted on 2003-12-08
Last Modified: 2007-12-19
My firewall picked up something coming into my computer.  I am trying to find out what it is, and whether it is an attempted hack on my system.

Here is the info given by my firewall....  I want to know what is going on with this, and whether I should allow this network traffic onto my system:


File Version :            5.1.2600.1106 (xpsp1.020828-1920)
File Description :      LSA Shell (Export Version)
File Path :            C:\WINDOWS\system32\lsass.exe
Process ID :            200 (Heximal) 512 (Decimal)

Connection origin :      remote initiated
Protocol :            UDP
Local Address :       207.136.232.33
Local Port :            500 (ISAKMP - Internet Security Association and Key Management/IPSEC Key Exchange)
Remote Name :                  
Remote Address :      63.236.3.19
Remote Port :            134

Ethernet packet details:
Ethernet II (Packet Length: 225)
      Destination:       02-08-a1-01-33-7f
      Source:       02-60-58-24-0a-28
Type: IP (0x0800)
Internet Protocol
      Version: 4
      Header Length: 20 bytes
      Flags:
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
      Fragment offset:185
      Time to live: 52
      Protocol: 0x11 (UDP - User Datagram Protocol)
      Header checksum: 0x6c55 (Correct)
      Source: 63.236.3.19
      Destination: 207.136.232.33
User Datagram Protocol
      Source port: 134
      Destination port: 500
      Length: 8
      Checksum: 0x9924 (Incorrect - Checksum should be 0x7d83)
Data (37449 Bytes)

Binary dump of the packet:
0
Comment
Question by:dan_allen_dot_com
 
LVL 7

Expert Comment

by:Robing66066
ID: 9900769
Port 500 is used for VPN.  Unless you are doing VPN, you don't need to allow that traffic.
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 30 total points
ID: 9902088
You're not alone:
http://isc.incidents.org/port_details.html?port=500
This port might be used by vulnerability CAN-2003-0108 (affects tcpdump) and CAN-2002-1103 (affects the Cisco VPN concentrator)

There seems to be increasing scanning in this port (as described in http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00374.html) which might be related to the release of a new tool (ike-scan, see http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00354.html)
see also
http://www.kb.cert.org/vuls/id/761651
http://www.kb.cert.org/vuls/id/677337
http://www.kb.cert.org/vuls/id/287771
0
 

Author Comment

by:dan_allen_dot_com
ID: 9916194
Thank you chicagoan.

I don't really understand what this is about yet though.  Is someone trying to do something malicious to my machine?  What would happen if I allowed this traffic and the attacker was successful?

0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9916251
If you are running a VPN device or software, then you might be at risk.  Check the articles that Chicagoan mentioned.  If you're not, you are likely not at risk.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9916419
>I don't really understand what this is about yet though.
These are people (or zombie machines) probing for a vulnerability.

> Is someone trying to do something malicious to my machine?  
Yes

>What would happen if I allowed this traffic and the attacker was successful?
This particular probe reboots a Cisco Remote Access Concentrator, a device that allows remote workers to access their corporate network through a VPN. As you likely don't have one of these, it would just be shrugged off.
0
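
The triage rule given in the comments above (unsolicited UDP to local port 500 is only needed on a host that uses a VPN), applied to an alert in the firewall's layout. This is an added example, not part of the original thread; `parse_alert`, `triage` and the `host_uses_ipsec_vpn` flag are hypothetical names, and the sample alert is constructed from the fields shown in the question.

```python
import re

# Constructed sample in the alert layout shown in the question; field names
# and values are copied from the post, the layout handling is an assumption.
SAMPLE_ALERT = """\
File Path :            C:\\WINDOWS\\system32\\lsass.exe
Connection origin :      remote initiated
Protocol :            UDP
Local Address :       207.136.232.33
Local Port :            500 (ISAKMP - Internet Security Association and Key Management/IPSEC Key Exchange)
Remote Address :      63.236.3.19
Remote Port :            134
"""

IKE_PORT = 500  # ISAKMP/IKE, the port named in the alert


def parse_alert(text):
    """Turn 'Key : value' lines into a dict; ports become integers."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" :")
        if not sep:
            continue  # not a field line (blank line, section header)
        fields[key.strip().lower()] = value.strip()
    for name in ("local port", "remote port"):
        # "500 (ISAKMP - ...)" -> 500; drop the firewall's annotation
        match = re.match(r"\d+", fields.get(name, ""))
        fields[name] = int(match.group()) if match else None
    return fields


def triage(alert, host_uses_ipsec_vpn):
    """Apply the advice from the thread to one parsed alert."""
    unsolicited = alert.get("connection origin", "").lower() == "remote initiated"
    to_ike = (alert.get("protocol", "").upper() == "UDP"
              and alert.get("local port") == IKE_PORT)
    if not (unsolicited and to_ike):
        return "out of scope"   # the rule only covers inbound UDP/500
    if host_uses_ipsec_vpn:
        return "review"         # IKE is expected here: check the linked advisories
    return "block"              # no VPN in use, nothing on the host needs this
```
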
