Solved

LSA Shell

Posted on 2003-12-08
8
875 Views
Last Modified: 2007-12-19
My firewall picked up something coming into my compuyter.  I am trying to find out what it is, and whether it is an attempted hack on my system.

Here is the info given by my firewall....  I want to know what is going on with this, and whether I should allow this network traffic onto my system:


File Version :            5.1.2600.1106 (xpsp1.020828-1920)
File Description :      LSA Shell (Export Version)
File Path :            C:\WINDOWS\system32\lsass.exe
Process ID :            200 (Heximal) 512 (Decimal)

Connection origin :      remote initiated
Protocol :            UDP
Local Address :       207.136.232.33
Local Port :            500 (ISAKMP - Internet Security Association and Key Management/IPSEC Key Exchange)
Remote Name :                  
Remote Address :      63.236.3.19
Remote Port :            134

Ethernet packet details:
Ethernet II (Packet Length: 225)
      Destination:       02-08-a1-01-33-7f
      Source:       02-60-58-24-0a-28
Type: IP (0x0800)
Internet Protocol
      Version: 4
      Header Length: 20 bytes
      Flags:
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
      Fragment offset:185
      Time to live: 52
      Protocol: 0x11 (UDP - User Datagram Protocol)
      Header checksum: 0x6c55 (Correct)
      Source: 63.236.3.19
      Destination: 207.136.232.33
User Datagram Protocol
      Source port: 134
      Destination port: 500
      Length: 8
      Checksum: 0x9924 (Incorrect - Checksum should be 0x7d83)
Data (37449 Bytes)

Binary dump of the packet:
0000:  02 08 A1 01 33 7F 02 60 : 58 24 0A 28 08 00 45 00 | ....3..`X$.(..E.
0010:  00 D3 35 4C 00 B9 34 11 : 55 6C 3F EC 03 13 CF 88 | ..5L..4.Ul?.....
0020:  E8 21 00 86 01 F4 92 49 : 24 99 20 98 FA A0 80 31 | .!.....I$. ....1
0030:  43 54 55 D1 34 BB DB 79 : 92 49 3A 3B 06 55 78 79 | CTU.4..y.I:;.Uxy
0040:  BB 5F 78 A4 22 34 4C AF : C5 FD 34 3E 7F 4D 05 25 | ._x."4L...4>.M.%
0050:  8D 31 0B 12 04 16 11 71 : F7 9F 54 A7 AD 9D E3 E0 | .1.....q..T.....
0060:  ED E8 45 29 7C 16 D3 3A : 9D 1A 80 8D DF 0F 5B 13 | ..E)|..:......[.
0070:  BA 5A 0D 05 66 97 E5 85 : 63 DB A8 E3 42 D6 03 5B | .Z..f...c...B..[
0080:  14 36 0C 10 C4 9A 12 90 : EB 15 91 4B C7 BA DD A8 | .6.........K....
0090:  F4 90 88 29 36 BF 04 41 : 49 B5 FA AB 88 BF AF DD | ...)6..AI.......
00A0:  2E 96 A6 DF 94 2D 71 82 : 18 C8 21 9C 7C 46 DF 4A | .....-q...!.|F.J
00B0:  4D 0B 03 4A D2 DA D9 64 : 0C 6D C1 BA BD 05 9F 04 | M..J...d.m......
00C0:  40 00 00 B7 BD 6C 4F 2E : 52 6D F6 F7 E6 08 02 E6 | @....lO.Rm......
00D0:  EC AF DE C9 69 BD B3 0C : 1A E6 5B 11 B6 92 A0 22 | ....i.....[...."
00E0:  54                      :                         | T              
0
Comment
Question by:dan_allen_dot_com
  • 2
  • 2
8 Comments
 
LVL 7

Expert Comment

by:Robing66066
ID: 9900769
Port 500 is used for VPN.  Unless you are doing VPN, you don't need to allow that traffic.
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 30 total points
ID: 9902088
You're not alone:
http://isc.incidents.org/port_details.html?port=500
This port might be used by vulnerability CAN-2003-0108 (affects tcpdump) and CAN-2002-1103 (affects the Cisco VPN concentrator)

There seems to be increasing scanning in this port (as described in http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00374.html) which might be related to the release of a new tool (ike-scan, see http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00354.html)
see also
http://www.kb.cert.org/vuls/id/761651
http://www.kb.cert.org/vuls/id/677337
http://www.kb.cert.org/vuls/id/287771
0
 

Author Comment

by:dan_allen_dot_com
ID: 9916194
Thank you chicagoan.

I don't really understand what this is about yet though.  Is someone trying to do something malicious to my machine?  What would happen if I allowed this traffic and the attacker was successful?

0
 
LVL 7

Expert Comment

by:Robing66066
ID: 9916251
If you are running a VPN device or software, then you might be at risk.  Check the articles that Chicagoan mentioned.  If you're not, you are likely not at risk.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9916419
>I don't really understand what this is about yet though.
THese are people (or zombie machines) probing for a vulnerability.

> Is someone trying to do something malicious to my machine?  
Yes

>What would happen if I allowed this traffic and the attacker was successful?
THis particular probe reboots a Cisco Remote Access Concentrator, a device that allows remote workers to access their corporate network through a VPN, as you likely don't have one of these, it would just be shrugged off.
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco 2960 PACL 9 95
AD self service password reset -  how do they work? 4 85
2 routers, one cable modem 10 86
How can I know if to trust a tool offered on a site 6 88
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now