
unusual port 500 IPSEC traffic

drake100 asked:
Greetings,

I have 2 Windows XP machines (Professional, SP3, all patched up, IE8, on a 2003 AD domain) for which the firewall logs show a couple of attempts to connect on UDP port 500 to every website the browser visits. The only problem I see this causes is that it slows down the initial loading of a page. If I stop IPSEC Services, the problem stops. I have run several types of AV scans and compared the config to several machines that do not have the problem, and I can find nothing unusual. These machines are always on the inside and there are no VPNs in use.

I know this must be obvious, but I sure can't see it.  Any help would be appreciated.

mike

Commented:
UDP Port 500 Uses

I would be concerned with this type of behaviour.  It is not the type of behaviour that would be expected from a browser.  The fact that it is going to port 500 on every website you visit seems to indicate that it is attempting to find a VPN connection to a compromised webserver.  

It would seem that you have a trojan despite your avscans.  Particularly if you have other identical configurations that do not show this behaviour.
Commented:
Found it. Both computers had Pelco DX8000 security camera software loaded on them at one time. Although the software had been "uninstalled", there was still a widgy called "DX8000 IPSec Policy" that, when disabled, stops the port 500 traffic. I knew it was right in front of me; a good night's sleep and it jumped out at me!
I could have easily re-imaged these machines, but it puts my mind at ease knowing the cause. Sweetfa2, thank you for your comment and quick post.

Author

Commented:
self solved
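The symptom described in this thread can be checked from firewall logs. The following is an added example, not part of the original posts: it flags internal hosts whose UDP port 500 (IKE) destinations are the same addresses they browse to over TCP 80/443. The log line format, the sample addresses, the function name `ike_following_web` and the `min_sites` threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (format is an assumption, not from the thread).
SAMPLE_LOG = """\
2010-03-01 09:00:01 ALLOW TCP 10.0.0.21:1501 -> 203.0.113.10:80
2010-03-01 09:00:01 DROP UDP 10.0.0.21:500 -> 203.0.113.10:500
2010-03-01 09:00:02 DROP UDP 10.0.0.21:500 -> 203.0.113.10:500
2010-03-01 09:00:09 ALLOW TCP 10.0.0.21:1502 -> 198.51.100.7:443
2010-03-01 09:00:09 DROP UDP 10.0.0.21:500 -> 198.51.100.7:500
2010-03-01 09:00:15 ALLOW TCP 10.0.0.21:1503 -> 192.0.2.44:80
2010-03-01 09:00:15 DROP UDP 10.0.0.21:500 -> 192.0.2.44:500
2010-03-01 09:01:00 ALLOW TCP 10.0.0.22:1610 -> 203.0.113.10:80
2010-03-01 09:01:05 ALLOW UDP 10.0.0.30:500 -> 192.0.2.200:500
"""

LINE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def ike_following_web(log_text, min_sites=3):
    """Return {src: sorted dsts} for hosts whose UDP/500 destinations are also
    their HTTP/HTTPS destinations, for at least min_sites distinct addresses."""
    web = defaultdict(set)   # src -> destinations reached on TCP 80/443
    ike = defaultdict(set)   # src -> destinations tried on UDP 500
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        key = (m["proto"], m["dport"])
        if key in (("TCP", "80"), ("TCP", "443")):
            web[m["src"]].add(m["dst"])
        elif key == ("UDP", "500"):
            ike[m["src"]].add(m["dst"])
    flagged = {}
    for src, dsts in ike.items():
        overlap = dsts & web[src]
        if len(overlap) >= min_sites:
            flagged[src] = sorted(overlap)
    return flagged

if __name__ == "__main__":
    for host, sites in ike_following_web(SAMPLE_LOG).items():
        print(f"{host}: IKE attempts to {len(sites)} web destinations: {sites}")
```

A host that sends IKE only to a fixed VPN endpoint (10.0.0.30 in the constructed sample) is not flagged, because its UDP 500 destinations do not track its web destinations.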