Mariner
Site Moderator
Premium Member
Joined: Aug 25, 2003
Posts: 1897
Posted: Sun Jan 18, 2004 11:43 am Post subject: The Real Deal?
Within minutes of logging on today, my firewall alerted me to the fact that a genuine(?) Microsoft program, or part thereof, was attempting to make an inbound connection, details as follows:
Time 14.59
Date 18/01/2004
Program C:\WINDOWS\System32\lsass.exe
Protocol UDP (inbound)
Remote Address 217.16.64.207: 65336
Local Address All local network adapters : isakmp (500)
My suspicions aroused, I denied access, then traced the connection, it coming from a dialup connection in Macedonia. Details below.
inetnum: 217.16.64.0 - 217.16.79.255
netname: MK-ONNET
descr: Provider
descr: MACEDONIA
country: MK
admin-c: PTC
tech-c: GGON-RIPE
tech-c: RK5232-RIPE
tech-c: GS1763-RIPE
status: ASSIGNED PA
notify:
notify:
notify:
notify:
mnt-by: ON-MNT
changed: 20011106
changed: 20040108
source: RIPE
Can anyone here shed any light on this incident and tell me what C:\WINDOWS\System32\lsass.exe is, please?
I may appear paranoid, but when, if at all, did MS start trying to connect using dialup from Macedonia?
Is this yet another hijack attempt or what?
Sorry for all the questions but this just does not seem right to me. Apologies if I've posted in the wrong forum but to me, it's a security issue.
tia
Last edited by Mariner on Tue Jan 20, 2004 6:29 am, edited 1 time in total
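The alert quoted above is a good candidate for scripted triage rather than eyeballing. The following Python is an added example, not code from the thread or from any firewall vendor: it parses the alert fields as the firewall printed them, checks the remote address against the RIPE inetnum line from the whois record, and classifies the listener. The one fact it relies on is that on Windows 2000/XP the IKE (ISAKMP) service of the built-in IPsec stack runs inside lsass.exe and listens on UDP 500, so lsass.exe itself being the target is expected; what matters is whether the remote host is a configured IPsec peer. The `expected_peers` list (empty here, i.e. no IPsec peers configured) and the verdict rule are assumptions.

```python
"""Triage an inbound firewall alert of the kind quoted in the post above.

Added example, not from the thread. The alert text and the RIPE inetnum
line are copied from the post; the triage rule is an assumption.
"""
import ipaddress
import re

# Alert text as quoted in the post (field names are the firewall's own).
ALERT = """Time 14.59
Date 18/01/2004
Program C:\\WINDOWS\\System32\\lsass.exe
Protocol UDP (inbound)
Remote Address 217.16.64.207: 65336
Local Address All local network adapters : isakmp (500)"""

# First line of the RIPE whois record quoted in the post.
WHOIS_INETNUM = "inetnum: 217.16.64.0 - 217.16.79.255"

# Field labels the firewall uses; some are two words, so match by prefix.
KEYS = ("Time", "Date", "Program", "Protocol", "Remote Address", "Local Address")

# Listeners lsass.exe legitimately owns on Windows 2000/XP.
# UDP 500 is IKE/ISAKMP, used by the built-in IPsec service.
LSASS_LISTENERS = {("udp", 500): "IKE/ISAKMP (Windows IPsec service)"}


def parse_alert(text):
    """Split the alert into fields and pull out protocol, ports and addresses."""
    fields = {}
    for line in text.splitlines():
        for key in KEYS:
            if line.startswith(key + " "):
                fields[key] = line[len(key) + 1:].strip()
                break
    proto, direction = re.match(r"(\w+)\s*\((\w+)\)", fields["Protocol"]).groups()
    rhost, rport = re.match(r"([\d.]+)\s*:\s*(\d+)", fields["Remote Address"]).groups()
    lport = re.search(r"\((\d+)\)", fields["Local Address"]).group(1)
    return {
        "program": fields["Program"].rsplit("\\", 1)[-1].lower(),
        "proto": proto.lower(),
        "direction": direction.lower(),
        "remote_ip": ipaddress.ip_address(rhost),
        "remote_port": int(rport),
        "local_port": int(lport),
    }


def inetnum_range(line):
    """Parse a RIPE 'inetnum: a.b.c.d - w.x.y.z' line into (first, last)."""
    first, last = re.search(r"([\d.]+)\s*-\s*([\d.]+)", line).groups()
    return ipaddress.ip_address(first), ipaddress.ip_address(last)


def triage(alert_text, inetnum_line, expected_peers=()):
    """Classify the listener and decide whether the inbound packet should be allowed.

    expected_peers: CIDR strings of hosts this machine is configured to talk
    IPsec with (assumption: none, which is the usual home-PC case).
    """
    a = parse_alert(alert_text)
    service = None
    if a["program"] == "lsass.exe":
        service = LSASS_LISTENERS.get((a["proto"], a["local_port"]))
    known_peer = any(a["remote_ip"] in ipaddress.ip_network(p) for p in expected_peers)
    first, last = inetnum_range(inetnum_line)
    if service and known_peer:
        verdict, reason = "allow", "expected IPsec peer"
    elif service:
        verdict, reason = "deny", "lsass.exe is a legitimate listener, but the remote host is not a configured IPsec peer"
    else:
        verdict, reason = "deny", "unrecognised listener for this program"
    return {
        "service": service or "unknown listener",
        "direction": a["direction"],
        "remote_in_whois_block": first <= a["remote_ip"] <= last,
        "verdict": verdict,
        "reason": reason,
    }


if __name__ == "__main__":
    for k, v in triage(ALERT, WHOIS_INETNUM).items():
        print(f"{k}: {v}")
```

The outcome matches what the firewall did: the target process is a legitimate Windows component, the source sits inside the Macedonian dialup block from the whois record, and with no IPsec peers configured there is no reason to accept unsolicited IKE from it, so the packet is denied.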
SilentSeven
Lieutenant
Joined: Jan 13, 2004
Posts: 160
Location: USA
Posted: Sun Jan 18, 2004 8:35 pm Post subject:
Hi Mariner,
I don't know the answers to all your questions, but lsass.exe (according to Pacman's Startup List) is a virus. (I also have lsass.exe running on my computer.)
However, a program (What's Happening Here) I have that tells me what the processes are that are running on my system says lsass.exe is a Microsoft Corp. Windows Operating System.
I tried to terminate lsass.exe from Alt+Ctrl+Del, but it says it is a critical system process and cannot end this process.
So I'm not quite sure what it is, but hopefully someone else will, because I'd like to know also.
You can visit this site, to download a program, that tells you what the processes are that are running on your machine, here:
http://www.turboware.com/WhatsHappening.htm
And Pacman's Startup guide is here: (Information on lsass.exe)
http://www.sysinfo.org/startuplist.php?...unt=&type=
*smiles*
_________________
*~Silent~S.E.V.E.N~*
Mariner
Site Moderator
Premium Member
Joined: Aug 25, 2003
Posts: 1897
Posted: Mon Jan 19, 2004 11:25 am Post subject:
Thanks, SilentSeven. Have mailed MS with this - personal details removed.
Hopefully, this will yield a result.
SilentSeven
Lieutenant
Joined: Jan 13, 2004
Posts: 160
Location: USA
Posted: Mon Jan 19, 2004 12:05 pm Post subject:
Hey,
Yea, sounds good, please post the results!
Thanks.
*smiles*
_________________
*~Silent~S.E.V.E.N~*
mariner
Guest
Posted: Mon Jan 19, 2004 1:02 pm Post subject:
Initially used 'phone support. Did not yield much, other than MS do not route through Macedonia using dialup. They (MS) didn't really appear too concerned. "Your problem, mate". Thanks, MS.
Bill-on-the-Hill got too much cash and not enough interest. Couple a Laws 66mm would rock him... not that I should... I'm a very bad person just for thinking such a thing....
SilentSeven
Lieutenant
Joined: Jan 13, 2004
Posts: 160
Location: USA
Posted: Mon Jan 19, 2004 1:23 pm Post subject: RATS ;)
Hey,
lol
hmmmmmmm , rats
I use Zone Alarm for a firewall, and they have a geo mapping thingy that traces the IP address to the user's PC location.
I think it is different than the ARIN WHOIS info because it shows a different location than the WHOIS database.
But Zone Alarm doesn't allow the user to put an IP address in; it only lets you trace the connections that were attempted on your computer.
I was looking for a different way to trace it, because I can't trace it with Zone Alarm, because I did not receive the connection, so I'll let you know if I come up with anything.
I'm going to try and contact Zone Alarm and see if they can get a mapping on it.
(Correct me if I'm wrong.) I'm not sure, but I think the ARIN WHOIS information is a trace on the user's ISP (example: the ISP is in Macedonia?) but the geo map traces directly to the user's house. (I think.)
I don't know for sure though.
TTYL
*smiles*
_________________
*~Silent~S.E.V.E.N~*
k027
1st Responder
Joined: Aug 25, 2003
Posts: 1189
Location: USA
Posted: Mon Jan 19, 2004 2:28 pm Post subject:
The best you can do with those tools is trace back to a server, either the originator's ISP or perhaps an "anonymous" proxy server. You would then have to contact the owner of the server to find out who was assigned the IP at the time of the event.
SilentSeven
Lieutenant
Joined: Jan 13, 2004
Posts: 160
Location: USA
Posted: Mon Jan 19, 2004 8:04 pm Post subject: Thanks.
Hey,
Thank you for the info k027.
However, Mariner, the Zone Alarm Lab may take a day to reply to my email.
I did find this site which allows you to submit suspicious hacker-related things.
Check it out:
http://www.dshield.org/
Try and see if you can post it there; I think they will investigate for free and get all the info you need about it.
Hope it works!
I'll post when I get the email back.
*smiles*
_________________
*~Silent~S.E.V.E.N~*
Mariner
Site Moderator
Premium Member
Joined: Aug 25, 2003
Posts: 1897
Posted: Tue Jan 20, 2004 7:18 am Post subject:
This is what it is and is legit, but it is not accessed by MS through a dialup connection. Can only surmise that it was carrying "something extra" in view of the attempted means of entry.
C:\WINDOWS\system32\lsass.exe
lsass - lsass.exe - Process Information
Process File: lsass or lsass.exe
Process Name: Local Security Authority Service
Description: The Windows Local Security Authority Server Process Handles Windows Security Mechanisms. It verifies the validity of user logons to your PC/Server. Technically it generates the process that is responsible for authenticating users for the Winlogon service.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A
Had e-mail from MS generated by autoresponder promising a personal response. Still awaiting this.
SilentSeven
Lieutenant
Joined: Jan 13, 2004
Posts: 160
Location: USA
Posted: Tue Jan 20, 2004 10:47 am Post subject: Finally
Hey Mariner,
Yea that looks right.
Just curious, what program source did that info come from? (Not that it doesn't look right, just wondering, in case we have another problem like that.)
Glad you got that figured out.
If you could post that MS response you're waiting for, I'd appreciate it.
I'll post the response from Zone Alarm. (When I get it.)
*smiles*
_________________
*~Silent~S.E.V.E.N~*
Mariner
Site Moderator
Premium Member
Joined: Aug 25, 2003
Posts: 1897
Posted: Tue Jan 20, 2004 8:55 pm Post subject:
Will dig out source later and post MS response when received.
SilentSeven
Lieutenant
Joined: Jan 13, 2004
Posts: 160
Location: USA
Posted: Tue Jan 20, 2004 8:59 pm Post subject:
Thank you, Mariner.
I still haven't heard from Zone Alarm, but I will post when I do.
*smiles*
_________________
*~Silent~S.E.V.E.N~*
SilentSeven
Lieutenant
Joined: Jan 13, 2004
Posts: 160
Location: USA
Posted: Thu Jan 22, 2004 2:00 pm Post subject:
Hello Mariner,
I got a reply from Zone Alarm today, but they were not at all helpful.
The person who replied must not have known what he was talking about, because he said he's never heard of geo mapping. (Yet it is right on their site.) And he closed the case.
So I guess it's kind of in the air.
Well TTYL.
*smiles*
_________________
*~Silent~S.E.V.E.N~*
Mariner
Site Moderator
Premium Member
Joined: Aug 25, 2003
Posts: 1897
Posted: Thu Jan 22, 2004 7:21 pm Post subject:
Still awaiting reply from MS. Have not yet dug out source, been bogged down with another matter. Will do though.
SilentSeven
Lieutenant
Joined: Jan 13, 2004
Posts: 160
Location: USA
Posted: Thu Jan 22, 2004 7:25 pm Post subject:
Ok Mariner
Thanks
*smiles*
_________________
*~Silent~S.E.V.E.N~*
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops