Security issue

ronorono Member Posts: 121 ■■■□□□□□□□
My firewall picked up something coming into my computer. I am trying to find out what it is, and whether it is an attempted hack on my system.

Here is the info given by my firewall.... I want to know what is going on with this, and whether I should allow this network traffic onto my system:


File Version : 5.1.2600.1106 (xpsp1.020828-1920)
File Description : LSA Shell (Export Version)
File Path : C:\WINDOWS\system32\lsass.exe
Process ID : 200 (Heximal) 512 (Decimal)

Connection origin : remote initiated
Protocol : UDP
Local Address : 207.136.232.33
Local Port : 500 (ISAKMP - Internet Security Association and Key Management/IPSEC Key Exchange)
Remote Name :
Remote Address : 63.236.3.19
Remote Port : 134

Ethernet packet details:
Ethernet II (Packet Length: 225)
Destination: 02-08-a1-01-33-7f
Source: 02-60-58-24-0a-28
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:185
Time to live: 52
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0x6c55 (Correct)
Source: 63.236.3.19
Destination: 207.136.232.33
User Datagram Protocol
Source port: 134
Destination port: 500
Length: 8
Checksum: 0x9924 (Incorrect - Checksum should be 0x7d83)
Data (37449 Bytes)

Binary **** of the packet:
0000: 02 08 A1 01 33 7F 02 60 : 58 24 0A 28 08 00 45 00 | ....3..`X$.(..E.
0010: 00 D3 35 4C 00 B9 34 11 : 55 6C 3F EC 03 13 CF 88 | ..5L..4.Ul?.....
0020: E8 21 00 86 01 F4 92 49 : 24 99 20 98 FA A0 80 31 | .!.....I$. ....1
0030: 43 54 55 D1 34 BB DB 79 : 92 49 3A 3B 06 55 78 79 | CTU.4..y.I:;.Uxy
0040: BB 5F 78 A4 22 34 4C AF : C5 FD 34 3E 7F 4D 05 25 | ._x."4L...4>.M.%
0050: 8D 31 0B 12 04 16 11 71 : F7 9F 54 A7 AD 9D E3 E0 | .1.....q..T.....
0060: ED E8 45 29 7C 16 D3 3A : 9D 1A 80 8D DF 0F 5B 13 | ..E)|..:......[.
0070: BA 5A 0D 05 66 97 E5 85 : 63 DB A8 E3 42 D6 03 5B | .Z..f...c...B..[
0080: 14 36 0C 10 C4 9A 12 90 : EB 15 91 4B C7 BA DD A8 | .6.........K....
0090: F4 90 88 29 36 BF 04 41 : 49 B5 FA AB 88 BF AF DD | ...)6..AI.......
00A0: 2E 96 A6 DF 94 2D 71 82 : 18 C8 21 9C 7C 46 DF 4A | .....-q...!.|F.J
00B0: 4D 0B 03 4A D2 DA D9 64 : 0C 6D C1 BA BD 05 9F 04 | M..J...d.m......
00C0: 40 00 00 B7 BD 6C 4F 2E : 52 6D F6 F7 E6 08 02 E6 | @....lO.Rm......
00D0: EC AF DE C9 69 BD B3 0C : 1A E6 5B 11 B6 92 A0 22 | ....i.....[...."
00E0: 54 : | T


Running on XP Home, Sygate firewall....
Mess with the best,Die like the rest!
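To check what the firewall's summary actually says, here is an added Python example (not part of this post and not Sygate's code) that reads the hex dump above, decodes the Ethernet and IP headers, recomputes the IP header checksum, and only treats the next eight bytes as a UDP header when the fragment offset is zero (per RFC 791, only the first fragment of a datagram carries the transport header). The dump text is copied from the post; the function names and the dictionary layout are my own.

```python
import struct

# Hex dump copied from the firewall log in the post above (offset, hex bytes, ASCII column).
FIREWALL_DUMP = """\
0000: 02 08 A1 01 33 7F 02 60 : 58 24 0A 28 08 00 45 00 | ....3..`X$.(..E.
0010: 00 D3 35 4C 00 B9 34 11 : 55 6C 3F EC 03 13 CF 88 | ..5L..4.Ul?.....
0020: E8 21 00 86 01 F4 92 49 : 24 99 20 98 FA A0 80 31 | .!.....I$. ....1
0030: 43 54 55 D1 34 BB DB 79 : 92 49 3A 3B 06 55 78 79 | CTU.4..y.I:;.Uxy
0040: BB 5F 78 A4 22 34 4C AF : C5 FD 34 3E 7F 4D 05 25 | ._x."4L...4>.M.%
0050: 8D 31 0B 12 04 16 11 71 : F7 9F 54 A7 AD 9D E3 E0 | .1.....q..T.....
0060: ED E8 45 29 7C 16 D3 3A : 9D 1A 80 8D DF 0F 5B 13 | ..E)|..:......[.
0070: BA 5A 0D 05 66 97 E5 85 : 63 DB A8 E3 42 D6 03 5B | .Z..f...c...B..[
0080: 14 36 0C 10 C4 9A 12 90 : EB 15 91 4B C7 BA DD A8 | .6.........K....
0090: F4 90 88 29 36 BF 04 41 : 49 B5 FA AB 88 BF AF DD | ...)6..AI.......
00A0: 2E 96 A6 DF 94 2D 71 82 : 18 C8 21 9C 7C 46 DF 4A | .....-q...!.|F.J
00B0: 4D 0B 03 4A D2 DA D9 64 : 0C 6D C1 BA BD 05 9F 04 | M..J...d.m......
00C0: 40 00 00 B7 BD 6C 4F 2E : 52 6D F6 F7 E6 08 02 E6 | @....lO.Rm......
00D0: EC AF DE C9 69 BD B3 0C : 1A E6 5B 11 B6 92 A0 22 | ....i.....[...."
00E0: 54 : | T
"""


def parse_hex_dump(dump: str) -> bytes:
    """Turn an 'OFFSET: xx xx .. : xx xx | ascii' dump into raw frame bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        hex_part = line.split("|", 1)[0]          # drop the ASCII column
        hex_part = hex_part.partition(":")[2]     # drop the "0000:" offset
        for tok in hex_part.replace(":", " ").split():
            raw.append(int(tok, 16))
    return bytes(raw)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_header_checksum(header: bytes) -> int:
    """Checksum an IPv4 header as the sender does: checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def mac(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4; expose the transport header only if this is the first fragment."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, hdr_csum) = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF              # in 8-byte units
    payload = ip[ihl:total_len]
    info = {
        "eth": {"dst": mac(eth_dst), "src": mac(eth_src), "type": eth_type},
        "ip": {
            "version": ver_ihl >> 4,
            "header_length": ihl,
            "total_length": total_len,
            "id": ident,
            "dont_fragment": bool(flags_frag & 0x4000),
            "more_fragments": bool(flags_frag & 0x2000),
            "fragment_offset": frag_offset,
            "ttl": ttl,
            "protocol": proto,
            # Network byte order: 55 6C -> 0x556C. The firewall printed 0x6c55,
            # i.e. the same two bytes in the opposite order.
            "checksum": hdr_csum,
            "checksum_ok": ip_header_checksum(ip[:ihl]) == hdr_csum,
            "src": ".".join(str(b) for b in ip[12:16]),
            "dst": ".".join(str(b) for b in ip[16:20]),
        },
        "udp": None,                 # real UDP header, if this fragment carries one
        "payload_read_as_udp": None, # what a tool gets if it ignores the fragment offset
    }
    fields = dict(zip(("src_port", "dst_port", "length", "checksum"),
                      struct.unpack("!HHHH", payload[:8])))
    if proto == 17 and frag_offset == 0:
        info["udp"] = fields
    else:
        info["payload_read_as_udp"] = fields
    return info


if __name__ == "__main__":
    info = decode_frame(parse_hex_dump(FIREWALL_DUMP))
    for key, value in info["ip"].items():
        print(f"ip.{key:16} {value}")
    if info["udp"] is None:
        print("fragment offset != 0: the bytes after the IP header are mid-datagram "
              "payload, not a UDP header, so these 'ports' are not meaningful:")
    print(info["udp"] or info["payload_read_as_udp"])
```

On this dump the IP header checksum verifies, the fragment offset is 185 (byte 1480 of the original datagram) with MF clear, so this is the last piece of a larger fragmented datagram; the "source port 134 / destination port 500 / length 37449" triple the firewall reported is just the first eight payload bytes of that fragment, which is why the UDP length looks absurd next to a 225-byte frame.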

Comments

    /usr/usr Member Posts: 1,768
    "The Sasser worm is the most recent, and one of the most virulent, viruses to impact Windows based systems. Unlike previous outbreaks, Sasser doesn't even need you to use email or, for that matter, even be at your machine, to infect your computer and continue spreading. It exploits a recently patched vulnerability in something called LSASS.EXE."

    Taken from http://ask-leo.com/archives/000114.html


    In short, I would say no, but let someone else give you an answer as well.
    RussSRussS Member Posts: 2,068 ■■■□□□□□□□
    The valid Microsoft Lsass.exe file is present only in Windows NT4/2k/XP/2003 ... it is the Local Security Authentication Server, and verifies user logons.

    The proper path of this executable is C:\WinNT\System32\LSASS.exe (Win2k) or C:\Windows\System32\LSASS.exe (XP/2003). It is an essential piece of your OS ... leave it alone.

    If the path is anything other than above ... you may have a virus.

    If you have Lsasss.exe (note the mis-spelling), you have the W32.Sasser.E.Worm.

    As for Lsass.exe, if the full path is not C:\WinNT\System32\LSASS.exe (Win2k) or C:\Windows\System32\LSASS.exe (XP, 2003), then you have one of several viruses.


    Plan of attack
    1. Windows ME or XP - disable system restore.
    2. Run Online Scan - http://www.pandasoftware.com/activescan/
    http://housecall.trendmicro.com/
    3. Download removal tool for anything found @ http://www.bitdefender.com/html/free_tools.php
    4. Run Microsoft Updates and install critical patches


    www.supercross.com
    FIM website of the year 2007
    ronorono Member Posts: 121 ■■■□□□□□□□
    No sasser virus present on my pc!

    The strange thing is: who should log in? My PC is not in a network. I'm the only user on this PC. I connect to the Net, but the IP that I get in my firewall warning is not the one of my ISP?

    However, thank you, guys!
    Mess with the best,Die like the rest!
    seekseek Member Posts: 44 ■■□□□□□□□□
    Port 500 UDP.

    Someone trying to make an IPSec connection to you?


    Seek