I just got the following alert in my firewall:-

From: host217-43-126-184.range217-43.btcentralplus.com
IP: 217.43.126.184
Port: 500

To program: Isass.exe
Description: LSA Shell (Export Version)

Haven't had this one before. The firewall info on this is unhelpful (what else).

Anybody know whether this was actually legitimate or not?
(I refused the request).

What does port 500 get used for anyway?
All I could find were cryptic reference to "ISAKMP, pluto".

Many thanks.

Re: Firewall alert ... is it a problem????? by relic

relic
Mon Jun 28 18:03:11 CDT 2004

Richard White wrote:
> I just got the following alert in my firewall:-
>
> From: host217-43-126-184.range217-43.btcentralplus.com
> IP: 217.43.126.184
> Port: 500
>
> To program: Isass.exe
> Description: LSA Shell (Export Version)
>
> Haven't had this one before. The firewall info on this is unhelpful
> (what else).
>
> Anybody know whether this was actually legitimate or not?
> (I refused the request).
>
> What does port 500 get used for anyway?
> All I could find were cryptic reference to "ISAKMP, pluto".

Probably:
http://www.google.com/search?hl=en&ie=UTF-8&q=sasser+worm

--
- relic -
Don't take life too seriously, You won't get out alive.


Re: Firewall alert ... is it a problem????? by g-w

g-w
Mon Jun 28 18:29:36 CDT 2004

Richard White wrote:
> I just got the following alert in my firewall:-
>
> From: host217-43-126-184.range217-43.btcentralplus.com
> IP: 217.43.126.184
> Port: 500
>
> To program: Isass.exe
> Description: LSA Shell (Export Version)
>
> Haven't had this one before. The firewall info on this is unhelpful (what else).
>
> Anybody know whether this was actually legitimate or not?
> (I refused the request).
>
> What does port 500 get used for anyway?
> All I could find were cryptic reference to "ISAKMP, pluto".
>
> Many thanks.
>
>

If it was "blocked" then why worry. Sasser and other worms target a
variety of ports but if the attempt was blocked you have no problem.

g-w

Firewall alert ... is it a problem????? by anonymous

anonymous
Mon Jun 28 20:18:49 CDT 2004

Process File: isass or isass.exe
Process Name: isass
Description: Virus added to the system as a result of
variant of the OPTIX PRO TROJAN that opens TCP port 3410
and allows a hacker to control an infected computer.
Company: N/A
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes

>-----Original Message-----
>I just got the following alert in my firewall:-
>
>From: host217-43-126-184.range217-43.btcentralplus.com
> IP: 217.43.126.184
> Port: 500
>
>To program: Isass.exe
> Description: LSA Shell (Export Version)
>
>Haven't had this one before. The firewall info on this is unhelpful (what else).
>
>Anybody know whether this was actually legitimate or not?
>(I refused the request).
>
>What does port 500 get used for anyway?
>All I could find were cryptic reference to "ISAKMP, pluto".
>
>Many thanks.
>
>
>.
>

Re: Firewall alert ... is it a problem????? by DMan

DMan
Mon Jun 28 20:46:10 CDT 2004

g-w <zz@nospam.com> scribbled some garbage about a problem in
news:AR1Ec.156020$Gx4.39957@bgtnsc04-news.ops.worldnet.att.net: and Dman
answered with his usually drivel in the following manner!

> Richard White wrote:
>> I just got the following alert in my firewall:-
>>
>> From: host217-43-126-184.range217-43.btcentralplus.com
>> IP: 217.43.126.184
>> Port: 500
>>
>> To program: Isass.exe
>> Description: LSA Shell (Export Version)
>>
>> Haven't had this one before. The firewall info on this is unhelpful
>> (what else).
>>
>> Anybody know whether this was actually legitimate or not?
>> (I refused the request).
>>
>> What does port 500 get used for anyway?
>> All I could find were cryptic reference to "ISAKMP, pluto".
>>
>> Many thanks.
>>
>>
>
> If it was "blocked" then why worry. Sasser and other worms target a
> variety of ports but if the attempt was blocked you have no problem.
>
> g-w
>

DUH! because you have the worm in the first PLACE would be reason to
worry...one vulnerability usually means there are more...

--
( ,&&&.
) .,.&&
( ( \=__/
) ,'-'.
( ( ,, _.__|/ /|
) /\ -((------((_|___/ |
( // | (`' (( `'--|
_ -.;_/ \\--._ \\ \-._/.
(_;-// | \ \-'.\ <_,\_\`--'|
( `.__ _ ___,') <_,-'__,'
`'(_ )_)(_)_)'

RE: Firewall alert ... is it a problem????? by wguimb

wguimb
Mon Jun 28 22:45:02 CDT 2004

lsass.exe is from Microsoft and is called Local Security Authority Service, which handles logon requests. It is not a virus, trojan, worm, spyware, adware or anything malicious unless it was compromised by other malicious code, which would mean you are running your local account with Administrator rights or as "the" Administrator. Not a safe thing to do.

It was most likely invoked in response to an inbound VPN request to login using IPSec UDP port 500. You may have seen other ports or protocols attempting IKEKMP and encryption (protocol 50 and protocol 51) in the firewall log as well.

"anonymous" wrote:

> Process File: isass or isass.exe
> Process Name: isass
> Description: Virus added to the system as a result of
> variant of the OPTIX PRO TROJAN that opens TCP port 3410
> and allows a hacker to control an infected computer.
> Company: N/A
> System Process: No
> Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
>
> >-----Original Message-----
> >I just got the following alert in my firewall:-
> >
> >From: host217-43-126-184.range217-43.btcentralplus.com
> > IP: 217.43.126.184
> > Port: 500
> >
> >To program: Isass.exe
> > Description: LSA Shell (Export Version)
> >
> >Haven't had this one before. The firewall info on this is unhelpful (what else).
> >
> >Anybody know whether this was actually legitimate or not?
> >(I refused the request).
> >
> >What does port 500 get used for anyway?
> >All I could find were cryptic reference to "ISAKMP, pluto".
> >
> >Many thanks.
> >
> >
> >.
> >
>
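Added example (not part of the thread or any poster's code): a minimal check of whether a datagram arriving on UDP port 500 carries a plausible IKEv1/ISAKMP header, using the 28-byte fixed header layout from RFC 2408. The sample datagrams are constructed, and the plausibility rules are a heuristic assumed for this example, not a full IKE parser.

```python
import struct

# ISAKMP fixed header, RFC 2408 section 3.1 (28 bytes, network byte order):
# initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
}

def parse_isakmp(datagram):
    """Return header fields plus a plausibility verdict, or None if too short."""
    if len(datagram) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, _next, version, xchg, flags, msg_id, length = \
        ISAKMP_HDR.unpack_from(datagram)
    major, minor = version >> 4, version & 0x0F
    # Heuristic (assumption of this example): IKEv1, non-zero initiator
    # cookie, known exchange type, and a length field matching the datagram.
    plausible = (
        (major, minor) == (1, 0)
        and icookie != bytes(8)
        and xchg in EXCHANGE_TYPES
        and length == len(datagram)
    )
    return {
        "version": f"{major}.{minor}",
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
        "encrypted": bool(flags & 0x01),
        # Zero responder cookie and message ID: first packet from an initiator.
        "new_negotiation": rcookie == bytes(8) and msg_id == 0,
        "plausible": plausible,
    }

# Constructed sample: opening Main Mode packet with 20 filler payload bytes.
_BODY = bytes(20)
SAMPLE_IKE = ISAKMP_HDR.pack(bytes.fromhex("1122334455667788"), bytes(8),
                             1, 0x10, 2, 0, 0, ISAKMP_HDR.size + len(_BODY)) + _BODY
# Constructed sample: 40 zero bytes sent to the same port, not IKE.
SAMPLE_JUNK = bytes(40)

if __name__ == "__main__":
    for name, pkt in (("ike", SAMPLE_IKE), ("junk", SAMPLE_JUNK)):
        print(name, parse_isakmp(pkt))
```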

RE: Firewall alert ... is it a problem????? by anonymous

anonymous
Mon Jun 28 23:33:21 CDT 2004

Yes, lsass.exe is from Microsoft, but read closely:
original poster typed in "Isass.exe" (capital I, not small
L) which is "isass.exe," the malicious one. I don't know
if the original poster meant lsass.exe, or isass.exe in
typing Isass.exe, but I copy and pasted it and it
was "isass.exe", get it?

Hopefully, he comes back to clear the confusion so he will
indeed know if he has something to worry about or not.

>-----Original Message-----
>lsass.exe is from Microsoft and is called Local Security Authority Service, which handles logon requests. It is not a virus, trojan, worm, spyware, adware or anything malicious unless it was compromised by other malicious code, which would mean you are running your local account with Administrator rights or as "the" Administrator. Not a safe thing to do.
>
>It was most likely invoked in response to an inbound VPN request to login using IPSec UDP port 500. You may have seen other ports or protocols attempting IKEKMP and encryption (protocol 50 and protocol 51) in the firewall log as well.
>
>"anonymous" wrote:
>
>> Process File: isass or isass.exe
>> Process Name: isass
>> Description: Virus added to the system as a result of
>> variant of the OPTIX PRO TROJAN that opens TCP port 3410
>> and allows a hacker to control an infected computer.
>> Company: N/A
>> System Process: No
>> Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
>>
>> >-----Original Message-----
>> >I just got the following alert in my firewall:-
>> >
>> >From: host217-43-126-184.range217-43.btcentralplus.com
>> > IP: 217.43.126.184
>> > Port: 500
>> >
>> >To program: Isass.exe
>> > Description: LSA Shell (Export Version)
>> >
>> >Haven't had this one before. The firewall info on this is unhelpful (what else).
>> >
>> >Anybody know whether this was actually legitimate or not?
>> >(I refused the request).
>> >
>> >What does port 500 get used for anyway?
>> >All I could find were cryptic reference to "ISAKMP, pluto".
>> >
>> >Many thanks.
>> >
>> >
>> >.
>> >
>>
>.
>
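Added example (not part of the thread or any poster's code): the capital-I versus lowercase-L confusion discussed above, turned into a check that flags process names imitating a system binary either by lookalike glyphs or by a one-character difference. The watch list, the confusable-character table and the sample names are assumptions constructed for this example.

```python
import unicodedata

# Assumed watch list of Windows system binaries (chosen for this example).
PROTECTED = {"lsass.exe", "svchost.exe", "csrss.exe", "services.exe", "winlogon.exe"}

# Glyphs that render like another character in many UI fonts.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})

def skeleton(name):
    # Fold confusables before lowercasing: capital I imitates l, lowercase i does not.
    return unicodedata.normalize("NFKC", name).translate(CONFUSABLE).lower()

def edit_distance(a, b):
    # Plain Levenshtein distance, one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name):
    """Return (verdict, matched system binary or None) for a process file name."""
    lowered = name.lower()  # Windows file names are case-insensitive
    if lowered in PROTECTED:
        # Only the spelling matches; path and signature need a separate check.
        return ("genuine-name", lowered)
    skel = skeleton(name)
    for target in sorted(PROTECTED):
        if skel == skeleton(target):
            return ("lookalike", target)   # reads the same on screen
    for target in sorted(PROTECTED):
        if edit_distance(lowered, target) == 1:
            return ("near-miss", target)   # one character away on disk
    return ("unrelated", None)

# Constructed sample: names as a firewall prompt might display them.
SAMPLE = ["lsass.exe", "Isass.exe", "isass.exe", "svch0st.exe", "notepad.exe"]

if __name__ == "__main__":
    for n in SAMPLE:
        print(f"{n:14} {classify(n)}")
```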

Re: Firewall alert ... is it a problem????? by anonymous

anonymous
Mon Jun 28 23:46:50 CDT 2004

I agree with you! "If it was 'blocked' then why worry.
Sasser and other worms target a variety of ports but if
the attempt was blocked you have no problem."

Lousy advice.

>-----Original Message-----
>g-w <zz@nospam.com> scribbled some garbage about a problem in
>news:AR1Ec.156020$Gx4.39957@bgtnsc04-news.ops.worldnet.att.net: and Dman
>answered with his usually drivel in the following manner!
>
>> Richard White wrote:
>>> I just got the following alert in my firewall:-
>>>
>>> From: host217-43-126-184.range217-43.btcentralplus.com
>>> IP: 217.43.126.184
>>> Port: 500
>>>
>>> To program: Isass.exe
>>> Description: LSA Shell (Export Version)
>>>
>>> Haven't had this one before. The firewall info on this is unhelpful
>>> (what else).
>>>
>>> Anybody know whether this was actually legitimate or not?
>>> (I refused the request).
>>>
>>> What does port 500 get used for anyway?
>>> All I could find were cryptic reference to "ISAKMP, pluto".
>>>
>>> Many thanks.
>>>
>>>
>>
>> If it was "blocked" then why worry. Sasser and other worms target a
>> variety of ports but if the attempt was blocked you have no problem.
>>
>> g-w
>>
>
>DUH! because you have the worm in the first PLACE would be reason to
>worry...one vulnerability usually means there are more...
>
>--
> ( ,&&&.
> ) .,.&&
> ( ( \=__/
> ) ,'-'.
> ( ( ,, _.__|/ /|
> ) /\ -((------((_|___/ |
> ( // | (`' (( `'--|
> _ -.;_/ \\--._ \\ \-._/.
> (_;-// | \ \-'.\ <_,\_\`--'|
> ( `.__ _ ___,') <_,-'__,'
> `'(_ )_)(_)_)'
>.
>

Re: Firewall alert ... is it a problem????? by N

N
Tue Jun 29 14:26:16 CDT 2004

In article <Xns9516D591BFEDADMan@205.188.138.161>, DMan says...

> DUH! because you have the worm in the first PLACE would be reason to
> worry...one vulnerability usually means there are more...

And MSFT software is riddled with them...vulnerabilities, that is.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint