Author Topic: NSA backdoor at port 1025 in CPF3? [Merged Threads]  (Read 11181 times)

Offline trash

  • Comodo Member
  • **
  • Posts: 32
NSA backdoor at port 1025 in CPF3? [Merged Threads]
« on: November 21, 2007, 08:35:58 AM »
First of all, sorry for my English!

I made a clean install: Windows XP x64 SP2, drivers (x64), NOD32 (x64), CFP3 (x64), Diskeeper 2k8 (x64), no other programs.

When I finished all the installs, I tested on grc.com (ShieldsUp!). It shows port 1025 is open (used by lsass.exe), port 1033 is closed (used by Diskeeper), other ports are stealth.

When I shut down the Diskeeper server, port 1033 is stealth.

What does lsass.exe do? How can I shut it down? In Task Manager I can't: "This is a critical system process. Task Manager cannot end this process."

I can't find it (hidden files are shown), but in CFP3 --> "View Active Connections" this is the path: c:\windows\system32\lsass.exe TCP, Listening: 1025, Bytes In 0 / Bytes Out 0

My internet connection is cable.

Thx!
« Last Edit: November 22, 2007, 04:26:36 PM by LeoniAquila »

Offline mindlessmissy

  • Comodo Member
  • **
  • Posts: 45
Re: [HELP] Port 1025 is open
« Reply #1 on: November 21, 2007, 10:15:04 AM »
Yes, Lsass is for the "Security Accounts Manager" - "The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled." - Microsoft.

Anyway, if it bothers you, you can disable it in the services snap-in in mmc... just type services.msc in the RUN window and scroll down to disable it. If other services depend on it, make sure you don't need them and disable them also. Restart for changes to occur.

After that, test to see if the port is still open...
« Last Edit: November 21, 2007, 10:21:01 AM by mindlessmissy »

Offline trash

  • Comodo Member
  • **
  • Posts: 32
Re: [HELP] Port 1025 is open
« Reply #2 on: November 21, 2007, 12:12:01 PM »
Thank you!

I didn't know lsass is responsible for SAM. I shut down SAM, after that test it.

Offline trash

  • Comodo Member
  • **
  • Posts: 32
Re: [HELP] Port 1025 is open
« Reply #3 on: November 22, 2007, 12:52:44 AM »
I disabled SAM, but lsass.exe is still running.

After some searching I've found another service which is using lsass.exe:

IPSEC Policy Agent: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

In the Stealth Ports Wizard I use "Blocking all incoming connections" and finally all ports are stealth.

Toggie

  • Guest
Re: [HELP] Port 1025 is open
« Reply #4 on: November 22, 2007, 01:20:00 AM »
Lsass.exe is an integral part of Windows. DO NOT DISABLE IT; if you do, you will not be able to log on.

Likewise, the SAM should not be disabled. It's fundamental to Windows, the Registry in particular.

Offline trash

  • Comodo Member
  • **
  • Posts: 32
Re: [HELP] Port 1025 is open
« Reply #5 on: November 22, 2007, 01:38:34 AM »
Thanks Toggie!

I don't disable it. Why is lsass.exe listening? How can I close port 1025?

CFP3 is a bit difficult for me.

Toggie

  • Guest
Re: [HELP] Port 1025 is open
« Reply #6 on: November 22, 2007, 01:54:29 AM »
This is interesting, we had some similar issues with V2, although I'm not sure they were totally resolved. It seems to affect some users and not others...

As far as I remember, it's Svchost.exe listening on port 1025 or port 1026. I guess you could block those and see what happens, but be prepared for any problems.

Offline shinobiteno

  • Comodo Family Member
  • ***
  • Posts: 54
Re: [HELP] Port 1025 is open
« Reply #7 on: November 22, 2007, 02:21:17 AM »
Hows about manually configuring access for svchost and lsass, so it runs LAN only? :)

Toggie

  • Guest
Re: [HELP] Port 1025 is open
« Reply #8 on: November 22, 2007, 02:33:50 AM »
> Hows about manually configuring access for svchost and lsass, so it runs LAN only? :)

Sensible suggestion :)

Offline trash

  • Comodo Member
  • **
  • Posts: 32
Re: [HELP] Port 1025 is open
« Reply #9 on: November 22, 2007, 02:44:13 AM »
shinobiteno: I made a rule in Network Security Policy as Blocked Application for lsass.exe, but it doesn't matter, port 1025 is still open.

Offline trash

  • Comodo Member
  • **
  • Posts: 32
Re: [HELP] Port 1025 is open
« Reply #10 on: November 22, 2007, 02:48:35 AM »
Toggie: svchost.exe isn't listening on port 1025.


Toggie

  • Guest
Re: [HELP] Port 1025 is open
« Reply #11 on: November 22, 2007, 03:05:28 AM »
lsass.exe is a sub-component of winlogon.exe (that's used to log you on to Windows). Do you have a LAN?

Offline trash

  • Comodo Member
  • **
  • Posts: 32
Re: [HELP] Port 1025 is open
« Reply #12 on: November 22, 2007, 03:11:54 AM »
I don't have a LAN. I use cable for internet.

lsass.exe is responsible for Net Logon. I disabled Net Logon, it doesn't matter.

Offline shinobiteno

  • Comodo Family Member
  • ***
  • Posts: 54
Re: [HELP] Port 1025 is open
« Reply #13 on: November 22, 2007, 04:07:42 AM »
For lsass/svchost, do you have "allow DNS/loopback ON" / trusted in D+?! That can allow them to listen.

Also, sometimes a scripted path, e.g. "%windir%\system32\...", doesn't work; you have to specify the full path manually.


Offline trash

  • Comodo Member
  • **
  • Posts: 32
Re: [HELP] Port 1025 is open
« Reply #14 on: November 22, 2007, 07:38:50 AM »
shinobiteno: I tried to follow your instructions, but (this is my fault) it doesn't work.

Finally I reinstalled CFP with the "I wanna know everything" option, and when I check on grc.com CPF alerts me: lsass.exe wants to accept connections from the internet. I denied, so it works fine!

Thanks shinobiteno and Toggie!

I'll make more checks, but I think it's ok now.
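
Added example, not part of the thread or written by any of its posters: the question asked above ("Why is lsass.exe listening?") starts with confirming which process owns the listening port and which address it is bound to. This Python sketch parses `netstat -ano` output together with a PID-to-image map; the sample text, the PIDs and the name `example.exe` are constructed for illustration and are not taken from the poster's machine.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (illustrative, not real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       612
  TCP    127.0.0.1:1033         0.0.0.0:0              LISTENING       1500
  TCP    192.168.0.10:1042      203.0.113.7:80         ESTABLISHED     2040
  TCP    [::]:1025              [::]:0                 LISTENING       612
  UDP    0.0.0.0:500            *:*                                    612
"""

# Constructed PID-to-image map, as read off `tasklist` output by hand.
SAMPLE_PIDS = {612: "lsass.exe", 884: "svchost.exe", 1500: "example.exe"}


def parse_listeners(netstat_text):
    """Return (ip, port, pid) for every TCP socket in LISTENING state."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        # Data rows have exactly 5 fields; headers and UDP rows do not match.
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            host, port = f[1].rsplit(":", 1)  # rsplit keeps IPv6 colons intact
            rows.append((ipaddress.ip_address(host.strip("[]")), int(port), int(f[4])))
    return rows


def exposure(ip):
    """Classify a bind address by how widely the socket accepts connections."""
    if ip.is_unspecified:      # 0.0.0.0 or ::
        return "all interfaces"
    if ip.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback only"
    return "single interface"


def report(netstat_text, pid_names):
    """Sorted, de-duplicated (port, image, exposure) tuples for each listener."""
    found = {(port, pid_names.get(pid, "unknown"), exposure(ip))
             for ip, port, pid in parse_listeners(netstat_text)}
    return sorted(found)


if __name__ == "__main__":
    for port, image, scope in report(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"{port:>5}  {image:<14} {scope}")
```

Only listeners bound to all interfaces are candidates for what an external scan reports as open; those are the ones an inbound firewall rule has to cover.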

 
