An outer IP addresses trying to communicate via UDP with lsass.exe

mahler · July 11, 2011, 2:07pm

Hi!

My firewall is saying that various IP-Addresses are trying to communicate with lsass.exe via UDP. Something to be concerned about?
Here is a pic…
Thx!

[attachment deleted by admin]

Radaghast · July 11, 2011, 2:12pm

Are you using a vpn of any kind, maybe pptp or l2tp?

mahler · July 11, 2011, 2:35pm

what are these? some kind of protocols?

Radaghast · July 11, 2011, 2:55pm

A VPN is a Virtual Private Network and the others are methods for creating these. I’d be most interested in L2TP (Layer 2 Transport Protocol) as it can be used with IPSec (IP Security)

In the image you posted, all of the connections are to UDP port 500, which is the port used for (ISAKMP) Internet Security Association and Key Management Protocol, which is used for authentication in IPSec. Lsass (Local Security Authority Subsystem Service) is the service use in the authentication process.

Basically, if you’re using IPSec, perhaps via a vpn, the log entries might make some sense. However, if you’re not using IPSec, we’d need to find out why these connections are being made.

mahler · July 11, 2011, 4:10pm

well how do I know if I am using it? I mean, I have two accounts, admin and a guest account on my comp. Is that what you mean?

Radaghast · July 11, 2011, 4:14pm

If you were using a vpn, I guess you’d know. Can you post screen shots of your Global and application firewall rules, please. Use the Additional Options at the bottom of the reply box to attach the images.

Edit: you appear to be behind a router, so you should check the router settings, for what is and what is not allowed through.

mahler · July 11, 2011, 4:45pm

here they are…

[attachment deleted by admin]

mahler · July 11, 2011, 5:03pm

here are my router settings (if I’m right):

[attachment deleted by admin]

Citizen_K · July 11, 2011, 5:14pm

Your logs show that port 500 must be open on your router. Usually you can’t see the ports opened by the Universal Plug and Play interface in the web interface.

Open the Universal Plug and Play interface under Network to see if the port 500 is opened. See attached image.

[attachment deleted by admin]

mahler · July 11, 2011, 5:21pm

Thx!
But where do I find these settings on XP?

rhgtyink · July 11, 2011, 7:54pm

Based on the traffic it almost look like the host is setup as a 'DMZ" host, it’s receiving traffic it should never see on a 'NAT" setup and it is destined to a Private IP so there should be NAT in the middle here. First secure the router then see what’s left to tweak on the PC(s).

Try to see if your Router setup page has a ‘Firewall’ or something like DMZ Host setup entry, if you don’t know where to look please post the make and model so we can see if we can find the manuals for it.

Citizen_K · July 11, 2011, 9:00pm

DMZ may also be called Exposed Host. Try Ronny’s angle first. I will when needed look up some info on how to enable uPnP in XP.

rhgtyink · July 11, 2011, 9:04pm

It’s default on.

mahler · July 12, 2011, 6:21pm

Hi guys,
Router model is Thomson TWG850-4U and it has a firewall. You can see some screenshots above.

Thx!

mahler · July 12, 2011, 7:03pm

should Windows FW be turne off if I use Comodo FW?

HeffeD · July 12, 2011, 9:41pm

Yes. It’s never recommended to run more than one software firewall on your system.

Radaghast · July 13, 2011, 2:27am

I had a look through the manual for your router and I noticed it has an option for IPSec passtrough, which seems to be enabled by default. It might be worth disabling this and observing the behaviour following a restart of the router. (see image)

It might also be interesting to see what ShieldsUP sees by way of open ports on your router. Just make sure the IP address identified before the test starts is that or your router. Post the results here.

[attachment deleted by admin]

mahler · July 13, 2011, 10:28am

Hi!

How do I restart the router? You mean, I should change these IPSec-thing and then restart the router?

However, here are the screenshots of ShieldsUp

[attachment deleted by admin]

Radaghast · July 13, 2011, 10:39am

Some routers have an option to reboot when changes to the configuration have been made. If you don’t see this, it may be unnecessary. If not just uncheck the box for IPSec.

The scan is showing a NetBIOS port (139) as open, which is not really what you need. Just to confirm, the IP address 62.178.37.165 is the IP address of the router? (open a command prompt and type ipconfig /all and post the screen shot)

What is the port being shown as closed?

mahler · July 13, 2011, 10:44am

GRC Port Authority Report created on UTC: 2011-07-13 at 10:44:30

Results from scan of ports: 0-1055

1 Ports Open
1 Ports Closed

1054 Ports Stealth

1056 Ports Tested

The port found to be OPEN was: 139

The port found to be CLOSED was: 1032

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

[attachment deleted by admin]