NSA backdoor at port 1025 in CPF3? [Merged Threads]

First of all, sorry for my English!

I made a clean install: Windows XP x64 SP2, drivers (x64), NOD32 (x64), CFP3 (x64), Diskeeper 2k8 (x64), no other programs.

When I finished installing everything, I tested on grc.com (ShieldsUp!). It shows port 1025 is open (used by lsass.exe), port 1033 is closed (used by Diskeeper), and the other ports are stealth.

When I shut down the Diskeeper server, port 1033 is stealth.

What does lsass.exe do? How can I shut it down? In Task Manager I can't: "This is a critical system process. Task Manager cannot end this process."

I can't find it (hidden files are shown), but in CFP3 → "View Active Connections" this is the path: c:\windows\system32\lsass.exe TCP, Listening: 1025, Bytes In 0 / Bytes Out 0

My internet connection is cable.

Thanks!
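An added check, not from the original post or from Comodo, for confirming what the firewall's "View Active Connections" view reports: `netstat -ano` (present on Windows XP SP2 and later) lists every listening TCP socket with the PID that owns it, and the script below maps those PIDs to process names and says whether each socket is bound to every interface (reachable from the Internet when nothing filters it, as on an unfiltered cable modem) or only to loopback. The sample netstat lines, PIDs and process names are constructed for offline use and are assumptions, not a capture of the poster's machine; the commented lines at the end show the live form.

```powershell
# Added example (not from the thread): map LISTENING TCP sockets in "netstat -ano"
# output to their owning process, so a firewall's listener report can be cross-checked.

function ConvertFrom-NetstatListening {
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,   # raw "netstat -ano" lines
        [hashtable]$PidToName = @{}                       # PID -> process name, e.g. from Get-Process
    )
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        # TCP rows look like: Proto, Local Address, Foreign Address, State, PID.
        # Header lines, blank lines and UDP rows (no State column) are skipped.
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }

        # Split on the last colon only, so IPv6 literals such as [::]:135 stay intact.
        $addr, $port = $f[1] -split ':(?=\d+$)'
        $ownerPid = [int]$f[4]

        $reach = if ($addr -eq '0.0.0.0' -or $addr -eq '[::]') {
            'all interfaces (Internet-reachable unless filtered)'
        } elseif ($addr -like '127.*' -or $addr -eq '[::1]') {
            'loopback only'
        } else {
            "single interface $addr"
        }

        $name = if ($PidToName.ContainsKey($ownerPid)) { $PidToName[$ownerPid] } else { '(unknown)' }

        # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 (the last release for XP).
        New-Object PSObject -Property @{
            Port         = [int]$port
            LocalAddress = $addr
            Reach        = $reach
            OwnerPid     = $ownerPid
            Process      = $name
        }
    }
}

# Constructed sample input (assumed PIDs and names; not captured from the poster's system).
$sampleNetstat = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904',
    '  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       656',
    '  TCP    127.0.0.1:1033         0.0.0.0:0              LISTENING       1412',
    '  UDP    0.0.0.0:500            *:*                                    656'
)
$sampleNames = @{ 656 = 'lsass'; 904 = 'svchost'; 1412 = 'DkService' }   # assumed mapping

ConvertFrom-NetstatListening -Lines $sampleNetstat -PidToName $sampleNames |
    Sort-Object Port |
    Format-Table Port, LocalAddress, Reach, OwnerPid, Process -AutoSize

# Live use (run as Administrator so Get-Process can see system processes such as lsass):
# $names = @{}; Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
# ConvertFrom-NetstatListening -Lines (netstat -ano) -PidToName $names |
#     Where-Object { $_.Reach -like 'all interfaces*' } | Format-Table -AutoSize
```

In the sample, port 1025 is bound to 0.0.0.0 by the process mapped to lsass, which is why an external scanner sees it at all; port 1033 is bound to 127.0.0.1 and would only show up as closed or stealth from outside depending on how the firewall answers. The "Reach" column is the thing to check before deciding whether a firewall rule is needed: a loopback-only listener needs none.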

Yes, lsass is for the "Security Accounts Manager" - "The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled." - Microsoft…

Anyway, if it bothers you, you can disable it in the Services snap-in in MMC: just type services.msc in the Run window and scroll down to disable it. If other services depend on it, make sure you don't need them and disable them also. Restart for the changes to take effect.

After that, test to see if the port is still open.

Thank you!

I didn't know lsass is responsible for the SAM. I shut down the SAM, then tested it.

I disabled the SAM, but lsass.exe is still running.

After some searching, I've found another service which uses lsass.exe:

IPSEC Policy Agent: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

In the Stealth Ports Wizard I use "Block all incoming connections", and finally all ports are stealth.

Lsass.exe is an integral part of Windows. DO NOT DISABLE IT; if you do, you will not be able to log on.

Likewise, the SAM should not be disabled. It's fundamental to Windows, the Registry in particular.

Thanks Toggie!

I don’t disable it. Why is lsass.exe listening? How can I close port 1025?

CFP3 is a bit difficult for me.

This is interesting; we had some similar issues with V2, although I'm not sure they were totally resolved. It seems to affect some users and not others…

As far as I remember, it's svchost.exe listening on port 1025 or port 1026. I guess you could block those and see what happens, but be prepared for any problems.

How about manually configuring access for svchost and lsass, so it runs LAN only? :)

Sensible suggestion :)

shinobiteno: I made a rule in Network Security Policy as Blocked Application for lsass.exe, but it doesn't matter, port 1025 is still open.

Toggie: svchost.exe isn't listening on port 1025

http://trashweb.extra.hu/lsass.jpg

lsass.exe is a sub-component of winlogon.exe (that's used to log you on to Windows). Do you have a LAN?

I don’t have LAN. I use cable for internet.

lsass.exe is responsible for Net Logon. I disabled Net Logon; it doesn't matter.

For lsass/svchost, do you have "allow DNS/loopback ON"/trusted in D+? That can allow them to listen.

Also, sometimes a scripted path, e.g. "%windir%\system32.…", doesn't work; you have to specify the full path manually.

[attachment deleted by admin]

shinobiteno: I tried to follow your instructions, but (this is my fault) it doesn't work.

Finally I reinstalled CFP with the "I wanna know everything" option, and when I checked on grc.com CPF alerted me: lsass.exe wants to accept connections from the Internet. I denied it, so it works fine!

Thanks shinobiteno and Toggie!

I'll make more checks, but I think it's ok now.

CPF3
PC Flank returned:
1025 closed n/a n/a
Shields UP! returned:
1025 Host Closed. Your computer has responded that this port exists but is currently closed to connections.

CPF2 (latest)
Port 135 is closed!

[attachment deleted by admin]

Personally I do not have this port open (I've tried the same test as you).

(Sorry for my english)

Yes, it's not open. But a closed port and a stealthed port are not really the same thing. Today it's closed, but it exists and tells anyone about it. Sure it won't open tomorrow? Note I used the Stealth Ports Wizard but it didn't help. Why NSA? It's almost a joke ), but they are suspected to be spying on ports 1024-1030:
http://cryptome.org/nsa-ip-update11.htm
Hope the port will be stealthed ASAP. Thanks for CPF3, nice work.

Are you connected to a router?

No, just a D-Link 200 modem, and my ISP doesn't filter anything.
In the pic are the PC Flank Stealth Test results with CPF2, but now I've got port 135 being stealthed! So 135 was visible in a previous version. Now it's not.

[attachment deleted by admin]