NSA backdoor at port 1025 in CPF3? [Merged Threads]

First of all, sorry for my English!

I made a clean install, Windows XP x64 SP2, drivers (x64), NOD32 (x64), CFP3 (x64), Diskeeper 2k8 (x64), no any other program.

When I finished all install, I tested on grc.com (ShieldsUp!). It shows port 1025 is open (used by lsass.exe), port 1033 is closed (used by diskeeper), other ports are stealth.

When I shutdown Diskeeper server, port 1033 is stealth.

What does lsass.exe make? How can I shutdown it? In Task Manager I can’t: “This is a critical system process. task Manager cannot end this process.”

I can’t find it (hidden files are showed), but in CFP3 → “View Active Connections” this is the path: c:\windows\system32\lsass.exe TCP, Listening: 1025, Bytes In 0 / Bytes Out 0

My internet connection is cable.


Yes Lsass is for the “Security Accounts Manager” - “The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.” - Microsoft…

Anyway if it bothers you you can disable it in the services snap-in in mmc … just type services.msc in the RUN window and scroll down to disable it… if other services depend on it make sure you dont need them and disable them also… Restart for Changes to occur…

after that test to see if the port is still open …

Thank you!

I couldn’t know lsass is responsible for SAM. I shutdown SAM, after that test it.

I disalbed SAM, but lsass.exe is still running.

Some search I’ve found another service which is using lsass.exe:

IPSEC Policy Agent: Manage IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

In Stealth ports wizard I use Blocking all incoming connections and finally all ports are stealth.

Lsass.exe is an integral part of Windows. DO NOT DISABLE IT, if you do you will not be able to log on.

Likewise The SAM should not be disabled, It’s fundamental to Windows, the Registry in particular.

Thanks Toggie!

I don’t disable it. Why is lsass.exe listening? How can I close port 1025?

CFP3 is a bit difficult for me.

This is interesting, we had some similar issues with V2, although I’m not sure they were totally resolved. It seems to affect some uses and not others…

As far as I remember, it’s Svchost.exe listening on port 1025 or port 1026. I guess you could block those and see what happens, but be prepared any problems.

Hows about manually configuring access for svchost and lsass, so it runs LAN only? :slight_smile:

Sensible suggestion :slight_smile:

shinobiteno: I made a rule in Network Security Policy as Blocked Aplication for lsass.exe, but doesn’t matter, port 1025 is still open.

Toggie: scvhost.exe doesn’t listening on port 1025


lsass.exe is a sub-component of winlogon.exe (that’s used to log you on to Windows) Do you have a LAN?

I don’t have LAN. I use cable for internet.

lsass.exe is responsible for Net Logon. I disable Net Logon, doesn’t matter.

For lsass/svchost , do you have “allow DNS/loopback ON”/ trusted in D+?! That can allow them to listen.

Also, sometimes scripted path, e.g. “%windir%\system32…” doesn’t work, you have to specify full path manually.

[attachment deleted by admin]

shinobiteno: I tried to follow your instuction, but (this is my fault) doesn’t work.

Finally I reinstalled CFP with “I wanna know everything” option, and when I check on grc.com CPF alert me: lsass.exe wamts to accept connections from internet. I denied, so it works fine!

Thanks shinobiteno and Toggie!

I’ll made more checks, but I think it’s ok now.

PC Flank returned string
1025 closed n/a n/a
Shields UP! returned
1025 Host Closed Your computer has responded that this port exists but is currently closed to connections.

CPF2 (latest)
Port 135 is closed!

[attachment deleted by admin]

Personally I do not have this port opened(i’ve tried the same test as you)

(Sorry for my english)

Yes, its not opened. But closed port and stealthed port is not really the same thing. Today its closed but exists and tells anyone about it. Sure it won’t open tomorrow? Note I used Stealth Ports Wizard but it didn’t help. Why NSA? It’s almost a joke ), but they are suspected to be spying ports 1024-1030:
Hope port will be stealthed ASAP. Thanks for CPF3, nice work.

Are you connected to a router?

No, just modem D-Link 200, and my ISP doesn’t filter anything.
In a pic PC FLANK Stealth Test results with CPF2, but now I’ve got 135 port being stealthed! So 135 was visible in a prev. version. Now its not.

[attachment deleted by admin]