Intrusion Attempt From TDS Update Site?

While attempting to perform an automatic update of TDS-3, using the latest update.cfg file, I received an intrusion alert from Norton Internet Security 2004, the details of which are:

Details: The user has created a rule to "block" communications
Inbound UDP packet
Local address,service is (0.0.0.0,isakmp(500))
Remote address,service is (www.zeylstra.nl(213.84.177.136),isakmp(500))
Process name is "C:\WINDOWS\system32\lsass.exe"

The other update sites do not generate this alert.
Is this a feature of TDS-3? Or is something amiss?

Best regards,
Little Mike

 

Hi Little Mike, Probably just looking to see if you are still there, many servers do that, especially if the connection is unexpectedly broken.

 

Thanks for the reply; I've had quite few intrusion attempts lately and I'm somewhat suspicious of inbound access attempt.

Best regards,
Little Mike

 

You might like to check your firewall at GRC shieldsup! and other check places; and Port Explorer will show you if there would be anything special the matter which applications could be responsible for them.
And it can't harm to do some extra scans, online as well.
any special ports more frequently then before knocked on?
If you don't trust your system you can always post an AutostartViewer log or HJT in the autostarts forum to be checked too.

 

Jooske,

Thanks for the reply and advice.

Shieldsup! shows my NIS 2004 firewall locked down, all ports stealthed; everything in the green. Same-same Norton online security scan.

I'll post my AutoStartViewer results as per your suggestion, over in the other hijack logs forum; and also the HiJackThis result.

When connected to the Internet (dial-up through an ISP), the intrusion attempts come about 2-3 per hour, from all over the world ("...all the usual suspects."); NIS seems to catch all of these.

However, on computer boot-up, svchost.exe attempts to connect inbound to an IP address in New York state, USA (half a continent away); and also through port 5000 (UPNP).

Also, when the daily scheduled incremental backup runs, C:\WINDOWS\System32\msdtc.exe attempts an inbound connection to the same IP address. Note that there is no modem connection at the time for either of these; and they occur everytime. I notified Norton/Symantec early last week, but have not heard back from them, other than an automated acknowledgement of the trouble report.

I've built rules in NIS to block these, until I can determine what's happening.

As you may well imagine, these attempts to connect at boot-up and backup have raised all kinds of suspicions. As a result, I've been installing lots of tools (referenced in this forum) in an attempt to determine what is occuring; but, subsequent to correcting some initial items, all tools report no problems for the past several days. Yet the inbound connection attempts continue.

Anyway, thanks for the help; I'll post the logs on the other forum.

Best regards,
Little Mke

 

You are on XP? Microsoft testing the legallity of your key?
Do you use Port Explorer to see right-clicking on the svchost where it is located and what it is?
Maybe you run some protective shields or firewalls trying to detect their correct updates etc?
Other auto-updates available?
Going to look at your logs.

 

Anyway the mirrorsite you mentioned, doesn't use any "tricks". I know, because I manage it.
Dolf

 

Yes; XP Pro. It looks like something "checking in". This occurs with "No User" during bootup, which I interpreted as the XP services attempting connections prior to my log in. I've looked at the various XP services that are running, and have disabled those that have been recommended to be disabled (by GRC.com). The thing that really perplexed me was the inbound nature of the connection attempts.

Port Explorer typically displays eight instances of svchost.exe and one instance of lsass.exe, "listening" after bootup, while disconnected.

Anyway, the NIS firewall appears to stop all unauthorized connections from the outside world; and I've put very tight rules in place for all apps requiring outbound connections..

My guess at this point is that the XP services are trying to "check in", although why a particular address in New York State, I do not know.

I continue to run a wide variety of security programs (Diamondcs and otherwise), and the results continue to be negative (no problems found).

So thanks you for your advice; I'll watch for any suggestions that may result form posting the logs in the other forum.

Best regards,
Little Mike

 

Hi Little Mike,

From what you posted above....

Norton Internet Security 2004, the details of which are:

Details: The user has created a rule to "block" communications
Inbound UDP packet
Local address,service is (0.0.0.0,isakmp(500))
Remote address,service is (www.zeylstra.nl(213.84.177.136),isakmp(500))
Process name is "C:\WINDOWS\system32\lsass.exe"



When connected to the Internet (dial-up through an ISP), the intrusion attempts come about 2-3 per hour, from all over the world ("...all the usual suspects."); NIS seems to catch all of these.

However, on computer boot-up, svchost.exe attempts to connect inbound to an IP address in New York state, USA (half a continent away); and also through port 5000 (UPNP).


I would like to suggest that NIS2004 has a good firewall which is letting you know some things that are happening with your WinXP OS but it still appears to me in this thread and the hijack logs you posted in another..that you can still disable some services that XP is offering to you that you will never need and they will continue to drive your crazy and paranoid.


I suggest then you download this program and set it up..it will go a long ways to stop thinks from running .




http://www.xp-antispy.org/

What is XP-AntiSpy?

XP-AntiSpy is a little utility that let's you disable some built-in update and authetication 'features' in WindowsXP.
For example, there's a service running in the background wich is called 'Automatic Updates'. I don't know what this service transfers from my machine to other machines on the internet, especially the MS ones. So I play it safe and disable such functions. If you like, you can even disable these function manually, by going through the System and checking or unchecking some checkboxes. This will take you approximately half an hour. But why wasting time when a little neat utility can do the same in 1 minute? This utility was successfully tested by lots of users, and was found to disable all the known 'Suspicious' Functions in WindowsXP. It's customizeable, but comes up with the Default settings, which are recommended. If you like to get more information about those 'functions',read THIS.

This utility is FREEWARE! This means, you dont have to pay anything for this program and you can give it to anyone who's interested in, as long as you don't sell it. If you find this tool useful, and wanna gimme something back, then click on my sponsors.
Thanks.




Important information: The Domains www.xp-antispy.de und www.xpantispy.de do not belong to the project xp-AntiSpy anymore. The new owner offers only a dialer to download.
Please update any links and your bookmarks to www.xp-antispy.org
Greetings, -chris-

*********************
This site is also very good...

How to secure Windows2000 / XP
http://www.markusjansson.net/exp.html
http://www.markusjansson.net/esecuring.html

***************************

LSASS.exe and port 500


http://www.dslreports.com/forum/remark,2831538~mode=flat?hilite=lsass.exe


Lsass.exe Incoming Connection?
http://www.dslreports.com/forum/remark,8739932~mode=flat




***********************************

If you do those things..you will spend less time making rules for that firewall.

 

Primrose has given some great info there and if I may add to the little freebies to help secure XP's "bells and whistles" is SafeXP

This is similiar to XP-AntiSpy he mentioned.

http://www.theorica.tk/

I attached a pic [these were default settings, as I have already disabled a lot via previous methods and did not want to 'double up' in case of problems].

hth along with the other great replies.

 

Hi Tassie_Devils,
I have not been able to access many of those .tk domains for a long time..but you can get that program here.

http://theorica.webspace4free.biz/safexp.htm


The main features of the program are:

Take control of your PC.
Make Windows XP to run faster and more secure.
Protect your computer and strength Internet protection.
Disable Spyware-like activities of Windows XP (also 2000&ME&9 Operating System, Media Player, Internet Explorer and Outlook.
Disable unnecessary Windows services like System updates, error reporting and much more...
Prevent Internet attacks.
It does not need any DLL or another file(s). It is just a single "EXE" file: SafeXP.exe
No installation necessary.
System Requirements
Windows 95/98/Me/2000/XP

What's New
Version 1.03.12.27 - December 27, 2003

Added Status bar with short help when the user moves mouse over the options.
Redesigned the behaviour of disabling DCOM support.
Many improvements in the Improving Active Scripting (arbitrary commands) security issues like:
- Eliminated Activex bug which is found in the Internet Explorer and Adobe Browser Utility (Adobe SVG Viewer).
- Added protection of vulnerability of HTML-applications (.HTA) and MHTML.
Added option to disable Java JIT compiler in the Internet Explorer.
Enhanced the TCP/IP Stack Security to Protect Against Denial of Service Attacks.
Help file updated.

 

Hi Primrose...

Gee, that is strange.. because when I posted that earlier this arvo, I got the site addy from the 'About' in the program itself and actually clicked on it and went straight to it...

But, just tried again now, and no go..

Now, to make matters even stranger, I realised that when I went to the site earlier on, I did NOT have any browsers open and it opened IE by default and it worked.

This time trying it, I was using MYIE2 [IE engine core based anyway] and it got the Action Cancelled banner... tried copy/paste no go...

So I opened IE itself, clicked the link and it went straight to the site within IE... very strange..

Thanks for the alternative link btw for those not using IE

Cheers, Adrian.

 

Tassie_Devils, Primrose,

Thank you for the pointers to those utilities. I've got them and have been shutting down unneeded services, etc; also have tightened up the firewall rules.

Best regards,
Little Mike