Intrusion Attempt From TDS Update Site?

Discussion in 'Trojan Defence Suite' started by Little Mike, Mar 6, 2004.

Thread Status:
Not open for further replies.
  1. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    While attempting to perform an automatic update of TDS-3, using the latest update.cfg file, I received an intrusion alert from Norton Internet Security 2004, the details of which are:

    Details: The user has created a rule to "block" communications
    Inbound UDP packet
    Local address,service is (0.0.0.0,isakmp(500))
    Remote address,service is (www.zeylstra.nl(213.84.177.136),isakmp(500))
    Process name is "C:\WINDOWS\system32\lsass.exe"

    The other update sites do not generate this alert.
    Is this a feature of TDS-3? Or is something amiss?

    Best regards,
    Little Mike
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Little Mike, Probably just looking to see if you are still there, many servers do that, especially if the connection is unexpectedly broken.
     
  3. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    Thanks for the reply; I've had quite a few intrusion attempts lately and I'm somewhat suspicious of inbound access attempts.

    Best regards,
    Little Mike
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You might like to check your firewall at GRC ShieldsUP! and other check places; and Port Explorer will show you if there is anything special the matter and which applications could be responsible for them.
    And it can't harm to do some extra scans, online as well.
    Any special ports knocked on more frequently than before?
    If you don't trust your system you can always post an AutostartViewer log or HJT in the autostarts forum to be checked too.
     
  5. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    Jooske,

    Thanks for the reply and advice.

    Shieldsup! shows my NIS 2004 firewall locked down, all ports stealthed; everything in the green. Same-same Norton online security scan.

    I'll post my AutoStartViewer results as per your suggestion, over in the other hijack logs forum; and also the HiJackThis result.

    When connected to the Internet (dial-up through an ISP), the intrusion attempts come about 2-3 per hour, from all over the world ("...all the usual suspects."); NIS seems to catch all of these.

    However, on computer boot-up, svchost.exe attempts to connect inbound to an IP address in New York state, USA (half a continent away); and also through port 5000 (UPNP).

    Also, when the daily scheduled incremental backup runs, C:\WINDOWS\System32\msdtc.exe attempts an inbound connection to the same IP address. Note that there is no modem connection at the time for either of these; and they occur every time. I notified Norton/Symantec early last week, but have not heard back from them, other than an automated acknowledgement of the trouble report.

    I've built rules in NIS to block these, until I can determine what's happening.

    As you may well imagine, these attempts to connect at boot-up and backup have raised all kinds of suspicions. As a result, I've been installing lots of tools (referenced in this forum) in an attempt to determine what is occurring; but, subsequent to correcting some initial items, all tools report no problems for the past several days. Yet the inbound connection attempts continue.

    Anyway, thanks for the help; I'll post the logs on the other forum.

    Best regards,
    Little Mike
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You are on XP? Microsoft testing the legality of your key?
    Do you use Port Explorer to see right-clicking on the svchost where it is located and what it is?
    Maybe you run some protective shields or firewalls trying to detect their correct updates etc?
    Other auto-updates available?
    Going to look at your logs.
     
  7. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Anyway, the mirror site you mentioned doesn't use any "tricks". I know, because I manage it. ;)
    Dolf
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Quite so - and have a well deserved karma cookie for providing the bandwidth, Dolf :cool:

    regards.

    paul
     
  9. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    Yes; XP Pro. It looks like something "checking in". This occurs with "No User" during bootup, which I interpreted as the XP services attempting connections prior to my log in. I've looked at the various XP services that are running, and have disabled those that have been recommended to be disabled (by GRC.com). The thing that really perplexed me was the inbound nature of the connection attempts.

    Port Explorer typically displays eight instances of svchost.exe and one instance of lsass.exe, "listening" after bootup, while disconnected.

    Anyway, the NIS firewall appears to stop all unauthorized connections from the outside world; and I've put very tight rules in place for all apps requiring outbound connections.

    My guess at this point is that the XP services are trying to "check in", although why a particular address in New York State, I do not know.

    I continue to run a wide variety of security programs (Diamondcs and otherwise), and the results continue to be negative (no problems found).

    So thank you for your advice; I'll watch for any suggestions that may result from posting the logs in the other forum.

    Best regards,
    Little Mike
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hi Little Mike,

    From what you posted above:

    Norton Internet Security 2004, the details of which are:

    Details: The user has created a rule to "block" communications
    Inbound UDP packet
    Local address,service is (0.0.0.0,isakmp(500))
    Remote address,service is (www.zeylstra.nl(213.84.177.136),isakmp(500))
    Process name is "C:\WINDOWS\system32\lsass.exe"

    When connected to the Internet (dial-up through an ISP), the intrusion attempts come about 2-3 per hour, from all over the world ("...all the usual suspects."); NIS seems to catch all of these.

    However, on computer boot-up, svchost.exe attempts to connect inbound to an IP address in New York state, USA (half a continent away); and also through port 5000 (UPNP).

    I would like to suggest that NIS2004 has a good firewall which is letting you know some things that are happening with your WinXP OS, but it still appears to me, in this thread and the hijack logs you posted in another, that you can still disable some services XP is offering you that you will never need; they will continue to drive you crazy and paranoid.

    I suggest then you download this program and set it up; it will go a long way to stop things from running.

    http://www.xp-antispy.org/

    What is XP-AntiSpy?

    XP-AntiSpy is a little utility that lets you disable some built-in update and authentication 'features' in WindowsXP.
    For example, there's a service running in the background which is called 'Automatic Updates'. I don't know what this service transfers from my machine to other machines on the internet, especially the MS ones. So I play it safe and disable such functions. If you like, you can even disable these functions manually, by going through the System and checking or unchecking some checkboxes. This will take you approximately half an hour. But why waste time when a little neat utility can do the same in 1 minute? This utility was successfully tested by lots of users, and was found to disable all the known 'Suspicious' Functions in WindowsXP. It's customizable, but comes up with the Default settings, which are recommended. If you like to get more information about those 'functions', read THIS.

    This utility is FREEWARE! This means you don't have to pay anything for this program and you can give it to anyone who's interested in it, as long as you don't sell it. If you find this tool useful, and wanna gimme something back, then click on my sponsors.
    Thanks.

    Important information: The Domains www.xp-antispy.de and www.xpantispy.de do not belong to the project xp-AntiSpy anymore. The new owner offers only a dialer to download.
    Please update any links and your bookmarks to www.xp-antispy.org
    Greetings, -chris-

    *********************
    This site is also very good...

    How to secure Windows2000 / XP
    http://www.markusjansson.net/exp.html
    http://www.markusjansson.net/esecuring.html

    ***************************

    LSASS.exe and port 500
    http://www.dslreports.com/forum/remark,2831538~mode=flat?hilite=lsass.exe

    Lsass.exe Incoming Connection?
    http://www.dslreports.com/forum/remark,8739932~mode=flat

    ***********************************

    If you do those things, you will spend less time making rules for that firewall.
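The alert blocks quoted above follow a fixed NIS 2004 layout, so the recurring inbound hits on lsass.exe (UDP 500) and svchost.exe (TCP 5000) can be sorted mechanically before deciding which firewall rules are actually needed. The Python below is an added example, not code from this thread or from Symantec; it assumes the line layout shown in the thread and a small table of listeners that XP hosts in those processes (IPsec IKE in lsass.exe, UPnP in svchost.exe), which the code marks as an assumption.

```python
import re
from collections import Counter, namedtuple
# Constructed sample in the layout NIS 2004 printed in the thread: the first block is the
# thread's own alert (repeated once), the third is made up; "Details:" lines are optional.
SAMPLE_ALERTS = """\
Details: The user has created a rule to "block" communications
Inbound UDP packet
Local address,service is (0.0.0.0,isakmp(500))
Remote address,service is (www.zeylstra.nl(213.84.177.136),isakmp(500))
Process name is "C:\\WINDOWS\\system32\\lsass.exe"

Inbound UDP packet
Local address,service is (0.0.0.0,isakmp(500))
Remote address,service is (www.zeylstra.nl(213.84.177.136),isakmp(500))
Process name is "C:\\WINDOWS\\system32\\lsass.exe"

Inbound TCP packet
Local address,service is (0.0.0.0,5000)
Remote address,service is (203.0.113.7,3456)
Process name is "C:\\WINDOWS\\system32\\svchost.exe"
"""
PKT_RE = re.compile(r"^(Inbound|Outbound) (UDP|TCP) packet$", re.M)
ADDR_RE = re.compile(r"^(Local|Remote) address,service is \((.*),(?:[\w-]+\()?(\d+)\)?\)$", re.M)
HOST_RE = re.compile(r"^(.*)\((\d+\.\d+\.\d+\.\d+)\)$")  # "name(ip)" as NIS prints resolved hosts
PROC_RE = re.compile(r'^Process name is "(.+)"$', re.M)
Alert = namedtuple("Alert", "direction proto local_port remote_host remote_ip remote_port process")

def parse_alerts(text):  # one Alert per well-formed block; blocks that break the layout are skipped
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pkt, proc = PKT_RE.search(block), PROC_RE.search(block)
        addrs = {m.group(1): (m.group(2), int(m.group(3))) for m in ADDR_RE.finditer(block)}
        if not (pkt and proc and "Local" in addrs and "Remote" in addrs):
            continue
        hm = HOST_RE.match(addrs["Remote"][0])  # split "www.example.net(192.0.2.1)" into name and IP
        host, ip = (hm.group(1), hm.group(2)) if hm else (addrs["Remote"][0], addrs["Remote"][0])
        alerts.append(Alert(pkt.group(1), pkt.group(2), addrs["Local"][1], host, ip,
                            addrs["Remote"][1], proc.group(1).rsplit("\\", 1)[-1].lower()))
    return alerts

# Assumed background, not stated in the thread: on Windows XP the IPsec IKE listener runs
# inside lsass.exe (UDP 500) and the UPnP device host inside svchost.exe (TCP 5000).
EXPECTED = {("udp", 500, "lsass.exe"): "IKE/ISAKMP listener (IPsec), expected on XP",
            ("tcp", 5000, "svchost.exe"): "UPnP device host, expected on XP"}
def explain(a):  # expected XP listener, or flag the alert for review
    return EXPECTED.get((a.proto.lower(), a.local_port, a.process),
                        "unrecognised listener: review the process and remote host")
def summarize(alerts):  # how often each (process, remote IP, local port) combination recurs
    return Counter((a.process, a.remote_ip, a.local_port) for a in alerts)
```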
     
  11. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Primrose has given some great info there and if I may add to the little freebies to help secure XP's "bells and whistles" is SafeXP

    This is similar to XP-AntiSpy he mentioned.

    http://www.theorica.tk/

    I attached a pic [these were default settings, as I have already disabled a lot via previous methods and did not want to 'double up' in case of problems].

    hth along with the other great replies.
     
  12. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hi Tassie_Devils,
    I have not been able to access many of those .tk domains for a long time..but you can get that program here.

    http://theorica.webspace4free.biz/safexp.htm


    The main features of the program are:

    Take control of your PC.
    Make Windows XP run faster and more secure.
    Protect your computer and strengthen Internet protection.
    Disable Spyware-like activities of Windows XP (also 2000&ME&98) Operating System, Media Player, Internet Explorer and Outlook.
    Disable unnecessary Windows services like System updates, error reporting and much more...
    Prevent Internet attacks.
    It does not need any DLL or another file(s). It is just a single "EXE" file: SafeXP.exe
    No installation necessary.
    System Requirements
    Windows 95/98/Me/2000/XP

    What's New
    Version 1.03.12.27 - December 27, 2003

    Added Status bar with short help when the user moves mouse over the options.
    Redesigned the behaviour of disabling DCOM support.
    Many improvements in the Improving Active Scripting (arbitrary commands) security issues like:
    - Eliminated Activex bug which is found in the Internet Explorer and Adobe Browser Utility (Adobe SVG Viewer).
    - Added protection of vulnerability of HTML-applications (.HTA) and MHTML.
    Added option to disable Java JIT compiler in the Internet Explorer.
    Enhanced the TCP/IP Stack Security to Protect Against Denial of Service Attacks.
    Help file updated.
     
  13. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Primrose...

    Gee, that is strange.. because when I posted that earlier this arvo, I got the site addy from the 'About' in the program itself and actually clicked on it and went straight to it...

    But, just tried again now, and no go..

    Now, to make matters even stranger, I realised that when I went to the site earlier on, I did NOT have any browsers open and it opened IE by default and it worked.

    This time trying it, I was using MYIE2 [IE engine core based anyway] and it got the Action Cancelled banner... tried copy/paste no go...

    So I opened IE itself, clicked the link and it went straight to the site within IE... very strange..

    Thanks for the alternative link btw for those not using IE

    Cheers, Adrian.
     

  14. Little Mike

    Little Mike Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    29
    Tassie_Devils, Primrose,

    Thank you for the pointers to those utilities. I've got them and have been shutting down unneeded services, etc.; also have tightened up the firewall rules.

    Best regards,
    Little Mike
     