Very Peculiar ZoneAlarm Alert!!!!!!

Discussion in 'other firewalls' started by rbw91, Jul 23, 2004.

Thread Status:
Not open for further replies.
  1. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Hi.

    For no reason whatsoever "lsass.exe" has just activated my ZoneAlarm firewall and wants to accept connections from the internet.

    I have AVG running and have avoided MSBlast and Sasser in the past but is this a new variant?

    I have not accepted nor denied access and do not know what to do.

    Source IP is 81.6.226.144 on port 500.

    I do not know what to do!!!!

    Is this a new Sasser type thing or a legitimate exercise?

    I have never had this happen before in the previous 12 months or so and am really concerned.

    Can you help?
     
  2. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
  3. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Hi, I have had a look and some say trojan, others say OK.

    Is this normal?

    It is only because this has never happened before that I am nervous.

    Do I allow or block?
     
  4. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    When in doubt, deny. You can always make changes later. I can't see any reason for that process to be reaching out unless you log in to remote networks/servers.
    A couple of suggestions:
    You could try to look up that IP address using a whois query; this will give you some info on where the process wants to connect.
    Also perform an online virus scan (McAfee, F-Secure,...) or download a free trojan scanner (Ewido, A2...). A second opinion never hurts.

    edit
    This might help:
    AnalogX WhoIs Ultra (freeware)
    http://www.analogx.com/contents/download/network/whois.htm
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Just to clarify, these are Inbound connection attempts? If so, you would want to block all unsolicited Inbound connections.

    Regards,

    CrazyM
     
  6. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Yes it was inbound attempts by the IP address I stated above.

    It asked me if I wanted "lsass.exe" to act as a server and accept connections from the internet.

    I denied access as it seemed very out-of-the-ordinary.

    All seems to be OK on the PC - just did not know if it was a new variant of a virus.

    Doesn't the Sasser worm infect via this process? Thought it may be a new infection attempt, so thought I would share the info just in case it was.
     
  7. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    Good idea to block it!!! I don't like the sound of it. As previously stated, get EWIDO and check for trojans.
    Gordon
     