Very Peculiar ZoneAlarm Alert!!!!!!

Discussion in 'other firewalls' started by rbw91, Jul 23, 2004.

Thread Status:
Not open for further replies.
  1. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Hi.

    For no reason whatsoever "lsass.exe" has just activated my Zonealarm firewall and wants to accept connections from the internet.

    I have AVG running and have avoided MSBlast and Sasser in the past but is this a new variant?

    I have not accepted nor denied access and do not know what to do.

    Source IP is 81.6.226.144 on port 500.

    I do not know what to do!!!!

    Is this a new Sasser type thing or a legitimate exercise?

    I have never had this happen before in the previous 12 months or so and am really concerned.

    Can you help?
     
  2. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,100
    Location:
    SouthCentral PA
  3. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Hi I have had a look and some say trojan other say OK.

    Is this normal?

    It is only because this has never happened before that I am nervous.

    Do I allow or block?
     
  4. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    When in doubt, deny. You can always make changes later. I can't see any reason for that process to be reaching out unless you login to remote networks/servers.
    A couple suggestions:
    You could try to lookup that IP add by using a whois query, this will give you some info on where the process wants to connect.
    Also perform an online virus scan (McAfee, FSecure,...) or download a free trojan scanner (Ewido, A2...). A second opinion never hurts.

    edit
    This might help:
    AnalogX WhoIs Ultra (freeware)
    http://www.analogx.com/contents/download/network/whois.htm
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Just to clarify, these are Inbound connection attempts? If so, you would want to block all unsolicited Inbound connections.

    Regards,

    CrazyM
     
  6. rbw91

    rbw91 Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    57
    Yes it was inbound attempts by the IP address I stated above.

    It asked me if I wanted "lsass.exe" to act as a server and accept connections from te internet.

    I denied access as it seemed very out-of-the-ordinary.

    All seems to be OK on the PC - just did not know if it was a new variant of a virus.

    Doesn't the Sasser worm infect via this process? Thought it may be new infection attempt, so thought I would share the info just in case it was.
     
  7. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    833
    Location:
    UK
    good idea to block it!!! I dont like the sound of it. As previously stated get EWIDO and check for trojans.
    Gordon
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.