Thread: lsass.exe connecting to remote IP address

  1. #1
    thedillinger Guest

    lsass.exe connecting to remote IP address

    For some time now I have noticed the Windows file lsass.exe connecting to remote IPs; without Internet Explorer open it's the only process with remote IP addresses listed... the below list is from opening "cmd" and typing "netstat -nab", without the quotes

    TCP    MyIP:2406       216.239.59.104:443    TIME_WAIT    0
    TCP    MyIP:2412       216.239.59.104:443    TIME_WAIT    0
    TCP    MyIP:2426       38.103.145.98:80      TIME_WAIT    0
    TCP    MyIP:2427       38.103.145.98:80      TIME_WAIT    0
    TCP    MyIP:2429       216.239.59.104:443    TIME_WAIT    0
    TCP    MyIP:2433       92.122.126.250:80     TIME_WAIT    0
    TCP    MyIP:2434       92.122.126.250:80     TIME_WAIT    0
    TCP    MyIP:2435       92.122.126.250:80     TIME_WAIT    0
    UDP    0.0.0.0:500     *:*                                764
    [lsass.exe]
    UDP    0.0.0.0:445     *:*                                4
    [System]
    UDP    0.0.0.0:4500    *:*                                764
    [lsass.exe]

    The above is not the complete list, but it has all the lsass.exe info there... I have already set ZoneAlarm to block internet and server access in program control with 4 red x marks in a row (this program has no need to connect out of my PC), although the program itself remains trusted - 3 green trust marks... so I decided enough is enough and set the trust level to "Ask"; yes, it's on custom settings rather than system... then I did another "netstat -nab" and got (same as above, I replaced my IP address with MyIP)...


    Proto  Local Address   Foreign Address       State        PID
    TCP    MyIP:2433       92.122.126.250:80     TIME_WAIT    0
    TCP    MyIP:2434       92.122.126.250:80     TIME_WAIT    0
    TCP    MyIP:2435       92.122.126.250:80     TIME_WAIT    0
    UDP    0.0.0.0:500     *:*                                764
    [lsass.exe]
    UDP    0.0.0.0:445     *:*                                4
    [System]
    UDP    0.0.0.0:4500    *:*                                764
    [lsass.exe]

    I guess when I changed the rights of lsass.exe some of the connections disappeared? Or was that an odd coincidence...
    Did a netstat -nab again and found...

    Operating System: Windows XP Pro
    Software Version: 8.0
    Product Name: ZoneAlarm Internet Security Suite

  2. #2
    thedillinger Guest

    Re: lsass.exe connecting to remote IP address

    Sorry, continued from above... then I found...


    TCP    MyIP:2576       216.239.59.103:443    TIME_WAIT    0
    TCP    MyIP:2581       216.239.59.103:443    TIME_WAIT    0
    UDP    0.0.0.0:500     *:*                                764
    [lsass.exe]
    UDP    0.0.0.0:4500    *:*                                764
    [lsass.exe]
    UDP    0.0.0.0:445     *:*                                4
    [System]

    Notice the IP addresses keep changing, and also the ports.
    So what are these websites/computers my PC is connecting to, lsass.exe being a Microsoft Windows process... well, I used a site called whatsmyip to reverse DNS the IP addresses... http://www.whatsmyip.org/whois/
    Will post results of that below...

  3. #3
    thedillinger Guest

    Re: lsass.exe connecting to remote IP address

    Results of reverse DNS...
    216.239.59.104    unknown
    38.103.145.98     AILS4.dingloo.com
    216.239.59.104    unknown
    92.122.126.250    a92-122-126-250.deploy.akamaitechnologies.com
    216.239.59.103    unknown

    I visited http://ails4.dingloo.com/ and there is a message on the page...
    ------------------------------
    Great Success !
    Apache is working on your cPanel and WHM Server
    If you can see this page, then the people who manage this server have installed cPanel and WebHost Manager (WHM) which use the Apache Web server software and the Apache Interface to OpenSSL (mod_ssl) successfully. They now have to add content to this directory and replace this placeholder page, or else point the server at their real content.
    -------------------------------
    So why is my computer connecting to this website? Even better is this site, about cars *?* http://www.dingloo.com/
    For the other, I tried the DNS and also... http://www.akamaitechnologies.com/ no luck, link goes nowhere
    *My main question is what are these sites and why is ZoneAlarm unable to block them?

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Re: lsass.exe connecting to remote IP address

    216.239.59.103 is google.com (216.239.58.0 thru to 216.239.59.255).
    Just used Gmail or some online function from Google recently before making these discoveries? The odd numbered ports - 2576 and 2581 - are normal (fall within the 1024-500 port range).

    The address is still (0.0.0.0) a localhost address and it is not an actual internet connection.
    Basically these are services and daemons enabled in Windows that use lsass.exe, and therefore lsass.exe is listening (even though it is not actually doing anything or is really needed)

    Port 443 is for https (secure http).
    Port 500 is ISAKMP
    Port 4500 is IPsec for the
    Port 445 is SMB

    Other and complete listing of the port requirements for the lsass.exe:

    System service name: LSASS

    Application protocol                     Protocol  Ports
    Global Catalog Server                    TCP       3269
    Global Catalog Server                    TCP       3268
    LDAP Server                              TCP       389
    LDAP Server                              UDP       389
    LDAP SSL                                 TCP       636
    LDAP SSL                                 UDP       636
    IPsec ISAKMP                             UDP       500
    NAT-T                                    UDP       4500
    RPC                                      TCP       135
    RPC randomly allocated high TCP ports    TCP       1024 - 65535*

    Oldsod.
    Best regards.
    oldsod
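
In `netstat -nab` output a bracketed `[name]` line labels only the socket row directly above it, so the `TIME_WAIT` rows with PID 0 in the listings above carry no owner of their own. The parser below is an added example, not part of any post in this thread: it pairs each row with its owner and checks lsass.exe rows against the LSASS port table from post #4. The function names and the "wildcard foreign address" rule are assumptions of this example.

```python
import re

# (protocol, port) pairs from post #4's LSASS table; its RPC range is checked below.
LSASS_PORTS = {("TCP", 3269), ("TCP", 3268), ("TCP", 389), ("UDP", 389), ("TCP", 636),
               ("UDP", 636), ("UDP", 500), ("UDP", 4500), ("TCP", 135)}

# Sample rebuilt from the thread's first listing, shortened (MyIP is the poster's placeholder).
SAMPLE = """\
  TCP    MyIP:2406       216.239.59.104:443    TIME_WAIT    0
  TCP    MyIP:2426       38.103.145.98:80      TIME_WAIT    0
  UDP    0.0.0.0:500     *:*                                764
  [lsass.exe]
  UDP    0.0.0.0:445     *:*                                4
  [System]
  UDP    0.0.0.0:4500    *:*                                764
  [lsass.exe]
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat_nab(text):
    """Return one dict per socket row; a [name] line labels only the row above it."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, laddr, lport, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": laddr, "port": int(lport),
                         "foreign": foreign, "state": state, "pid": int(pid),
                         "owner": None})
        elif rows and (o := OWNER.match(line)) and rows[-1]["owner"] is None:
            rows[-1]["owner"] = o.group(1)
    return rows

def review_lsass(rows):
    """Split lsass.exe rows into those matching post #4's table and those to look at."""
    expected, unexpected = [], []
    for r in rows:
        if (r["owner"] or "").lower() != "lsass.exe":
            continue
        listed = (r["proto"], r["port"]) in LSASS_PORTS or (
            r["proto"] == "TCP" and 1024 <= r["port"] <= 65535)
        # Assumption of this example: a listed port only counts as expected on a listener.
        (expected if listed and r["foreign"] in ("*:*", "0.0.0.0:0") else unexpected).append(r)
    return expected, unexpected

def unowned(rows):
    """Rows with no [name] line, such as TIME_WAIT sockets reported under PID 0."""
    return [r for r in rows if r["owner"] is None]
```

On the sample, `review_lsass` returns the UDP 500 and UDP 4500 listeners as expected and nothing else, while `unowned` returns the two `TIME_WAIT` rows.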

  5. #5
    Join Date
    Dec 2005
    Posts
    9,057

    Re: lsass.exe connecting to remote IP address

    Actually the lsass.exe running is determined in the Windows services - for many things.
    Look at blackviper.com for a service breakdown and guide:

    http://www.blackviper.com/WinXP/servicecfg.htm

    and at the official Windows guide (says server but this applies to both Windows XP Pro and HE)

    http://support.microsoft.com/kb/832017

    Nothing unusual seen in your netstat.
    Other than something not necessarily needed or required.

    Oldsod.
    Best regards.
    oldsod

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Re: lsass.exe connecting to remote IP address

    216.239.59.104 google
    38.103.145.98 AILS4.dingloo.com
    216.239.59.104 google
    92.122.126.250 a92-122-126-250.deploy.akamaitechnologies.com
    216.239.59.103 google

    AILS4.dingloo.com:

    http://www.coolwhois.com/d/ails4.dingloo.com

    falls under the host server www.colo4jax.com/ which is a content and colocation network.

    akamaitechnologies.com:

    http://en.wikipedia.org/wiki/Akamai_Technologies

    The Apache server blurb is from a web server that sends out files, not the usual web contents for the browser.

    Actually the site dingloo.com/ is not using the same servers as the AILS4.dingloo.com. dingloo.com has an IP of 70.86.9.114 and is cached on the theplanet.com cached content servers. Whereas the AILS4.dingloo.com is using the IP of 38.103.145.98 (which is part of the performance systems or just the CIDR for 38/8).

    Oldsod.
    Best regards.
    oldsod
