
breath-hyenas
User #309341   47 posts
Participant

Hey Guys,
I'm wondering if anyone can give me any decisive information on what's happening to my laptop at the mo...

I have an alert presenting on my firewall & the details are;

--------------------------------------------------------------------
Description;
An Internet user tried to access a Port 4500 (TCP) service on your computer; the connection was attempted in high firewall mode.

'LSA Shell (Export Version)' would usually have handled this traffic.

Traffic Type;
TCP traffic to port 4500

Source Computer;
74.125.5.17[could not resolve host name]

---------------------------------------------------------------------

From my research so far, I haven't been able to work out much, nothing conclusive anyways...

The IP address, goes to what "looks like" a Google page...
Please note I use "google.com.au", that's my home page, not just "google.com".
Is this page a mirrored site? Is it spoof??

Isn't "74.125.blah.blah" BigPond?

Cheeseball81 on techguy.org writes;
"LSA (Local Security Authority) is a valid process but when it shows up as LSA Shell (export version) it's a worm."

Most discussions reference the Sasser Worm...

PC HELL says this about the Sasser Worm;

Q.What is the Sasser worm?
A.The Sasser worm infects machines via network connections. It can attack entire networks of computers or one single computer connected to the Internet. The worm exploits a known Windows vulnerability that is easily patched; however, few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines along with Windows NT and Windows Server 2003.

Is it possible that BigPond have infected me & a million other users with this worm? It has happened before, a couple of years ago...major drama.

I've trawled through forum after forum online, I've called ALL the tech-heads I know & I'm still no wiser to what's going on.

Can anyone shed any further light on this for me?

Thanks in advance.

Cheers, R.K.

posted 2009-Sep-29, 1pm AEST
User #309341   47 posts
Participant

So, I ring BigPond Tech Support [who are currently experiencing several outages] & request transfer to BigPond Security...

After a short wait, my consultant Alex tells me that due to "storms", the Security Centre is unavailable...WTF?
It's a glorious day, even here in Melbourne!

And I had to ask, where are the storms?

All she says is that there are some "overseas" centres & they're currently experiencing severe weather, with "flooding up to the tops of the houses".

Vague & detailed. Impressive.

"You mean the Philippines?" I questioned further.
"Yes, our Security Centre is in the Philippines."

I already knew this, I just wanted to hear it again...

Unable to advise when the Security Centre would be contactable again, Alex has "promised" to record a note on my account stating that I called to speak with the Security Centre & that my enquiry relates to a possible worm in the network...

I'll keep calling every few hours & see if I can get through...

R.K.

posted 2009-Sep-29, 2pm AEST
User #33281   511 posts
Whirlpool Enthusiast

Rock Kitten writes...

The IP address, goes to what "looks like" a Google page...

Please note I use "google.com.au", that's my home page, not just "google.com".

Is this page a mirrored site? Is it spoof??

Isn't "74.125.blah.blah" BigPond?

http://ip-lookup.net/?ip=74.125.5.17

Comes back with it being in the US

whois on that page says – Google Inc. as the owner.

posted 2009-Sep-29, 3pm AEST
User #309341   47 posts
Participant

Thanks MiracleMuz...I appreciate your efforts.

A friend emailed me that too & I've checked it all out myself as well, but also said to be extremely wary of the traffic...

I've set all my software permissions/safe sites, including Google Updater etc. My firewall always manages to resolve the host name for Google access...

I could just be over-paranoid. The other forums really freaked me out.

R.K.

posted 2009-Sep-29, 5pm AEST
User #85007   1982 posts
Whirlpool Enthusiast

whois 74.125.5.17
[Querying whois.arin.net]
[whois.arin.net]

OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US

NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
NetName: GOOGLE
NetHandle: NET-74-125-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
NameServer: NS3.GOOGLE.COM
NameServer: NS4.GOOGLE.COM
Comment:
RegDate: 2007-03-13
Updated: 2007-05-22

OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc.
OrgTechPhone: +1-650-318-0200
OrgTechEmail:

Looks ok!

posted 2009-Sep-29, 5pm AEST
User #309341   47 posts
Participant

Cheers, tbw!

I know, it ALL looks fine...
But ALL those other sites say the LSA "(Export Version)" thing is dodgy.

I thought it might have been a Dell thing, I drive an Inspiron, but it has also occurred on an HP that I know of...still unresolved on the HP.

If I could find a "reputable" site that said the traffic was ok, I would relax...a bit.

The address might be ok. But, could that be faked? Masked?

posted 2009-Sep-29, 5pm AEST
User #309341   47 posts
Participant

Trawling & I found this on PChelpforum.com;

http://www.pchelpforum.com/fixed-hijackthis-logs/53093-lsa-shell-export-version-worm-my-pc.html

=S

posted 2009-Sep-29, 6pm AEST
User #309341   47 posts
Participant

Still trawling;

http://ask-leo.com/what_is_lsa_shell_and_why_is_it_an_export_version.html

This seems to be a reasonable explanation, as even in the U.S., users like Leo have the export version too.

*I should also add, the firewall alert was only a green/low-level alert.

However, after reviewing the links I have submitted above, what the heck does the IP address for Google.Inc have to do with LSA, an apparently legitimate Windows component??

R.K.

posted 2009-Sep-29, 6pm AEST
User #309341   47 posts
Participant

After the comments so far, thanks to those that have contributed, I was beginning to feel a bit more at ease. I was thinking about allowing the initial firewall request & thought that this paranoid episode was finally over.

So, today I have another alert on my firewall...

-------------------------------------------------------------
Severity;
Yellow

Description;
LSA Shell (Export Version) tried to access a remote HTTP service; the connection was attempted in high firewall mode.

Traffic Type;
HTTP

Target Computer;
74.125.5.17[Could not resolve host name]

-------------------------------------------------------------

I understand what LSA does, that part is all cool. I don't really understand why I have never seen these types of alerts before...I've been on the net & using Google for 10 years & have used a host of different security suites, I have never seen these before.

Back to the initial alert, for a moment...
"An Internet user" attempted to connect via TCP with my computer & my firewall identified the IP address 74.125.5.17, which appears to be Google.Inc as the originating Source? Yes?

Then today, LSA itself has tried to connect via HTTP with that same IP address? Why?

Is it checking up on me?

R.K.

Slightly Off-Topic, I had to give search.encarta.com permission to update via FTP this arvo, so my firewall is definitely very active & that makes me very happy. I'm a bit of a security freak. lol
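An added worked example (not something anyone in this thread posted): the two alerts R.K. quoted above, parsed into fields, with the remote address checked against the ARIN allocation tbw pasted earlier. The alert text and the whois fields are copied from the thread; the parsing rules and the inbound/outbound reading of "Source Computer" versus "Target Computer" are my own assumptions about this firewall's format. One caveat worth stating in code: an address falling inside Google's range only tells you who the range is registered to, it cannot tell you whether a packet's source field was forged (the "could that be faked?" question). For context, UDP 4500 is the IPsec NAT-T port, and on Windows XP the IKE code that serves it runs inside lsass.exe, which is why a firewall would name "LSA Shell" as the usual handler of port 4500 traffic.

```python
import ipaddress
import re

# Test input constructed from the thread: the two alerts R.K. pasted.
ALERT_1 = """\
Description;
An Internet user tried to access a Port 4500 (TCP) service on your computer; the connection was attempted in high firewall mode.

'LSA Shell (Export Version)' would usually have handled this traffic.

Traffic Type;
TCP traffic to port 4500

Source Computer;
74.125.5.17[could not resolve host name]
"""

ALERT_2 = """\
Severity;
Yellow

Description;
LSA Shell (Export Version) tried to access a remote HTTP service; the connection was attempted in high firewall mode.

Traffic Type;
HTTP

Target Computer;
74.125.5.17[Could not resolve host name]
"""

# The ARIN fields tbw pasted for 74.125.5.17 (abridged to what the check needs).
WHOIS_TEXT = """\
OrgName: Google Inc.
OrgID: GOGL
NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
NetName: GOOGLE
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+);$")     # 'Description;' style key lines
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_alert(text):
    """Turn the 'Key;' / value layout into a dict with lower-cased keys,
    then derive direction, remote address, port and the process named."""
    fields, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1).lower()
            fields[key] = ""
        elif key and line:
            fields[key] = (fields[key] + " " + line).strip()
    # Assumption: a 'Source Computer' means the remote side initiated
    # (inbound); a 'Target Computer' means a local process initiated (outbound).
    if "source computer" in fields:
        fields["direction"], remote = "inbound", fields["source computer"]
    elif "target computer" in fields:
        fields["direction"], remote = "outbound", fields["target computer"]
    else:
        raise ValueError("alert names neither a source nor a target computer")
    fields["remote_ip"] = ipaddress.ip_address(IP_RE.search(remote).group(0))
    # '[could not resolve host name]' means the firewall's reverse DNS failed.
    fields["reverse_dns_failed"] = "could not resolve" in remote.lower()
    port = re.search(r"port (\d+)", fields.get("traffic type", ""), re.I)
    fields["port"] = int(port.group(1)) if port else None  # None: only 'HTTP' given
    proc = re.search(r"LSA Shell \(Export Version\)", fields["description"])
    fields["process"] = proc.group(0) if proc else None
    return fields


def parse_whois(text):
    """'Key: value' lines -> dict (only the ARIN-style lines used here)."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            out[k.strip()] = v.strip()
    return out


def triage(alert, whois):
    """Return (inside_allocation, one-line summary). Being inside only says
    who the range is registered to; it cannot tell you whether the packet's
    source address was forged."""
    net = ipaddress.ip_network(whois["CIDR"])
    inside = alert["remote_ip"] in net
    port = f"/{alert['port']}" if alert["port"] else ""
    owner = f"{whois['OrgName']}, {net}" if inside else "not in the checked range"
    arrow = "from" if alert["direction"] == "inbound" else "to"
    proto = alert["traffic type"].split()[0]
    return inside, f"{alert['direction']} {proto}{port} {arrow} {alert['remote_ip']} ({owner})"


if __name__ == "__main__":
    whois = parse_whois(WHOIS_TEXT)
    for raw in (ALERT_1, ALERT_2):
        print(triage(parse_alert(raw), whois)[1])
```

Run stand-alone it prints one summary line per alert; the point of `triage` returning a tuple is so the membership result can be acted on (or asserted on) separately from the human-readable line.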

posted 2009-Oct-1, 10pm AEST
User #309341   47 posts
Participant

Is it in any way possible & I'm talking absolute worst case scenario, that the IP address was spoofed & that responding to the incoming TCP request would launch some sort of SYN flood* against Google? [Assuming I was NOT the only one who received such a request, of course!]

I only ask because I do try to stay up to date with the goings on in the cyber-community & I am aware of the recent large-scale attacks on many popular sites like Google, Facebook, Twitter etc.

I've been back through my firewall settings & I have already allowed Google Installer [GoogleUpdate.exe]...

posted 2009-Oct-1, 11pm AEST
User #218381   84 posts
Forum Regular

I would find that highly doubtful since to start a TCP connection there needs to be a three way handshake between the client and server (IIRC it goes: SYN-SENT, SYN-ACK (From Your Computer), SYN-ACK (From the server))

If say the attacker wants to attack Google in this fashion, they would send a TCP packet to you SYN-SENT. They would mask their IP with the Google IP. When your computer receives the first packet (SYN-SENT), it will send back a SYN-ACK packet, but since the Google server has no record of sending the SYN-SENT packet to your IP, it would just disregard the SYN-ACK packet

posted 2009-Oct-1, 11pm AEST
edited 2009-Oct-1, 11pm AEST
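An added example, not part of the thread, to put numbers on the scenario R.K. and the previous reply discuss: an attacker sends one TCP SYN to the home machine with the source address forged as a Google address. Three tiny hosts are modelled with RFC 793 rules (SYN answered by SYN-ACK; a segment for a connection that does not exist answered by RST). The attacker and victim addresses, the client port and the retransmit budget are assumptions for illustration; only 74.125.5.17 comes from the thread. It shows the edge case that decides whether reflection amplifies at all: when the forged source answers the unsolicited SYN-ACK with a RST the reflector stops after one packet, but when a firewall in front of that host silently drops it, the reflector keeps retransmitting. Either way, a closed or firewall-blocked port (the situation in the original alert) reflects nothing.

```python
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dst sport dport flags")

# Assumed addresses (RFC 5737 documentation ranges); only SPOOFED is from the thread.
ATTACKER = "198.51.100.7"
VICTIM = "192.0.2.10"          # the home laptop
SPOOFED = "74.125.5.17"        # forged into the SYN's source field
SYNACK_RETRIES = 5             # assumed retransmit budget for an unanswered SYN-ACK
CLIENT_PORT = 51234            # assumed source port in the forged SYN


class Host:
    def __init__(self, ip, listening=(), firewall_drops_unsolicited=False):
        self.ip = ip
        self.listening = set(listening)             # ports with a listener
        self.drop_unsolicited = firewall_drops_unsolicited
        self.half_open = {}                         # (peer, peer_port, local_port) -> retries left
        self.sent = Counter()                       # flags -> packets sent

    def _send(self, pkt, wire):
        self.sent[pkt.flags] += 1
        wire.append(pkt)

    def receive(self, pkt, wire):
        if pkt.flags == "SYN":
            if pkt.dport not in self.listening:
                return                              # closed or firewall-blocked: nothing goes back
            # LISTEN + SYN -> SYN-ACK to whatever the source field says, state SYN-RECEIVED
            self.half_open[(pkt.src, pkt.sport, pkt.dport)] = SYNACK_RETRIES
            self._send(Packet(self.ip, pkt.src, pkt.dport, pkt.sport, "SYN-ACK"), wire)
        elif pkt.flags == "SYN-ACK":
            # This host never sent a SYN, so the segment matches no connection.
            # RFC 793: answer with RST, unless a stateful firewall drops it silently.
            if not self.drop_unsolicited:
                self._send(Packet(self.ip, pkt.src, pkt.dport, pkt.sport, "RST"), wire)
        elif pkt.flags == "RST":
            # RST for a half-open connection aborts it and ends retransmission.
            self.half_open.pop((pkt.src, pkt.sport, pkt.dport), None)

    def tick(self, wire):
        """One retransmit-timer expiry for every half-open connection."""
        for key, left in list(self.half_open.items()):
            peer, peer_port, local_port = key
            if left == 0:
                del self.half_open[key]             # give up; never reached ESTABLISHED
                continue
            self.half_open[key] = left - 1
            self._send(Packet(self.ip, peer, local_port, peer_port, "SYN-ACK"), wire)


def simulate(port_open, spoofed_host_answers):
    """Return (victim_sent, spoofed_host_sent) packet counts for one forged SYN."""
    victim = Host(VICTIM, listening={4500} if port_open else ())
    google = Host(SPOOFED, firewall_drops_unsolicited=not spoofed_host_answers)
    hosts = {VICTIM: victim, SPOOFED: google}
    # The attacker's only contribution: one SYN whose source field says SPOOFED.
    wire = [Packet(SPOOFED, VICTIM, CLIENT_PORT, 4500, "SYN")]

    def drain():
        while wire:
            pkt = wire.pop(0)
            hosts[pkt.dst].receive(pkt, wire)       # ATTACKER never receives anything

    drain()
    for _ in range(SYNACK_RETRIES + 1):
        victim.tick(wire)
        drain()
    return dict(victim.sent), dict(google.sent)


if __name__ == "__main__":
    for label, args in (("port blocked", (False, True)),
                        ("port open, target answers RST", (True, True)),
                        ("port open, target drops it", (True, False))):
        print(f"{label}: victim sent {args and simulate(*args)[0]}, "
              f"spoofed host sent {simulate(*args)[1]}")
```

The reflector sends at most 1 + SYNACK_RETRIES packets per forged SYN, and only when it is actually listening on the targeted port; that bounds the "worst case" R.K. asked about for a single home machine.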