-
November 23rd, 2004, 11:58 PM
#1
Member
netstat -aon
Running netstat -aon
Summary
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 696
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 476
I have lsass.exe starting at 1025 all the time; does that seem normal... I do know what lsass is...
Another thing: when I look at the task manager I can't see any of the users that started the processes except for the System Idle Process.
And usually if you look at the Users tab in the task manager you should see the user you are logged in as there. I don't see any entries...
I'm not sure if all these are related, since lsass deals with verifying the user logon on the PC.
Thanks in advance
By the way "Security task manager" seems like a nice tool
-
November 24th, 2004, 12:16 AM
#2
isass - isass.exe - Process Information
Process File: isass or isass.exe
Process Name: Optix.Pro virus
Description:
isass.exe is registered as the Optix.Pro virus which carries in its payload the ability to disable firewalls and local security protections, and a backdoor capability.
For More Detailed Process Information Get WinTasks 5 Pro
Author: n/a
Part Of: Optix.Pro virus
System Process: No
Background Process: No
Uses Network: No
Hardware Related: No
Common Errors: N/A
Security Risk (0-5): 4
Virus: No ( Remove )
Spyware: No ( Remove )
Trojan: Yes ( Remove )
Remove/Block Process: Use WinTasks
it's a virus, update your AV, boot into safe mode and do a deep system scan...
http://www.liutilities.com/products/...library/isass/
edit: my bad, Issas and lssas look kinda the same
-
November 24th, 2004, 12:19 AM
#3
Member
Thanks for the response, Copyright, but the process I'm talking about is LSASS.exe, "Local Security Authentication Server".
-
November 24th, 2004, 12:31 AM
#4
I thought that port 135 was indicative of the messenger process (not MSN but Messenger service)? And I believe Scheduler does things on 1025? But I could be mistaken... lack of sleep and all that..
Both of those would be started by the System itself (hence the reason why you wouldn't see any users)
-
November 24th, 2004, 01:49 AM
#5
Port 135 is RPC
Port 1025 is the Scheduler service
LSASS is the local security authentication service
All are normal W32 processes.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
November 24th, 2004, 02:34 AM
#6
Member
Sorry if I'm not explaining right, let me try and clarify.
I know that 135 is RPC; however, the process that is listening on port 1025 has PID 476, and when I check the task manager LSASS has PID 476. Now when you usually open the task manager you see the user column and the different processes that are running. The user column, which usually shows LOCAL SERVICE, NETWORK SERVICE, ADMINISTRATOR, "whatever you are logged in as", SYSTEM, is empty; the only one shown is the System Idle Process with the user SYSTEM, which is normal. And the Users tab is empty as well.
Sorry if this seems vague again.
-
November 24th, 2004, 03:58 AM
#7
The bloody Little L and the Capital I problem.
Has anyone bothered to do a Google search on these services?
You would have found this first
http://www.liutilities.com/products/...library/lsass/
http://www.neuber.com/taskmanager/pr...lsass.exe.html
The lsass.exe file is located in the c:\windows\System32 folder. In other cases, lsass.exe is a virus, spyware, trojan or worm!
So where is the file executing from?
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
November 24th, 2004, 04:22 AM
#8
Member
Und3ertak3r, I have already seen these two links; if you notice, in my first post I pointed out the Security Task Manager tool. What I was wondering about is the fact that LSASS.exe is listening on port 1025, and if that is normal.
Again, if anyone can point out why they think I can't see anything in the user column of the task manager, thanks.
-
November 24th, 2004, 07:51 AM
#9
Junior Member
Cheers
There is nothing to worry about with port 1025. If you are concerned with Sasser, it uses TCP ports 445, 9996, 5554.
Is that what you meant?
-Siddhs
-
November 24th, 2004, 09:04 AM
#10
Hi
Actually, I am a bit wondering why lsass is listening on
port 135 (RpcSs) and 1025 (Scheduler). Shouldn't this be
the svchost.exe[1]? Svchost.exe checks at startup services
which it must load. Svchost is thus a generic host process name.
The services running under svchost can be checked using
Crosscheck the given PIDs there (and given services) with the PID/Port
obtained by
Code:
rem get listening ports
netstat -ano
rem get listening service (based on your dump)
tasklist | findstr 696
tasklist | findstr 476
Comparing with the output of "tasklist /SVC" you should see that PID 696
corresponds to svchost.exe (RpcSs) and 476 to a couple of services, like
Dhcp, ..., Schedule, ... running under svchost.exe.
Lsass.exe should listen to Port 500 only, on a "virginal" system.
Cheers
[1] http://support.microsoft.com/kb/314056/EN-US/
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
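The cross-check described in post #10, combined with the lowercase-L versus capital-I confusion from posts #2 and #7, as an added example that is not part of any post in this thread. It assumes the process list was saved with `tasklist /SVC /FO CSV`; the first two netstat rows are the ones quoted in post #1, and every other sample row is constructed for illustration.

```python
import csv
import io

# Constructed sample input. Rows for ports 135 and 1025 come from post #1;
# the other netstat rows and all tasklist rows are made up.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       696
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       476
  TCP    0.0.0.0:31000          0.0.0.0:0              LISTENING       1234
  UDP    0.0.0.0:500            *:*                                    476
"""
TASKLIST_CSV = '''"Image Name","PID","Services"
"lsass.exe","476","PolicyAgent,ProtectedStorage,SamSs"
"svchost.exe","696","RpcSs"
"isass.exe","1234","N/A"
'''

def parse_listeners(text):
    """Return [(proto, port, pid)] for TCP LISTENING rows and bound UDP rows."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            out.append((f[0], int(f[1].rsplit(":", 1)[1]), int(f[4])))
        elif len(f) == 4 and f[0] == "UDP":  # UDP rows have no State column
            out.append((f[0], int(f[1].rsplit(":", 1)[1]), int(f[3])))
    return out

def parse_tasklist(text):
    """Map PID -> (image name, [services]) from CSV-formatted tasklist output."""
    rows = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): (r["Image Name"], r["Services"].split(",")) for r in rows}

def lookalike_of_lsass(image):
    """True for names that read as lsass.exe once i, l and 1 are folded together."""
    fold = lambda s: s.lower().replace("i", "l").replace("1", "l")
    return image.lower() != "lsass.exe" and fold(image) == fold("lsass.exe")

def correlate(netstat_text, tasklist_text):
    """Join listeners to processes: (proto, port, pid, image, services, lookalike)."""
    procs = parse_tasklist(tasklist_text)
    report = []
    for proto, port, pid in parse_listeners(netstat_text):
        image, services = procs.get(pid, ("<unknown>", []))
        report.append((proto, port, pid, image, services, lookalike_of_lsass(image)))
    return report

if __name__ == "__main__":
    for row in correlate(NETSTAT, TASKLIST_CSV):
        print(row)
```

A name match alone does not settle the question raised in post #7; the executable's path still has to be checked separately.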