prisoner.iana.org

From: Diver8 (diver_8_iamat_private)
Date: Sun Sep 08 2002 - 07:28:04 PDT

    Hi -
    
    I've started noticing an entry in the event log on one
    of my Windows XP workstations.  I've tried finding
    information regarding this on Google (have seen others
    with the problem, but no answers) & have also
    contacted IANA (but have yet to hear anything from
    them).
    
    The box is trying to make DNS requests to
    'prisoner.iana.org'.  This is what I see in the event
    log:
    
    =========================
    Source:  LSASRV
    Category:  SPNEGO (Negotiator)
    
    The Security System could not establish a secured
    connection with the server DNS/prisoner.iana.org.  No
    authentication protocol was available.
    
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    =========================
    
    Ipconfig on the box looks like this:
    
    Windows IP Configuration
    
            Host Name . . . . . . . . . . . . : foo
            Primary Dns Suffix  . . . . . . . : foo.local
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
            DNS Suffix Search List. . . . . . : foo.local
    
    Ethernet adapter Local Area Connection:
    
            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
            Physical Address. . . . . . . . . : 02-01-76-DE-2A-AD
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 192.168.0.204
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.0.1
            DHCP Server . . . . . . . . . . . : 192.168.0.3
            DNS Servers . . . . . . . . . . . : 192.168.0.3
            Lease Obtained. . . . . . . . . . : Sunday, September 08, 2002 10:01:05 AM
            Lease Expires . . . . . . . . . . : Sunday, September 08, 2002 1:01:05 PM
    
    So far as I know, the LsaSrv process that is
    generating the error is tied to the protected storage
    service.  This is the service that stores personal
    passwords, etc. on the Windows machine.  Why would this
    need to query an outside DNS server??
    
    Just curious if anyone knows what this is - trojan?
    spyware? simple Microsoft bloat?  I've blackholed
    prisoner.iana.org (via lmhosts) on the local machine &
    have also blocked it on my firewall until I can figure
    out what this is.
    
    Thanks!
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 12:16:03 PDT