Hi - I've started noticing an entry in the event log on one of my Windows XP workstations. I've tried finding information regarding this on Google (have seen others with the problem, but no answers) & have also contacted IANA (but have yet to hear anything from them). The box is trying to make DNS requests to 'prisoner.iana.org'. This is what I see in the event log:

=========================
Source: LSASRV
Category: SPNEGO (Negotiator)

The Security System could not establish a secured connection with the server DNS/prisoner.iana.org. No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
=========================

Ipconfig on the box looks like this:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : foo
        Primary Dns Suffix . . . . . . . : foo.local
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : foo.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
        Physical Address. . . . . . . . . : 02-01-76-DE-2A-AD
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.204
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.3
        DNS Servers . . . . . . . . . . . : 192.168.0.3
        Lease Obtained. . . . . . . . . . : Sunday, September 08, 2002 10:01:05 AM
        Lease Expires . . . . . . . . . . : Sunday, September 08, 2002 1:01:05 PM

So far as I know, the LsaSrv process that is generating the error is tied to the protected storage service. This is the service that stores personal passwords, etc. on the Windows machine. Why would this need to query an outside DNS server??
Just curious if anyone knows what this is - trojan? spyware? simple Microsoft bloat? I've blackholed prisoner.iana.org (via lmhosts) on the local machine & have also blocked it on my firewall until I can figure out what this is.

Thanks!
This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 12:16:03 PDT