Security Incidents mailing list archives

RE: prisoner.iana.org


From: "Carey, Steve T ISD" <steve.carey () redstone army mil>
Date: Mon, 9 Sep 2002 15:59:16 -0500

It is a Microsoft default for a misconfigured desktop on DHCP.  The DNS server
information was placed in manually and there the DNS Server is a 'bogus' host.
When the DHCP server tries to resolve the DNS Server, it will use
prisoner.iana.org instead.

Steve Carey

-----Original Message-----
From: Diver8 [mailto:diver_8_iam () yahoo com]
Sent: Sunday, September 08, 2002 9:28 AM
To: incidents () securityfocus com
Subject: prisoner.iana.org


Hi -

I've started noticing an entry in the event log on one
of my Windows XP workstations.  I've tried finding
information regarding this on Google (have seen others
with the problem, but no answers) & have also
contacted IANA (but have yet to hear anything from
them).

The box is trying to make DNS requests to
'prisoner.iana.org'.  This is what I see in the event
log:

=========================
Source:  LSASRV
Category:  SPNEGO (Negotiator)

The Security System could not establish a secured
connection with the server DNS/prisoner.iana.org.  No
authentication protocol was available.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
=========================

Ipconfig on the box looks like this:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : foo
        Primary Dns Suffix  . . . . . . . : foo.local
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : foo.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
        Physical Address. . . . . . . . . : 02-01-76-DE-2A-AD
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.204
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.3
        DNS Servers . . . . . . . . . . . : 192.168.0.3
        Lease Obtained. . . . . . . . . . : Sunday, September 08, 2002 10:01:05 AM
        Lease Expires . . . . . . . . . . : Sunday, September 08, 2002 1:01:05 PM

So far as I know, the LsaSrv process that is
generating the error is tied to the protected storage
service.  This is the service that stores personal
passwords, etc. on the Windows machine.  Why would this
need to query an outside DNS server??

Just curious if anyone knows what this is - trojan?
spyware? simple Microsoft bloat?  I've blackholed
prisoner.iana.org (via lmhosts) on the local machine &
have also blocked it on my firewall until I can figure
out what this is.

Thanks!

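
As an added triage helper (not part of the thread, and not anyone's posted code), the Python below parses the LSASRV/SPNEGO event text and ipconfig output in the shape shown above and flags the pattern Steve describes. It relies on the fact that prisoner.iana.org is one of IANA's blackhole servers, which are authoritative for the reverse (in-addr.arpa) zones of RFC 1918 space, so a private-address Windows client whose DNS setup is wrong ends up directing its DNS dynamic-update attempt there; the sample inputs are constructed and the verdict strings are this example's own.

```python
import ipaddress
import re
# Constructed sample in the shape of the thread's event text and ipconfig lines.
EVENT_TEXT = ("The Security System could not establish a secured connection "
              "with the server DNS/prisoner.iana.org. No authentication protocol was available.")
IPCONFIG_TEXT = """\
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.204
        DNS Servers . . . . . . . . . . . : 192.168.0.3
"""
# IANA blackhole servers, authoritative for the reverse zones of RFC 1918 space.
BLACKHOLE_HOSTS = {"prisoner.iana.org", "blackhole-1.iana.org", "blackhole-2.iana.org"}
# 'Name . . . : value' lines; requiring the dotted leader skips adapter headings.
FIELD_RE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z -]*?)[ .]*\.[ .]*:\s*(?P<value>.*)$")


def parse_ipconfig(text):
    """{field: value} for the adapter; only the first line of a multi-value field is kept."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("name").strip() not in fields:
            fields[m.group("name").strip()] = m.group("value").strip()
    return fields


def spnego_target(event_text):
    """Host part of the 'DNS/<host>' service name in the LSASRV/SPNEGO event."""
    m = re.search(r"DNS/([\w-]+(?:\.[\w-]+)*)", event_text)
    return m.group(1).lower() if m else None


def _is_private(addr):
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:          # blank or malformed field
        return False


def triage(event_text, ipconfig_text):
    """Return (verdict, reasons) for one SPNEGO event plus the host's ipconfig."""
    cfg = parse_ipconfig(ipconfig_text)
    target = spnego_target(event_text)
    reasons = []
    if target in BLACKHOLE_HOSTS:
        reasons.append(f"SPNEGO target {target} is an IANA blackhole server, not a domain DNS server")
    if _is_private(cfg.get("IP Address", "")):
        reasons.append("client address is RFC 1918; the blackhole servers hold its reverse zone")
    if cfg.get("Dhcp Enabled") == "Yes" and _is_private(cfg.get("DNS Servers", "")):
        reasons.append(f"DHCP-assigned DNS server {cfg['DNS Servers']} is a LAN host; check it serves the client's zone")
    verdict = "windows-dns-misconfig" if target in BLACKHOLE_HOSTS else "investigate"
    return verdict, reasons
```

Feed it the full ipconfig dump and the event text; a verdict of "investigate" means the SPNEGO target is not a known blackhole host and the event deserves a closer look.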

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
