REBOOTS - NT AUTHORITY LSASS

[lpM]

2000 SERVER HAS BEEN REBOOTING FOR PAST FOUR DAYS AND NOW
IS REBOOTING ALL THE TIME WITH THE ERROR:
SYSTEM IS SHUTTING DOWN DUE TO NT AUTHORITY ERORR SERVICE
LSASS.EXE CODE 128.

ANYONE NO WHY THIS IS HAPPENING AND HOW TO RESOLVE?

THANK YOU....

 

[Chuck]

2000 SERVER HAS BEEN REBOOTING FOR PAST FOUR DAYS AND NOW
IS REBOOTING ALL THE TIME WITH THE ERROR:
SYSTEM IS SHUTTING DOWN DUE TO NT AUTHORITY ERORR SERVICE
LSASS.EXE CODE 128.

ANYONE NO WHY THIS IS HAPPENING AND HOW TO RESOLVE?

THANK YOU....

Is it current on its updates? There are reports of malware exploiting the LSASS
exploit recently discovered.
http://securityresponse.symantec.com/avcenter/security/Content/10108.html
http://isc.sans.org/diary.php?date=2004-04-25
http://isc.sans.org/diary.php?date=2004-04-26

I would start by disconnecting it from the network.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[Cindy]

I have been having computer problems the past
few days. It only happens when I am hooked up to my router and cable
modem at home. I ran all day at work (well until I had to leave to
get my crown in) today and yesterday with no problem. I assume work
has a much better firewall than is present in my router. Well it
appears theres yet another security leak in windows. BIG SUPRISE
(big eyeroll here). After 2 days of searching I found that I needed
an update. I applied and everything appears ok now. Before I
couldn't be on more than 20 minutes and have the computer shut down
with this message:



System Shutdown This system is shutting down. Please save
all work in progress and log off. Any unsaved changes will
be lost. This shutdown was initiated by \

Time before shutdown: 00:00:59

Message

The system process 'C:\WINNT\System32\Lsass.exe'
terminated unexpectedly with status code 128. The system
will now shut down and restart



This update from microsoft appears to have fixed it:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Heres some info on it:

http://www.eeye.com/html/Research/Advisories/AD20040413C.html
http://isc.sans.org/diary.php?date=2004-04-26

I would advise anyone running windows to go to the first link to get
the appropriate fix. It appears someone out there is taking
advantage of this security leak and trying to gain control of random
pcs.

Cindy

 

[Mike Perry]

Both of you, the original poster and the one who replied to them, need to
get an anti-virus program installed and up to date. You can obtain a
consistent connection by changing the setting for the failed service which
is currently set to shutdown the computer after the third failure, see your
event log to discover which service it is, I do not recall - that will keep
you online long enough to get your anti-virus stuff up to date although it
will be sluggish.

Then scan the disk(s) and remove the virus that is causing this behavior and
then reset the service to the original setting.

The person that replied first to the original poster is correct, there is
indeed "another" security issue that needs to be fixed or replaced and it is
the person in front of the screen that allowed a virus on their
computer/network in the first place as it is their job to be vigilant in
maintaining a secure system/network, not Microsoft's.

Mike