Security questions, Persistent Port Forwarding 'msmsgs' en..

cris

May 13, 2004
Archived from groups: microsoft.public.broadbandnet.hardware

I have a MN-500 which apparently has the latest updates:

Current Base Station Firmware Version
Version: V1.11.017
Date: 10-03-2003

Recently, I noticed the persistent port-forwarding has
SEVERAL entries that I didn't create. They're all of the
form:

msmsgs (192.168.2.30:x) y UDP

How are they getting into my router if I'm not setting
them? If Microsoft does this behind my back, why am I not
informed?

Are there any known/published security holes in the MN-500
router? Today, it seems that the firewall was deactivated,
even though it said it wasn't. I was able to activate a
P2P client, without enabling any port-forwarding. Once I
logged into the router to see if the firewall was
activated, and checked the settings for port-forwarding,
my P2P client stopped working, complaining of a disconnect.

I have changed my password in the past, and change it
usually once every few months. I have enabled MAC
filtering on the LAN side for almost a year.

My ISP is pretty rotten, but we don't have many choices
for cable-modem access in Montreal. I get HUNDREDS of
entries per day in my log of the following type:

2004/05/13 09:16:22 Connection attempt to base station
from WAN blocked -- src:<24.203.x.y:z> dst:<24.203.a.b:c>

I suspect these are probes from worms (sasser, phatbot,
whatever) and are somewhat normal, given the chaos caused
by the exploitation of unpatched security holes in
Windows.

I'm trying to find out what holes my router has. Thanks,

Cris
 
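The "Connection attempt to base station from WAN blocked" lines in the post above are worth triaging rather than eyeballing: a worm sweep looks like many sources hitting one port, while a deliberate scan of this host looks like one source walking many ports. The block below is an added example, not code from the thread or from the MN-500; it parses lines in the format the post shows and separates those two patterns. The addresses, ports and thresholds in it are constructed (the post masks its own), and the ISP range used for the "same ISP" share is an assumption.

```python
"""Triage of MN-500 'Connection attempt ... blocked' log lines.

Added example, not part of the original thread. The line format is copied
from the post; SAMPLE_LOG is constructed here (the post masks addresses and
ports) and the thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

BLOCKED_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Connection attempt to base station from WAN blocked -- "
    r"src:<(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)> "
    r"dst:<(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+)>$"
)

# Constructed sample: several hosts on the same ISP range hitting one port
# (worm-style horizontal sweep on 445), one host walking several ports
# (vertical scan), and one unrelated line the parser must skip.
SAMPLE_LOG = """\
2004/05/13 09:16:22 Connection attempt to base station from WAN blocked -- src:<24.203.17.40:3012> dst:<24.203.9.77:445>
2004/05/13 09:16:25 Connection attempt to base station from WAN blocked -- src:<24.203.201.8:1167> dst:<24.203.9.77:445>
2004/05/13 09:16:31 Connection attempt to base station from WAN blocked -- src:<24.203.88.119:4421> dst:<24.203.9.77:445>
2004/05/13 09:17:02 Connection attempt to base station from WAN blocked -- src:<65.93.140.5:2044> dst:<24.203.9.77:445>
2004/05/13 09:17:40 Connection attempt to base station from WAN blocked -- src:<24.203.17.40:3013> dst:<24.203.9.77:135>
2004/05/13 09:18:01 Connection attempt to base station from WAN blocked -- src:<142.169.3.9:1025> dst:<24.203.9.77:21>
2004/05/13 09:18:01 Connection attempt to base station from WAN blocked -- src:<142.169.3.9:1026> dst:<24.203.9.77:22>
2004/05/13 09:18:02 Connection attempt to base station from WAN blocked -- src:<142.169.3.9:1027> dst:<24.203.9.77:23>
2004/05/13 09:18:02 Connection attempt to base station from WAN blocked -- src:<142.169.3.9:1028> dst:<24.203.9.77:80>
2004/05/13 09:18:03 Connection attempt to base station from WAN blocked -- src:<142.169.3.9:1029> dst:<24.203.9.77:139>
2004/05/13 09:20:00 (constructed line of another type; the parser skips it)
"""


def parse_blocked(text):
    """Return one dict per matching line; lines of other types are skipped."""
    events = []
    for line in text.splitlines():
        m = BLOCKED_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["src_port"] = int(d["src_port"])
        d["dst_port"] = int(d["dst_port"])
        events.append(d)
    return events


def triage(events, isp_net="24.203.0.0/16", vertical_threshold=4):
    """Summarise blocked probes.

    top_ports: destination ports by hit count; a worm sweep shows one port
      dominating across many distinct sources.
    vertical_scanners: sources that touched >= vertical_threshold distinct
      ports, i.e. something probing this host on purpose rather than a worm.
    same_isp_share: fraction of hits from isp_net (assumed to be the range
      the router's WAN address sits in), i.e. infected neighbours.
    """
    net = ip_network(isp_net)
    by_port = Counter(e["dst_port"] for e in events)
    ports_per_src = defaultdict(set)
    for e in events:
        ports_per_src[e["src_ip"]].add(e["dst_port"])
    vertical = sorted(s for s, p in ports_per_src.items() if len(p) >= vertical_threshold)
    same_isp = sum(1 for e in events if ip_address(e["src_ip"]) in net)
    return {
        "total": len(events),
        "distinct_sources": len(ports_per_src),
        "top_ports": by_port.most_common(3),
        "vertical_scanners": vertical,
        "same_isp_share": round(same_isp / len(events), 2) if events else 0.0,
    }


if __name__ == "__main__":
    for key, value in triage(parse_blocked(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample the summary shows 445 on top with four distinct sources, one vertical scanner, and 40% of hits from the ISP's own range; the first pattern is background noise, the second is the one worth a second look.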

cris

May 13, 2004

More info about these entries -- I reset my MN-500 and saw
that the msmsgs entries got re-added by my XP machine.
Here's the evidence -- it happens even before the time is
sync'ed (hence the 1970 date):

1970/01/01 00:00:33 AddPortMapping: ExternalPort:13785,
UDP, InternalPort:7043, InternalClient:192.168.2.x
1970/01/01 00:00:33 AddPortMapping: ExternalPort:45535,
TCP, InternalPort:7431, InternalClient:192.168.2.x

The 'x' above is my windows XP machine, physically
connected via rj45 to the MN-500. I performed the reset
from a machine over wireless (different machine).

After inspecting the persistent port-forwarding tables,
indeed the two entries above were added and enabled. This
is very disturbing behavior, given that the security
(password) of my router is being compromised (back-door).
I saw that someone else has pointed out this hole in other
postings, even for Linksys routers:

http://groups.google.ca/groups?hl=en&lr=&safe=off&q=broadband+port+forwarding+msmsgs

It appears that if MS Messenger is set to automatically
logon, it will create those port forwards automatically
via UPnP (how this can't be exploited by a trojan or
virus, time will tell). I personally don't use it, and
that's why I'm shocked that these forwardings were
happening automatically.

I'm going to disable auto-logon of MS Messenger on the
offending XP machine and see if the problem goes away.

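The AddPortMapping entries in the log above are the router's record of a UPnP Internet Gateway Device request from the XP machine. The block below is an added example, not code from the post, from Windows Messenger or from the MN-500 firmware: it builds the SOAP request a LAN client sends for the WANIPConnection AddPortMapping action, parses it as a gateway would, and renders the log line in the format shown above. The action and argument names are the standard IGD ones; the control URL, the gateway address, the timestamp and the description string (modelled on the "msmsgs (...)" table entries in the first post) are assumptions.

```python
"""UPnP IGD AddPortMapping: the request behind the post's log entries.

Added example; not code from the post, from Windows Messenger or from the
MN-500 firmware. Action and argument names are the standard IGD
WANIPConnection ones; CONTROL_URL, the gateway address, the timestamp and
the description string are assumptions.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
CONTROL_URL = "/upnp/control/WANIPConn1"  # assumed; a real client reads it from the device description


@dataclass(frozen=True)
class PortMapping:
    external_port: int
    protocol: str           # "TCP" or "UDP"
    internal_port: int
    internal_client: str    # LAN address the traffic is forwarded to
    description: str = ""
    lease_seconds: int = 0  # 0 = no expiry, which the MN-500 UI lists as "persistent"


def build_add_port_mapping(m: PortMapping, gateway="192.168.2.1"):
    """Client side: return (headers, body) of the HTTP POST to CONTROL_URL.

    Nothing in the request identifies or authenticates the caller: no router
    password, no token, no challenge. Any process on the LAN can send it.
    """
    ET.register_namespace("s", SOAP_ENV)
    ET.register_namespace("u", SERVICE)
    env = ET.Element(
        f"{{{SOAP_ENV}}}Envelope",
        {f"{{{SOAP_ENV}}}encodingStyle": "http://schemas.xmlsoap.org/soap/encoding/"},
    )
    action = ET.SubElement(ET.SubElement(env, f"{{{SOAP_ENV}}}Body"),
                           f"{{{SERVICE}}}AddPortMapping")
    for tag, value in (
        ("NewRemoteHost", ""),                  # empty = any WAN source
        ("NewExternalPort", m.external_port),
        ("NewProtocol", m.protocol),
        ("NewInternalPort", m.internal_port),
        ("NewInternalClient", m.internal_client),
        ("NewEnabled", 1),
        ("NewPortMappingDescription", m.description),
        ("NewLeaseDuration", m.lease_seconds),
    ):
        ET.SubElement(action, tag).text = str(value)
    body = ET.tostring(env, encoding="unicode")
    headers = {
        "HOST": gateway,
        "CONTENT-TYPE": 'text/xml; charset="utf-8"',
        "SOAPACTION": f'"{SERVICE}#AddPortMapping"',
        "CONTENT-LENGTH": str(len(body.encode("utf-8"))),
    }
    return headers, body


def parse_add_port_mapping(body: str) -> PortMapping:
    """Gateway side: extract the mapping from the SOAP body."""
    action = ET.fromstring(body).find(f".//{{{SERVICE}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")

    def arg(name):
        return (action.findtext(name) or "").strip()

    return PortMapping(
        external_port=int(arg("NewExternalPort")),
        protocol=arg("NewProtocol").upper(),
        internal_port=int(arg("NewInternalPort")),
        internal_client=arg("NewInternalClient"),
        description=arg("NewPortMappingDescription"),
        lease_seconds=int(arg("NewLeaseDuration") or 0),
    )


def log_line(ts: str, m: PortMapping) -> str:
    """Render the mapping the way the MN-500 log in the post prints it."""
    return (f"{ts} AddPortMapping: ExternalPort:{m.external_port}, {m.protocol}, "
            f"InternalPort:{m.internal_port}, InternalClient:{m.internal_client}")


# Port values from the post's log; the client address and the description
# (modelled on the 'msmsgs (...)' table entries in the first post) are assumed.
MESSENGER_MAPPING = PortMapping(13785, "UDP", 7043, "192.168.2.30",
                                "msmsgs (192.168.2.30:7043) 13785 UDP")

if __name__ == "__main__":
    hdrs, xml_body = build_add_port_mapping(MESSENGER_MAPPING)
    print(f"POST {CONTROL_URL} HTTP/1.1")
    for k, v in hdrs.items():
        print(f"{k}: {v}")
    print()
    print(xml_body)
    print()
    print(log_line("1970/01/01 00:00:33", parse_add_port_mapping(xml_body)))
```

The point to take from the request is what it does not contain: the router's admin password plays no part, so rotating it does nothing against this. The mapping is opened by whatever on the LAN speaks UPnP, and the controls are on that side (stop the program issuing the request, or turn UPnP off on the gateway if its firmware exposes the setting).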
 
Guest

Cris,

Yes, this happens to me as well. I just go to my WinXP
firewall settings and delete the entries. They arise
from Microsoft Messenger (that cute little teal icon that
is a pain to delete from the taskbar.) It apparently is
an "added feature" of Microsoft Messenger from recent
updates.

I wouldn't call it a security question so much as a
nuisance avoidance question. As long as your Messenger
is not active, those UDP ports will not be operative.

The solution if you're really upset - which apparently you
seem to be - is to shut down Messenger completely. Easier
said than done, since a number of processes are
programmed to "utilize" it.

Good luck!


 
Guest

Install Windows Messenger 5. It will not create all those persistent port forwards.

--
Jason Tsang - Microsoft MVP

Find out about the MS MVP Program -
http://mvp.support.microsoft.com/default.aspx

"Cris" <fuhrman8or@yahoo.com> wrote in message
news:ca2701c43906$ad5c9790$a101280a@phx.gbl...