Security questions, Persistent Port Forwarding 'msmsgs' en..

Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

I have a MN-500 which apparently has the latest updates:

Current Base Station Firmware Version
Version: V1.11.017
Date: 10-03-2003

Recently, I noticed the persistent port-forwarding has
SEVERAL entries that I didn't create. They're all of the
form:

msmsgs (192.168.2.30:x) y UDP

How are they getting into my router if I'm not setting
them? If Microsoft does this behind my back, why am I not
informed?

Are there any known/published security holes in the MN-500
router? Today, it seems that the firewall was deactivated,
even though it said it wasn't. I was able to activate a
P2P client, without enabling any port-forwarding. Once I
logged into the router to see if the firewall was
activated, and checked the settings for port-forwarding,
my P2P client stopped working, complaining of a disconnect.

I have changed my password in the past, and change it
usually once every few months. I have enabled MAC
filtering on the LAN side for almost a year.

My ISP is pretty rotten, but we don't have many choices
for cable-modem access in Montreal. I get HUNDREDS of
entries per day in my log of the following type:

2004/05/13 09:16:22 Connection attempt to base station
from WAN blocked -- src:<24.203.x.y:z> dst:<24.203.a.b:c>

I suspect these are probes from worms (sasser, phatbot,
whatever) and are somewhat normal, given the chaos caused
by the exploitation of unpatched security holes in
Windows.

I'm trying to find out what holes my router has. Thanks,

Cris
  1. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    More info about these entries -- I reset my MN-500 and saw
    that the msmsgs entries got re-added by my XP machine.
    Here's the evidence -- it happens even before the time is
    sync'ed (hence the 1970 date):

    1970/01/01 00:00:33 AddPortMapping: ExternalPort:13785,
    UDP, InternalPort:7043, InternalClient:192.168.2.x
    1970/01/01 00:00:33 AddPortMapping: ExternalPort:45535,
    TCP, InternalPort:7431, InternalClient:192.168.2.x

    The 'x' above is my Windows XP machine, physically
    connected via RJ45 to the MN-500. I performed the reset
    from a machine over wireless (different machine).

    After inspecting the persistent port-forwarding tables,
    indeed the two entries above were added and enabled. This
    is very disturbing behavior, given that the security
    (password) of my router is being compromised (back-door).
    I saw that someone else has pointed out this hole in other
    postings, even for Linksys routers:

    http://groups.google.ca/groups?hl=en&lr=&safe=off&q=broadband+port+forwarding+msmsgs

    It appears that if MS Messenger is set to automatically
    logon, it will create those port forwards automatically
    via UPnP (how this can't be exploited by a trojan or
    virus, time will tell). I personally don't use it, and
    that's why I'm shocked that these forwardings were
    happening automatically.

    I'm going to disable auto-logon of MS Messenger on the
    offending XP machine and see if the problem goes away.

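An added example, not part of the original posts: a Python script that audits `AddPortMapping` entries in the router log format quoted above, rejoining hard-wrapped lines and listing forwards requested for hosts that are not on an approved list. The sample log, the addresses in it and the `approved_clients` set are constructed for illustration.

```python
import re
from collections import Counter

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
# Entry layout taken from the AddPortMapping lines quoted in the post.
MAPPING_RE = re.compile(
    rf"^(?P<ts>{TS}) AddPortMapping: ExternalPort:(?P<ext>\d+), "
    r"(?P<proto>TCP|UDP), InternalPort:(?P<int>\d+), "
    r"InternalClient:(?P<client>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample log (invented addresses), hard-wrapped like the quoted one.
SAMPLE_LOG = """\
1970/01/01 00:00:33 AddPortMapping: ExternalPort:13785,
UDP, InternalPort:7043, InternalClient:192.168.2.30
1970/01/01 00:00:33 AddPortMapping: ExternalPort:45535,
TCP, InternalPort:7431, InternalClient:192.168.2.30
2004/05/13 09:16:22 Connection attempt to base station
from WAN blocked -- src:<203.0.113.5:1024> dst:<198.51.100.7:445>
2004/05/13 10:02:10 AddPortMapping: ExternalPort:6881,
TCP, InternalPort:6881, InternalClient:192.168.2.44
"""

def unwrap(log):
    """Rejoin wrapped entries: a line with no leading timestamp continues the previous one."""
    entries = []
    for line in (l.strip() for l in log.splitlines()):
        if not line:
            continue
        if re.match(TS, line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse_mappings(log):
    """Return one dict per UPnP port mapping found in the log."""
    found = (MAPPING_RE.match(e) for e in unwrap(log))
    return [{"time": m["ts"], "proto": m["proto"], "client": m["client"],
             "external_port": int(m["ext"]), "internal_port": int(m["int"]),
             # A 1970 timestamp means the mapping arrived before clock sync.
             "before_time_sync": m["ts"].startswith("1970/")}
            for m in found if m]

def audit(mappings, approved_clients):
    """Mappings requested for LAN hosts that were never approved to open forwards."""
    return [m for m in mappings if m["client"] not in approved_clients]

def per_client(mappings):
    """Count of mappings per internal client, to spot the host creating them."""
    return Counter(m["client"] for m in mappings)
```

Run it against an exported router log and pass the set of LAN addresses you expect to request forwards; anything returned by `audit` is a mapping to investigate or a reason to turn UPnP off on the router.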
  2. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    Cris,

    Yes, this happens to me as well. I just go to my WinXP
    firewall settings and delete the entries. They arise
    from Microsoft Messenger (that cute little teal icon that
    is a pain to delete from the taskbar.) It apparently is
    an "added feature" of Microsoft Messenger from recent
    updates.

    I wouldn't call it a security question so much as a
    nuisance avoidance question. As long as your Messenger
    is not active, those UDP ports will not be operative.

    The solution if you're really upset - which apparently you
    seem to be - is to shut down Messenger completely. Easier
    said than done, since a number of processes are
    programmed to "utilize" it.

    Good luck!


  3. Archived from groups: microsoft.public.broadbandnet.hardware (More info?)

    Install Windows Messenger 5. It will not create all those persistent port
    forwards.

    --
    Jason Tsang - Microsoft MVP

    Find out about the MS MVP Program -
    http://mvp.support.microsoft.com/default.aspx
