Win.MSFP2000SE.exploit!

Hi everyone;

Kaspersky Internet Security (KIS) keeps informing me once every two-three days or so of an intrusion attempt on my PC reported as--

"Intrusion.Win.MSFP2000SE.exploit! Attacker's IP address: 76.170.254.118. Protocol/service: TCP on local port 80." (with the time/day stamp appended of course)

to which KIS then goes on to state was sucessfully blocked. However after several attenpts at googling this "exploit" over the days for more infomation as to its specific nature, all I recieve are a few foreign language web-sites (mainly in Russian) discussing it.

Therefore has anyone else experienced this "exploit," or have any information on it? And is there something that I may be unknowingly doing which is leaving me exposed to it?

Thanks for any assistence;

RanT2

 

MSFP2000SE may refer to Microsoft FrontPage Server Extensions. See:

Microsoft Security Bulletin MS03-051
Buffer Overrun in Microsoft FrontPage Server Extensions
http://www.microsoft.com/technet/security/Bulletin/MS03-051.mspx

All recent verisions of MSFPSE are patched for this exploit. My ISP uses this on his server for his web hosting.

----
rich

 

Thank you Rich;

However, I'm not running a server here. This is essentially a wireless home/office PC using Windows XP Home edition (SP2) that connects to the internet through a wireless router. All my ports are closed and stealthed (to my knowledge) with the exception of a few port ranges located in the 40,000-60,000 number region which I had to forward for the purpose of a couple of bittorent file sharing clients. Azureus and Bitcomet.

So do you (or anyone else) have any idea why I continue to recieve these "exploit" intrusion attempts on port 80?.

RanT2

 

You don't have to be running a sever to get probed.

You might see if you can get this thread moved to the firewall forum.

Some questions:

--> What does your Router log show?

--> do you have a static IP address?

--> did this start following any changes to your networking setup?


----
rich

 

Hi Rich;

You asked:

<< What does your Router log show? >>

Call me stupid, but I just checked and unfortunately my router logging happened to be turned off, great... It is on now, however it is sort of like trying to close the barndoor after the horse has already escaped.

<< do you have a static IP address? >>

Yes, because I had to open static ports for my bittorrent file sharing clients and could not have the DHCP possibly changing my IP after every reboot.

<< did this start following any changes to your networking setup? >>

Not to the network specifically. However the attacks began a while after I started using the Azureus 3.0.3.4 bittorent client. And according to the KIS firewall monitor I notice that port 80 is listed on the "open ports" list, as being a TCP connection used by "Azureus.exe."

Could this be a clue to the intruder? Attempting to exploit a vulnerability in the Azureus program maybe?

RanT2

 

Addendum;

Rich;

If you meant is my ISP assigned IP address static, then "yes" as far as I'm aware. Cable modem service provided by Time-Warner Inc.'s Road Runner Hi Speed Internet.

RanT2

 

Hopefully, someone familiar with your setup might have some suggestions.

Regarding having a static IP: How long have you had that IP address?

----
rich

 

To my knowledge ever since the aqusition and conversion by TWI of the Southern California franchise formally owned by Comcast sometime in late 2006 to early 2007 IIRC.

RanT2

 

Until someone else has a suggestion: I would monitor the router log. Probes to Port 80 are not uncommon. I checked back in my firewall logs and found many:

Code:

Rule 'Deny All Remaining Protocols < Any': Blocked: In TCP, 63.93.75.212:4571->localhost:80

Regarding a static IP: I would think that if it were a targeted attack, it would be more frequent. This particular exploit, though, seems strange, if it were targeted.


----
rich

 

The IP is from your own ISP range:-

OrgName: Road Runner HoldCo LLC
OrgID: RRWE
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US

ReferralServer: rwhois://ipmt.rr.com:4321

NetRange: 76.168.0.0 - 76.175.255.255
CIDR: 76.168.0.0/13
NetName: RRACI

You are running a server:-

I dont see why this program should use such a port. Check your port settings in "Azureus" to ensure you have not selected this for the user ports. You then need to check the "Azureus" settings to ensure any option to allow "uPnP" is disable (to stop the program opening ports in your router).

The "Attack" could be an actual exploit attempt, but as KIS is blocking this, it is not successful. It could be a false possitive from KIS, or actually a scan from your ISP that is seen as this exploit (I know many ISP will scan server ports (FTP/ HTTP etc) to check the users are not running servers (and possibly abusing the service from the ISP).

I would first check the settings in "Azureus", and make sure of the ports used, and make sure uPnP is disable. (these scans/attacks should not be passing through your router)

 

Thanks Stem;

Just to clarify. When I stated previously that I was not running a "server" (To my knowledge at the time. See why next). I meant a standard web-page HTTP port 80 type. Not a "server" in the broad technical sense in which the Azureus client could also be viewed as a type of "server" as well, for file-sharing that is.

However, and ironically enough, after following your suggestions for checking the settings in Azureus, I found that I was apparently acting as a web server in the sense that I unknowingly had the "HTTP seeding" feature enabled which caused Azureus to open port 80 in my router's firewall through UPnP.

So given that this supposed exploit is apparently coming from within my own ISP range. It may be simply a routine port 80 scan from them being wrongly interpreted by KIS as an "exploit" attack of type "Win.MSFP2000SE."

I will keep my eye on the situation to see for sure however.

BTW, I couldn't find any option to turn UPnP on or off in the Azureus client. So I had to disable the UPnP function as a whole in the router.

RanT2

 

Hi RanT2,

Nice find on the "HTTP seeding". (one to note) Well done.
I do use some torrent clients, for checking firewalls ability to handle multi-connections, but do not use "Azureus",... only because of the need for Java.

You should now be OK, just ensure that port 80 is now closed in your router.


Please let the forum know if you do have any more problems,.. or even if you are now OK.