Ref WMF. Can somebody explain this kerio log?

Discussion in 'other firewalls' started by Chuck57, Jan 2, 2006.

Thread Status:
Not open for further replies.
  1. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
I downloaded the patch this morning to disable the affected dll, and then the test to see if the patch was working. So, I don't know if the test program was stuck, or if someone was really trying to get into my machine. Here's my Kerio IDS log. I've removed some of the stuff from the last couple of days since it wasn't relevant. Since I've been back online, nothing like what you see below has happened.

    [30/Dec/2005 19:43:55] "Ids" action = 'denied', raddr = '4.79.142.206', msg = 'BAD-TRAFFIC tcp port 0 traffic', url = '', direc = 'in', class = 'misc-activity', priority = low
    [30/Dec/2005 19:43:56] "Ids" action = 'denied', raddr = '4.79.142.206', msg = 'BAD-TRAFFIC tcp port 0 traffic', url = '', direc = 'in', class = 'misc-activity', priority = low
    [30/Dec/2005 19:43:56] "Ids" action = 'detected', raddr = '4.79.142.206', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan
    [30/Dec/2005 19:43:56] "Ids" action = 'denied', raddr = '4.79.142.206', msg = 'BAD-TRAFFIC tcp port 0 traffic', url = '', direc = 'in', class = 'misc-activity', priority = low
    [30/Dec/2005 19:44:02] Last message repeated 6 times
    [30/Dec/2005 19:45:41] "Ids" action = 'detected', raddr = '4.79.142.206', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan
    [30/Dec/2005 19:45:41] "Ids" action = 'denied', raddr = '4.79.142.206', msg = 'BAD-TRAFFIC tcp port 0 traffic', url = '', direc = 'in', class = 'misc-activity', priority = low
    [30/Dec/2005 19:45:47] Last message repeated 20 times
    [02/Jan/2006 10:41:18] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:41:21] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:41:22] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:41:28] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:41:39] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:41:45] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:41:47] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:41:52] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:41:58] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:42:02] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:42:11] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:42:41] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:42:50] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:43:36] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:44:20] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:45:26] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:46:11] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:46:16] Last message repeated 3 times
    [02/Jan/2006 10:46:22] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:46:34] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:46:52] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:46:54] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:46:58] Last message repeated 3 times
    [02/Jan/2006 10:47:03] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:47:13] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:47:16] Last message repeated 3 times
    [02/Jan/2006 10:47:25] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:47:38] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:47:40] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:47:46] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:48:09] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:48:26] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:49:08] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:49:22] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:50:02] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
    [02/Jan/2006 10:51:07] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Did the test complete? It would appear running the test or something on the frsirt site triggered the IDS signature.

    Regards,

    CrazyM
     
  3. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    The first few lines show that you were doing a test on GRC.com (Shields Up).

    The next lines show that Kerio has detected and blocked the WMF-Exploit test file. If you want to download the test file, you'll need to disable Kerio. If you don't, it'll just keep blocking it ;)
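Kye-U's reading of the log, done mechanically: the following is an added example (not code from this thread, and not Kerio's own tooling) that parses the Kerio IDS log format shown in the first post, folds the "Last message repeated N times" lines into the preceding event, and summarises hits per source address and signature. It assumes only the two line layouts visible above, and it assumes that "repeated N times" means N further copies of the previous line; the sample lines are a subset copied from the posted log.

```python
"""Parse Kerio Personal Firewall IDS log lines and summarise them per source.

Added example, not code from the thread or from Kerio. Assumes the two line
formats visible in the posted log:
    [dd/Mon/yyyy HH:MM:SS] "Ids" key = 'value', ..., priority = value
    [dd/Mon/yyyy HH:MM:SS] Last message repeated N times
"""
import re
from datetime import datetime

EVENT_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] "Ids" (?P<body>.*)$')
REPEAT_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] Last message repeated (?P<n>\d+) times$')
# key = 'quoted value'  or  key = bareword  (priority is unquoted in this format)
FIELD_RE = re.compile(r"(\w+) = (?:'([^']*)'|([^,\s]+))")
TS_FMT = "%d/%b/%Y %H:%M:%S"

# A subset of the lines from the log posted in the first message (not constructed).
SAMPLE_LOG = """\
[30/Dec/2005 19:43:55] "Ids" action = 'denied', raddr = '4.79.142.206', msg = 'BAD-TRAFFIC tcp port 0 traffic', url = '', direc = 'in', class = 'misc-activity', priority = low
[30/Dec/2005 19:43:56] "Ids" action = 'detected', raddr = '4.79.142.206', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan
[30/Dec/2005 19:43:56] "Ids" action = 'denied', raddr = '4.79.142.206', msg = 'BAD-TRAFFIC tcp port 0 traffic', url = '', direc = 'in', class = 'misc-activity', priority = low
[30/Dec/2005 19:44:02] Last message repeated 6 times
[02/Jan/2006 10:41:18] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:46:11] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:46:16] Last message repeated 3 times
"""


def parse_kerio_ids(lines):
    """Return one dict per logged event; 'Last message repeated' lines are folded
    into the preceding event's count and end timestamp."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), TS_FMT)
            # findall yields (key, quoted, bare); exactly one of the two values is set
            fields = {k: q or bare for k, q, bare in FIELD_RE.findall(m.group("body"))}
            events.append({"first": ts, "last": ts, "count": 1, **fields})
            continue
        m = REPEAT_RE.match(line)
        if m and events:
            # Assumption: "repeated N times" = N further copies of the previous line.
            events[-1]["count"] += int(m.group("n"))
            events[-1]["last"] = datetime.strptime(m.group("ts"), TS_FMT)
            continue
        raise ValueError(f"unrecognised Kerio IDS line: {line!r}")
    return events


def summarize(events):
    """Group events by (remote address, signature), keeping total hits, time span
    and the signature metadata. Insertion order is preserved."""
    groups = {}
    for e in events:
        key = (e["raddr"], e["msg"])
        g = groups.get(key)
        if g is None:
            g = groups[key] = {"count": 0, "first": e["first"], "last": e["last"],
                               "action": e["action"], "class": e["class"],
                               "priority": e["priority"], "url": e["url"]}
        g["count"] += e["count"]
        g["first"] = min(g["first"], e["first"])
        g["last"] = max(g["last"], e["last"])
    return groups


def explain(groups):
    """One plain-English line per group, in the spirit of the replies in the thread."""
    out = []
    for (raddr, msg), g in groups.items():
        span = int((g["last"] - g["first"]).total_seconds())
        if g["class"] == "network-scan":
            verdict = "scan detected (logged only)"
        elif g["action"] == "denied":
            verdict = ("blocked by the IDS on every attempt; repeated hits from one "
                       "address over minutes fit a download being retried")
        else:
            verdict = f"action={g['action']}"
        out.append(f"{raddr}: {msg!r} x{g['count']} over {span}s, class={g['class']}, "
                   f"priority={g['priority']}: {verdict}")
    return out


if __name__ == "__main__":
    for line in explain(summarize(parse_kerio_ids(SAMPLE_LOG.splitlines()))):
        print(line)
```

On the sample above it prints three lines: the BAD-TRAFFIC and PortScan groups from 4.79.142.206 on 30 December (the Shields Up run), and the WMF signature from 72.41.101.136 denied five times across roughly five minutes, which is what a blocked file being re-requested looks like from the firewall's side. Any line that fits neither layout raises instead of being silently dropped, so a parser change is forced rather than a gap in the summary.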
     
  4. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Okay, that explains it. I didn't disable kerio and the test wouldn't download. It never occurred to me, being technologically 'challenged' about such things that the test would keep trying to download.

    I'll have to try again, with kerio disabled, although by blocking it maybe it's doing its job anyway.
     