Ref WMF. Can somebody explain this kerio log?

I downloaded the patch this morning to disable the affected dll, and then the test to see if the patch was working. So, I don't know if the test program was stuck, or if someone was really trying to get into my machine. Here's my kerio ids log. I've removed some of the stuff from the last couple of days since it wasn't relevant. Since I've been back online, nothing like what you see below has happened.

[30/Dec/2005 19:43:55] "Ids" action = 'denied', raddr = '4.79.142.206', msg = 'BAD-TRAFFIC tcp port 0 traffic', url = '', direc = 'in', class = 'misc-activity', priority = low
[30/Dec/2005 19:43:56] "Ids" action = 'denied', raddr = '4.79.142.206', msg = 'BAD-TRAFFIC tcp port 0 traffic', url = '', direc = 'in', class = 'misc-activity', priority = low
[30/Dec/2005 19:43:56] "Ids" action = 'detected', raddr = '4.79.142.206', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan
[30/Dec/2005 19:43:56] "Ids" action = 'denied', raddr = '4.79.142.206', msg = 'BAD-TRAFFIC tcp port 0 traffic', url = '', direc = 'in', class = 'misc-activity', priority = low
[30/Dec/2005 19:44:02] Last message repeated 6 times
[30/Dec/2005 19:45:41] "Ids" action = 'detected', raddr = '4.79.142.206', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan
[30/Dec/2005 19:45:41] "Ids" action = 'denied', raddr = '4.79.142.206', msg = 'BAD-TRAFFIC tcp port 0 traffic', url = '', direc = 'in', class = 'misc-activity', priority = low
[30/Dec/2005 19:45:47] Last message repeated 20 times
[02/Jan/2006 10:41:18] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:41:21] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:41:22] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:41:28] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:41:39] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:41:45] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:41:47] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:41:52] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:41:58] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:42:02] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:42:11] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:42:41] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:42:50] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:43:36] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:44:20] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:45:26] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:46:11] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:46:16] Last message repeated 3 times
[02/Jan/2006 10:46:22] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:46:34] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:46:52] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:46:54] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:46:58] Last message repeated 3 times
[02/Jan/2006 10:47:03] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:47:13] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:47:16] Last message repeated 3 times
[02/Jan/2006 10:47:25] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:47:38] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:47:40] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:47:46] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:48:09] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:48:26] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:49:08] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:49:22] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:50:02] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high
[02/Jan/2006 10:51:07] "Ids" action = 'denied', raddr = '72.41.101.136', msg = 'EXPLOIT WMF Escape Record Exploit', url = 'http://www.frsirt.com/english/advisories/2005/3086', direc = 'in', class = 'attempted-user', priority = high

 

Did the test complete? It would appear running the test or something on the frsirt site triggered the IDS signature.

Regards,

CrazyM

 

The first few lines show that you were doing a test on GRC.com (Shields Up).

The next lines show that Kerio has detected and blocked the WMF-Exploit test file. If you want to download the test file, you'll need to disable Kerio. If you don't, it'll just keep blocking it

 

Okay, that explains it. I didn't disable kerio and the test wouldn't download. It never occurred to me, being technologically 'challenged' about such things that the test would keep trying to download.

I'll have to try again, with kerio disabled, although by blocking it maybe it's doing its job anyway.