Win.MSFP2000SE.exploit!

Discussion in 'other firewalls' started by RanT2, Nov 16, 2007.

Thread Status:
Not open for further replies.
  1. RanT2

    RanT2 Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    6
    Hi everyone;

    Kaspersky Internet Security (KIS) keeps informing me once every two-three days or so of an intrusion attempt on my PC reported as--

    "Intrusion.Win.MSFP2000SE.exploit! Attacker's IP address: 76.170.254.118. Protocol/service: TCP on local port 80." (with the time/day stamp appended of course)

    to which KIS then goes on to state was successfully blocked. However, after several attempts at googling this "exploit" over the days for more information as to its specific nature, all I receive are a few foreign-language web-sites (mainly in Russian) discussing it. o_O

    Therefore has anyone else experienced this "exploit," or have any information on it? And is there something that I may be unknowingly doing which is leaving me exposed to it?

    Thanks for any assistance;

    RanT2
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    MSFP2000SE may refer to Microsoft FrontPage Server Extensions. See:

    Microsoft Security Bulletin MS03-051
    Buffer Overrun in Microsoft FrontPage Server Extensions
    http://www.microsoft.com/technet/security/Bulletin/MS03-051.mspx
    All recent versions of MSFPSE are patched for this exploit. My ISP uses this on his server for his web hosting.

    ----
    rich
     
  3. RanT2

    RanT2 Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    6
    Thank you Rich;

    However, I'm not running a server here. This is essentially a wireless home/office PC using Windows XP Home edition (SP2) that connects to the internet through a wireless router. All my ports are closed and stealthed (to my knowledge) with the exception of a few port ranges located in the 40,000-60,000 number region which I had to forward for the purpose of a couple of BitTorrent file sharing clients, Azureus and BitComet.

    So do you (or anyone else) have any idea why I continue to receive these "exploit" intrusion attempts on port 80?

    RanT2 :doubt:
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You don't have to be running a server to get probed.

    You might see if you can get this thread moved to the firewall forum.

    Some questions:

    --> What does your Router log show?

    --> do you have a static IP address?

    --> did this start following any changes to your networking setup?


    ----
    rich
     
  5. RanT2

    RanT2 Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    6
    Hi Rich;

    You asked:

    << What does your Router log show? >>

    Call me stupid, but I just checked and unfortunately my router logging happened to be turned off, great... :mad: It is on now, however it is sort of like trying to close the barndoor after the horse has already escaped. :(

    << do you have a static IP address? >>

    Yes, because I had to open static ports for my bittorrent file sharing clients and could not have the DHCP possibly changing my IP after every reboot.

    << did this start following any changes to your networking setup? >>

    Not to the network specifically. However, the attacks began a while after I started using the Azureus 3.0.3.4 BitTorrent client. And according to the KIS firewall monitor I notice that port 80 is listed on the "open ports" list, as being a TCP connection used by "Azureus.exe."

    Could this be a clue to the intruder? Attempting to exploit a vulnerability in the Azureus program maybe?

    RanT2
     
  6. RanT2

    RanT2 Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    6
    Addendum;

    Rich;

    If you meant is my ISP assigned IP address static, then "yes" as far as I'm aware. Cable modem service provided by Time-Warner Inc.'s Road Runner Hi Speed Internet.

    RanT2
     
    Last edited: Nov 16, 2007
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hopefully, someone familiar with your setup might have some suggestions.

    Regarding having a static IP: How long have you had that IP address?

    ----
    rich
     
  8. RanT2

    RanT2 Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    6
    To my knowledge ever since the acquisition and conversion by TWI of the Southern California franchise formerly owned by Comcast sometime in late 2006 to early 2007 IIRC.

    RanT2
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Until someone else has a suggestion: I would monitor the router log. Probes to Port 80 are not uncommon. I checked back in my firewall logs and found many:

    Code:
    Rule 'Deny All Remaining Protocols < Any': Blocked: In TCP, 63.93.75.212:4571->localhost:80
    
    Regarding a static IP: I would think that if it were a targeted attack, it would be more frequent. This particular exploit, though, seems strange, if it were targeted.


    ----
    rich
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The IP is from your own ISP range:-

    OrgName: Road Runner HoldCo LLC
    OrgID: RRWE
    Address: 13241 Woodland Park Road
    City: Herndon
    StateProv: VA
    PostalCode: 20171
    Country: US

    ReferralServer: rwhois://ipmt.rr.com:4321

    NetRange: 76.168.0.0 - 76.175.255.255
    CIDR: 76.168.0.0/13
    NetName: RRACI


    You are running a server:-

    I don't see why this program should use such a port. Check your port settings in "Azureus" to ensure you have not selected this for the user ports. You then need to check the "Azureus" settings to ensure any option to allow "uPnP" is disabled (to stop the program opening ports in your router).

    The "Attack" could be an actual exploit attempt, but as KIS is blocking this, it is not successful. It could be a false positive from KIS, or actually a scan from your ISP that is seen as this exploit (I know many ISPs will scan server ports (FTP/HTTP etc.) to check the users are not running servers (and possibly abusing the service from the ISP)).

    I would first check the settings in "Azureus", and make sure of the ports used, and make sure uPnP is disabled. (These scans/attacks should not be passing through your router.)
     
  11. RanT2

    RanT2 Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    6
    Thanks Stem;

    Just to clarify. When I stated previously that I was not running a "server" (To my knowledge at the time. See why next). I meant a standard web-page HTTP port 80 type. Not a "server" in the broad technical sense in which the Azureus client could also be viewed as a type of "server" as well, for file-sharing that is.

    However, and ironically enough, after following your suggestions for checking the settings in Azureus, I found that I was apparently acting as a web server in the sense that I unknowingly had the "HTTP seeding" feature enabled which caused Azureus to open port 80 in my router's firewall through UPnP.

    So given that this supposed exploit is apparently coming from within my own ISP range, it may be simply a routine port 80 scan from them being wrongly interpreted by KIS as an "exploit" attack of type "Win.MSFP2000SE."

    I will keep my eye on the situation to see for sure however.

    BTW, I couldn't find any option to turn UPnP on or off in the Azureus client. So I had to disable the UPnP function as a whole in the router.

    RanT2
     
    Last edited: Nov 18, 2007
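Added example (not posted by anyone in this thread, and not part of KIS, Azureus or any router): a small Python triage helper that does, in code, the two checks Stem and RanT2 worked through above. It parses the two blocked-probe formats quoted in the thread (the KIS alert text from post 1 and the firewall log line from post 9), asks whether the source address falls inside the ISP range from the posted whois output (76.168.0.0/13), and asks whether the probed local port is one the user intended to expose at all. The sample alert lines are constructed copies of the quoted text; the "intended" port range 40000-60000 is an assumption standing in for the "40,000-60,000 region" RanT2 mentioned, and the two regular expressions are written to match those quoted lines only.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples modelled on the two formats quoted in the thread:
# the KIS intrusion message (post 1) and the firewall log line (post 9).
KIS_ALERT = ("Intrusion.Win.MSFP2000SE.exploit! Attacker's IP address: "
             "76.170.254.118. Protocol/service: TCP on local port 80.")
FIREWALL_LINE = ("Rule 'Deny All Remaining Protocols < Any': Blocked: In TCP, "
                 "63.93.75.212:4571->localhost:80")

# The CIDR from the whois output posted in the thread (NetName RRACI).
OWN_ISP_NETS = [ipaddress.ip_network("76.168.0.0/13")]

# Ports the user meant to expose (the forwarded BitTorrent range from post 3).
# Assumption: exact bounds 40000-60000 stand in for "the 40,000-60,000 region".
INTENDED_PORTS = range(40000, 60001)

KIS_RE = re.compile(
    r"^(?P<sig>\S+)\s+Attacker's IP address:\s*(?P<ip>\d+(?:\.\d+){3})\.\s*"
    r"Protocol/service:\s*(?P<proto>[A-Za-z]+) on local port (?P<port>\d+)\.")
FW_RE = re.compile(
    r"Blocked: In (?P<proto>[A-Za-z]+), (?P<ip>\d+(?:\.\d+){3}):(?P<sport>\d+)"
    r"->\S+:(?P<port>\d+)")


@dataclass
class BlockedProbe:
    src_ip: str
    proto: str
    dst_port: int
    src_port: Optional[int] = None    # only the firewall log carries this
    signature: Optional[str] = None   # only the KIS alert carries this


def parse_probe(line: str) -> Optional[BlockedProbe]:
    """Parse one KIS alert or one firewall log line; None if neither matches."""
    m = KIS_RE.search(line)
    if m:
        return BlockedProbe(m["ip"], m["proto"], int(m["port"]), signature=m["sig"])
    m = FW_RE.search(line)
    if m:
        return BlockedProbe(m["ip"], m["proto"], int(m["port"]),
                            src_port=int(m["sport"]))
    return None


def triage(probe: BlockedProbe) -> List[str]:
    """The two questions a defender asks: who is knocking, and should that door exist."""
    findings = []
    src = ipaddress.ip_address(probe.src_ip)
    if any(src in net for net in OWN_ISP_NETS):
        findings.append("source is inside own ISP range (possible ISP port scan)")
    if probe.dst_port not in INTENDED_PORTS:
        findings.append(f"local port {probe.dst_port} was never meant to be reachable; "
                        "find the listener and the router rule (UPnP?) that exposed it")
    return findings


def triage_lines(lines: List[str]) -> List[dict]:
    """Run parse_probe + triage over a batch of log/alert lines, skipping junk."""
    results = []
    for line in lines:
        probe = parse_probe(line)
        if probe is not None:
            results.append({"src_ip": probe.src_ip, "dst_port": probe.dst_port,
                            "findings": triage(probe)})
    return results


if __name__ == "__main__":
    for r in triage_lines([KIS_ALERT, FIREWALL_LINE]):
        print(r["src_ip"], r["dst_port"], *r["findings"], sep=" | ")
```

The point of the second finding is the one this thread landed on: the blocked probe itself is noise (an ISP scan or a signature misfire), but a port that KIS has to keep blocking is a port the router should not have been forwarding in the first place, and the fix is to remove the listener and the UPnP mapping rather than to rely on the host firewall.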
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi RanT2,

    Nice find on the "HTTP seeding". (one to note) Well done.
    I do use some torrent clients, for checking firewalls ability to handle multi-connections, but do not use "Azureus",... only because of the need for Java.

    You should now be OK, just ensure that port 80 is now closed in your router.


    Please let the forum know if you do have any more problems,.. or even if you are now OK.
     