#1
I have a MN-500 which apparently has the latest updates:

Current Base Station Firmware Version
Version: V1.11.017
Date: 10-03-2003

Recently, I noticed the persistent port-forwarding has SEVERAL entries that I didn't create. They're all of the form:

msmsgs (192.168.2.30:x) y UDP

How are they getting into my router if I'm not setting them? If Microsoft does this behind my back, why am I not informed?

Are there any known/published security holes in the MN-500 router? Today, it seems that the firewall was deactivated, even though it said it wasn't. I was able to activate a P2P client, without enabling any port-forwarding. Once I logged into the router to see if the firewall was activated, and checked the settings for port-forwarding, my P2P client stopped working, complaining of a disconnect.

I have changed my password in the past, and change it usually once every few months. I have enabled MAC filtering on the LAN side for almost a year.

My ISP is pretty rotten, but we don't have many choices for cable-modem access in Montreal. I get HUNDREDS of entries per day in my log of the following type:

2004/05/13 09:16:22 Connection attempt to base station from WAN blocked -- src:<24.203.x.y:z> dst:<24.203.a.b:c>

I suspect these are probes from worms (Sasser, Phatbot, whatever) and are somewhat normal, given the chaos caused by the exploitation of unpatched security holes in Windows.

I'm trying to find out what holes my router has.

Thanks,
Cris
#2
More info about these entries -- I reset my MN-500 and saw that the msmsgs entries got re-added by my XP machine. Here's the evidence -- it happens even before the time is sync'ed (hence the 1970 date):

1970/01/01 00:00:33 AddPortMapping: ExternalPort:13785, UDP, InternalPort:7043, InternalClient:192.168.2.x
1970/01/01 00:00:33 AddPortMapping: ExternalPort:45535, TCP, InternalPort:7431, InternalClient:192.168.2.x

The 'x' above is my Windows XP machine, physically connected via RJ45 to the MN-500. I performed the reset from a machine over wireless (a different machine).

After inspecting the persistent port-forwarding tables, indeed the two entries above were added and enabled. This is very disturbing behavior, given that the security (password) of my router is being compromised (back-door). I saw that someone else has pointed out this hole in other postings, even for Linksys routers:

http://groups.google.ca/groups?hl=en&lr=&safe=off&q=broadband+port+forwarding+msmsgs

It appears that if MS Messenger is set to automatically log on, it will create those port forwards automatically via UPnP (how this can't be exploited by a trojan or virus, time will tell). I personally don't use it, and that's why I'm shocked that these forwardings were happening automatically.

I'm going to disable auto-logon of MS Messenger on the offending XP machine and see if the problem goes away.
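Added here as an example, not code from the thread or from Microsoft: a small log-triage script that parses the two MN-500 base-station log line formats quoted in this thread (the UPnP AddPortMapping entries and the blocked WAN connection attempts), flags mappings created by LAN hosts that are not expected to open ports, and marks those logged before the router's clock was synced. The sample log and its addresses are constructed; only the line formats come from the posts.

```python
import re
from collections import Counter, namedtuple
from dataclasses import dataclass, field
from datetime import datetime

# The two MN-500 base-station log line shapes quoted in this thread.
ADD_MAPPING_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) AddPortMapping: "
    r"ExternalPort:(?P<ext>\d+), (?P<proto>TCP|UDP), "
    r"InternalPort:(?P<int>\d+), InternalClient:(?P<client>[\d.]+)$"
)
BLOCKED_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Connection attempt to base station "
    r"from WAN blocked -- src:<(?P<src>[\d.]+):\d+> dst:<[\d.]+:\d+>$"
)

Mapping = namedtuple("Mapping", "timestamp external_port protocol internal_port client")

@dataclass
class LogSummary:
    mappings: list = field(default_factory=list)    # every UPnP AddPortMapping seen
    unexpected: list = field(default_factory=list)  # mappings from hosts not on the allow-list
    blocked_by_source: Counter = field(default_factory=Counter)  # WAN probes per source address
    unparsed: int = 0

def clock_unsynced(mapping):
    """True when the mapping was logged before the router had NTP time (the 1970 dates), i.e. at boot."""
    return mapping.timestamp.year < 2000

def parse_mn500_log(lines, allowed_clients=()):
    """A UPnP mapping needs no router password, so any AddPortMapping from a host not in allowed_clients is flagged."""
    summary = LogSummary()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = ADD_MAPPING_RE.match(line)
        if m:
            mp = Mapping(datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                         int(m["ext"]), m["proto"], int(m["int"]), m["client"])
            summary.mappings.append(mp)
            if mp.client not in allowed_clients:
                summary.unexpected.append(mp)
            continue
        b = BLOCKED_RE.match(line)
        if b:
            summary.blocked_by_source[b["src"]] += 1
            continue
        summary.unparsed += 1
    return summary

# Constructed sample log modelled on the lines quoted in the thread; addresses are placeholders.
SAMPLE_LOG = """
1970/01/01 00:00:33 AddPortMapping: ExternalPort:13785, UDP, InternalPort:7043, InternalClient:192.168.2.30
1970/01/01 00:00:33 AddPortMapping: ExternalPort:45535, TCP, InternalPort:7431, InternalClient:192.168.2.30
2004/05/13 09:10:02 AddPortMapping: ExternalPort:6881, TCP, InternalPort:6881, InternalClient:192.168.2.41
2004/05/13 09:16:22 Connection attempt to base station from WAN blocked -- src:<203.0.113.7:3133> dst:<198.51.100.9:445>
2004/05/13 09:16:25 Connection attempt to base station from WAN blocked -- src:<203.0.113.7:3134> dst:<198.51.100.9:5554>
2004/05/13 09:17:01 Connection attempt to base station from WAN blocked -- src:<203.0.113.88:1025> dst:<198.51.100.9:135>
2004/05/13 09:18:00 Some other event this parser does not recognise
""".strip().splitlines()
```

Running `parse_mn500_log(SAMPLE_LOG, allowed_clients={"192.168.2.41"})` leaves the two boot-time msmsgs mappings from 192.168.2.30 in `unexpected`, which is the list to review and delete from the persistent port-forwarding table.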
#3
Cris,

Yes, this happens to me as well. I just go to my WinXP firewall settings and delete the entries. They arise from Microsoft Messenger (that cute little teal icon that is a pain to delete from the taskbar). It apparently is an "added feature" of Microsoft Messenger from recent updates.

I wouldn't call it a security question so much as a nuisance avoidance question. As long as your Messenger is not active, those UDP ports will not be operative.

The solution if you're really upset - which apparently you seem to be - is to shut down Messenger completely. Easier said than done, since a number of processes are programmed to "utilize" it.

Good luck!
#4
Yep -- it's definitely Windows Messenger on my XP box that's doing those port-forwards. I saw that when you do manage to shut it down, it deletes them as well from the MN-500.

I'd guess that there were a whole bunch of entries due to times when my PC crashed (yes, XP can crash!) and the clean-up wasn't able to take place. Nice design.

I was able to deactivate Windows Messenger on my XP Home (I'm not running Pro) by opening the application (right-click icon, Open), choosing Options (I think) and deselecting "Allow to run in background" -- disabling "automatically connect to windows messenger" in Outlook Express -> Options -> General seemed to be needed as well. I can't remember the exact steps, but the icon isn't there anymore when I launch Outlook Express.

Thanks for the feedback. I wonder how long it will be before a worm/virus/trojan is developed that is able to open ports on a firewall the same way Windows Messenger does.
#5
Install Windows Messenger 5. It will not create all those persistent port forwards.

--
Jason Tsang - Microsoft MVP
Find out about the MS MVP Program - http://mvp.support.microsoft.com/default.aspx

"Cris" <(E-Mail Removed)> wrote in message news:ca2701c43906$ad5c9790$(E-Mail Removed)...
#6
Think hardware firewall; no UDP allowed....