2 Replies Latest reply on May 8, 2018 10:17 AM by kingfish

    Why is the "tbaseprovisioning" service making my PC accessible to the internet? Malware? Backdoor?

    1stn00b

      After installing the AMD Chipset Drivers on Windows 7 x64 for my new Ryzen 7 1700 MSI x370 32GB RAM build last week, I started getting firewall warnings of incoming connections to local port 8732 on my PC. After some digging I found out that the port is opened by the tbaseprovisioning service.

       

      The tbaseprovisioning service doesn't have any description besides Copyright 2013-2014 AMD (???) and it was installed with the AMD PSP 3.0 Device driver from: AMD Chipset Drivers Folder\Packages\Drivers\AMD PSP\

       

      From what I've seen there, it has a tbaseprovisioning.exe.config that specifies a local and remote accessible address if localhost is changed to my PC IP address (I've attached a screenshot of the firewall warning after giving the web address to a friend)

      <baseAddresses>
                  <add baseAddress="http://localhost:8732/Design_Time_Addresses/RootPA/Service1/" />
      </baseAddresses>
      

       

      and also a strange behavior, CustomerDeskOperationsBehavior, which to me looks like spyware, a keylogger, etc. from the name.

      <behavior name="CustomerDeskOperationsBehavior">
                <serviceMetadata httpGetEnabled="true" />
                <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
      

       

      This looks like the discovered Intel remote execution backdoor.

       

      UPDATE 27.05.2017: Used a DigitalOcean Linux droplet to access the service on my Windows PC
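
The two config fragments quoted in the post can be checked mechanically. This is an added example, not part of the original post and not AMD's code: a small Python audit of a WCF `.exe.config` that reports the listener address and the two behavior flags shown above. The sample config is constructed from the quoted fragments, and the wrapping layout, the `PLACEHOLDER` service name and the rule names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the two fragments quoted in the post, wrapped in the usual
# <system.serviceModel> layout. The service name is a placeholder.
SAMPLE_CONFIG = """<configuration><system.serviceModel>
  <services>
    <service name="PLACEHOLDER" behaviorConfiguration="CustomerDeskOperationsBehavior">
      <host><baseAddresses>
        <add baseAddress="http://localhost:8732/Design_Time_Addresses/RootPA/Service1/" />
      </baseAddresses></host>
    </service>
  </services>
  <behaviors><serviceBehaviors>
    <behavior name="CustomerDeskOperationsBehavior">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
  </serviceBehaviors></behaviors>
</system.serviceModel></configuration>"""

def is_true(elem, attr):
    return elem.get(attr, "false").strip().lower() == "true"

def audit_wcf_config(xml_text):
    """Return (rule, detail) findings for exposure-relevant WCF settings."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.findall(".//baseAddresses/add"):
        addr = add.get("baseAddress", "")
        url = urlparse(addr)
        findings.append(("listener", f"{url.scheme} port {url.port} path {url.path}"))
        # WCF HTTP bindings default to hostNameComparisonMode=StrongWildcard, so a
        # "localhost" host part does not by itself limit the listener to loopback.
        if url.hostname in ("localhost", "127.0.0.1"):
            findings.append(("host-not-a-bind-filter", addr))
        # Address prefix used by Visual Studio's WCF project templates.
        if "/Design_Time_Addresses/" in url.path:
            findings.append(("template-address", addr))
    for beh in root.iter("behavior"):
        name = beh.get("name", "(unnamed)")
        if any(is_true(e, "httpGetEnabled") for e in beh.iter("serviceMetadata")):
            findings.append(("metadata-over-http-get", name))
        if any(is_true(e, "includeExceptionDetailInFaults") for e in beh.iter("serviceDebug")):
            findings.append(("exception-detail-in-faults", name))
    return findings

if __name__ == "__main__":
    for rule, detail in audit_wcf_config(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```

On the machine itself, `netstat -ano` shows which process ID owns the listener on port 8732, which confirms whether the config being audited belongs to the service that opened the port.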