Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Remote Administrator 2.x: highly possible remote hole or back door

From: LordInfidel () directionweb com
Date: Wed, 18 Feb 2004 13:58:58 -0500
From reading the thread on famatech's site, this looks more like a weak

password issue, which is true of "ANY" piece of software
using simple password authentication.

Basically, If Radmin is listening on it's default port tcp/4899, and you are
not using the built in IP Filter and/or you are not using
a firewall to restrict connections to that port, then you are susceptible to
dictionary attacks. Plain and simple.

This *does not* automatically mean that radmin is insecure.

<snip>he assured me that his RA password is strong enough. </snip>

Strong enough means absolutely nothing in the world of dictionary
attacks......

Ask more detailed questions like:

1. Did they enable logging on the radmin service?  settings for remote
admin/options/logging  (use event log , use logfile)
   If so, did they even bother looking at the logs?  If not, then shame on
them.

2.  Are they using the built in IP Filters?  settings for remote
admin/options/Use IP filter
    If not, are they using any other method such as a vpn/firewall/router
acl to allow/block access to that service?
    If not then shame on them....

3. Did they even think about running the service on another port other then
4899?

4. Did it ever occur to them not to use the "weak" password method, rather
to use the integrated NT Permissions <recommended>

I think this is more of a case of end user ignorance then a hole/backdoor in
radmin.

JMO

LordInfidel

-----Original Message-----
From: Pavel Levshin [mailto:flicker () mariinsky ru]
Sent: Monday, February 16, 2004 6:23 AM
To: bugtraq () securityfocus com
Subject: Remote Administrator 2.x: highly possible remote hole or backdoor


Hello!

There is ongoing DDOS attack against some websites in Russia, including
http://www.peterhost.ru. It has begun at 21, January, and has increased over
time. Actual flood is performed by little executables on "infected"
computers. These .exe files lie at the root directory of the drive C of each
computer. They vary in size, and are, in common, from 3072 to 5120 bytes in
size. Some of names of these executables are:

666.exe
rich.exe
ric1.exe
fich.exe
tcpf.exe
udpf.exe
tzpf.exe
tzpy.exe

This in not a real infection, though. Affected computers have different
versions of Windows installed. There are Windows 98 as well as Windows 2000
and XP. Most of these computers are somewhat protected with firewall. Other
software differs, too, but there is one common point between most of them:
they have Remote Administrator 2.x (http://www.famatech.com) installed and
reachable from the Internet.

It does not look like a simple issue with weak passwords. I did speak with a
owner of the affected PC, and he assured me that his RA password is strong
enough. Moreover, there is a thread on the same problem:

http://www.famatech.com/support/forum/read.php?PAGEN_1=1&FID=11&TID=5856#nav
_start

As of Feb, 12, most computers used for DDOS were located at IP networks with
following first octets:

200, 202, 203, 210-213, 217-220, 24, 61-69, 80-82.


With best regards, Pavel Levshin.  E-mail: flicker () mariinsky ru
Previous By Date Next
Previous By Thread Next

Current thread: