Security Incidents mailing list archives

RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21, destroyed files


From: bukys () rochester edu
Date: Wed, 13 Mar 2002 13:07:29 -0500 (EST)

We have experienced an unusually tenacious set of destructive attacks
on very many machines here, in three waves over the last several weeks.

Last month it was port 1433 SQL server blank admin password attacks,
resulting in blasting of systems down to empty C: drives. Closely
followed by another set of attacks (method unknown) from the same set
of hosts (in China), resulting in installation of the RemoteNC backdoor
(usually listening on TCP ports 4 or 6), and often ending in
destruction of the C: drive.

This month, it looks like ping and port 524 probes, followed by a mix
of port 21, 139, and 445 activity.  Also including installation of
RemoteNC and/or wiping of C: drive, or at least removal of kernel
file.  Disabling of port 524 traffic still resulted in successful
attacks that apparently worked around lack of port 524 information
leaks.  We have known brute-force password attempts.  We DON'T KNOW
whether all entry is solely via weak passwords, or something else.

I suspect they may be something called "Fluxay" which was published on
the same Chinese site (netxeyes) that publishes RemoteNC.  Last month
it was not downloadable to me.  Since then a few people have turned up
some copies for me.

RemoteNC is easy to detect, as a TCP connection to it gets a "RemoteNC
password:" prompt.  Executable file on compromised machines is usually
"TCPMUX.EXE" or "TCPMX.EXE".  ISS shows the "tcpmux" or "tcpmx" service
running.  Recent antivirus software detects it (since we submitted it
to AV vendors last month).


*** If anybody is experiencing the same, CAN WE COMPARE NOTES? ***


Liudvikas Bukys
University of Rochester
bukys () rochester edu
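The two host-side indicators given in the post (a listener on TCP port 4 or 6, and a "RemoteNC password:" greeting on a fresh connection) lend themselves to a quick local check. The following Python helper is an added example, not code from the post or from the University of Rochester; the netstat text it parses is constructed sample output, and the regex assumes the Windows `netstat -an` column layout.

```python
import re
import socket

# Indicators from the list post: the backdoor usually listens on TCP 4 or 6
# and answers a new connection with a "RemoteNC password:" prompt.
SUSPECT_PORTS = {4, 6}
BANNER = b"RemoteNC password:"

# Matches the LISTENING rows of Windows "netstat -an" output, e.g.
#   TCP    0.0.0.0:4    0.0.0.0:0    LISTENING
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.M)


def suspect_listeners(netstat_output):
    """Return (address, port) pairs from netstat output that listen on 4 or 6."""
    hits = []
    for addr, port in LISTEN_RE.findall(netstat_output):
        if int(port) in SUSPECT_PORTS:
            hits.append((addr, int(port)))
    return hits


def is_remotenc_banner(data):
    """True if bytes read from a fresh connection carry the RemoteNC prompt."""
    return data is not None and BANNER in data


def probe(host, port, timeout=3.0):
    """Connect, read the greeting, and return its bytes (None on no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256)
    except OSError:  # refused, timed out, unreachable
        return None


# Constructed sample output (not from the post): one listener on port 4.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:4              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1029          ESTABLISHED
"""

if __name__ == "__main__":
    for addr, port in suspect_listeners(SAMPLE_NETSTAT):
        banner = probe("127.0.0.1" if addr == "0.0.0.0" else addr, port)
        print(f"port {port} at {addr}: RemoteNC={is_remotenc_banner(banner)}")
```

Run it on the machine under examination with real `netstat -an` output piped into `suspect_listeners`; a listener that also returns the prompt matches both indicators from the post.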

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com