RE: RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21, destroyed files

["James McGee" <jm () mindless com>]

Fluxay contains a trojan, make sure you scan it for viruses "twice!"

Port 524, do you need this open.

Time and time again, I find many a system exposed to the world with a
ridiculous number of ports open.

Only let in through whatever firewall you use, the ports that are absolutely
necessary for the servers functionality.

Surely you could place your SQL server inside your network, and pass traffic
through to it from a secure machine?  If not, the people/services using SQl
must be reasonably trusted, put them on a separated connection?

Cheers

JM

 -----Original Message-----
From:   bukys () rochester edu [mailto:bukys () rochester edu]
Sent:   13 March 2002 18:07
To:     incidents () securityfocus com
Cc:     bukys () rochester edu
Subject:        RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21,
destroyed files

We have experienced an unusually tenacious set of destructive attacks
on very many machines here, in three waves over the last several weeks.

Last month it was port 1433 SQL server blank admin password attacks,
resulting in blasting of systems down to empty C: drives. Closely
following by another set of attacks (method unknown) from the same set
of hosts (in China), resulting in installation of the RemoteNC backdoor
(usually listening on TCP ports 4 or 6), and often ending in
destruction of the C: drive.

This month, it looks like ping and port 524 probes, followed by a mix
of port 21, 139, and 445 activity.  Also including installation of
RemoteNC and/or wiping of C: drive, or at least removal of kernel
file.  Disabling of port 524 traffic still resulted in successful
attacks that apparently worked around lack of port 524 information
leaks.  We have known brute-force password attempts.  We DON'T KNOW
whether all entry is solely via weak passwords, or something else.

I suspect they may be something called "Fluxay" which was published on
the same Chinese site (netxeyes) that publishes RemoteNC.  Last month
it was not downloadable to me.  Since then a few people have turned up
some copies for me.

RemoteNC is easy to detect, as a TCP connection to it gets a "RemoteNC
password:" prompt.  Executable file on compromised machines is usually
"TCPMUX.EXE" or "TCPMX.EXE".  ISS shows the "tcpmux" or "tcpmx" service
running.  Recent antivirus software detects it (since we submitted it
to AV vendors last month).


*** If anybody is experiencing the same, CAN COMPARE NOTES? ***


Liudvikas Bukys
University of Rochester
bukys () rochester edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.336 / Virus Database: 188 - Release Date: 11/03/2002

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.336 / Virus Database: 188 - Release Date: 11/03/2002


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com