RE: Remote Administrator 2.x: highly possible remote hole or back door

LordInfidel_at_directionweb.com
Date: 02/18/04

    To: 'Pavel Levshin' <flicker@mariinsky.ru>, bugtraq@securityfocus.com
    Date: Wed, 18 Feb 2004 13:58:58 -0500
    From reading the thread on famatech's site, this looks more like a weak
    password issue, which is true of "ANY" piece of software
    using simple password authentication.

    Basically, if Radmin is listening on its default port tcp/4899, and you are
    not using the built-in IP Filter and/or you are not using
    a firewall to restrict connections to that port, then you are susceptible to
    dictionary attacks. Plain and simple.

    This *does not* automatically mean that radmin is insecure.

    <snip>he assured me that his RA password is strong enough. </snip>

    Strong enough means absolutely nothing in the world of dictionary
    attacks......

    Ask more detailed questions like:

    1. Did they enable logging on the radmin service? (Settings for Remote
    Admin / Options / Logging: use event log, use logfile)
       If so, did they even bother looking at the logs? If not, then shame on
    them.

    2. Are they using the built-in IP Filters? (Settings for Remote
    Admin / Options / Use IP filter)
       If not, are they using any other method such as a VPN/firewall/router
    ACL to allow/block access to that service?
       If not, then shame on them....

    3. Did they even think about running the service on another port other than
    4899?

    4. Did it ever occur to them not to use the "weak" password method, but rather
    to use the integrated NT Permissions? <recommended>

    I think this is more a case of end-user ignorance than a hole/backdoor in
    radmin.

    JMO

    LordInfidel

    -----Original Message-----
    From: Pavel Levshin [mailto:flicker@mariinsky.ru]
    Sent: Monday, February 16, 2004 6:23 AM
    To: bugtraq@securityfocus.com
    Subject: Remote Administrator 2.x: highly possible remote hole or backdoor

    Hello!

    There is an ongoing DDoS attack against some websites in Russia, including
    http://www.peterhost.ru. It began on 21 January and has increased over
    time. The actual flood is performed by little executables on "infected"
    computers. These .exe files lie in the root directory of drive C of each
    computer. They vary in size, and are, in general, from 3072 to 5120 bytes in
    size. Some of the names of these executables are:

    666.exe
    rich.exe
    ric1.exe
    fich.exe
    tcpf.exe
    udpf.exe
    tzpf.exe
    tzpy.exe

    This is not a real infection, though. Affected computers have different
    versions of Windows installed. There is Windows 98 as well as Windows 2000
    and XP. Most of these computers are somewhat protected with a firewall. Other
    software differs, too, but there is one common point between most of them:
    they have Remote Administrator 2.x (http://www.famatech.com) installed and
    reachable from the Internet.

    It does not look like a simple issue with weak passwords. I did speak with an
    owner of an affected PC, and he assured me that his RA password is strong
    enough. Moreover, there is a thread on the same problem:

    http://www.famatech.com/support/forum/read.php?PAGEN_1=1&FID=11&TID=5856#nav_start

    As of Feb 12, most computers used for the DDoS were located in IP networks with
    the following first octets:

    200, 202, 203, 210-213, 217-220, 24, 61-69, 80-82.

    With best regards, Pavel Levshin. E-mail: flicker@mariinsky.ru

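The checklist in LordInfidel's reply (enable the logfile, then actually read it; restrict who can reach tcp/4899 with the IP filter) can be turned into a small defender-side check. The following is an added example, not code from either poster or from Famatech; the logfile format and the allowlist are constructed assumptions, since the thread does not show Radmin's real log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in a hypothetical "use logfile" format
# (the real Radmin 2.x logfile format is not shown in the thread).
SAMPLE_LOG = """\
2004-02-16 06:10:01 connection from 192.0.2.10 port 4899 auth failed
2004-02-16 06:10:02 connection from 192.0.2.10 port 4899 auth failed
2004-02-16 06:10:03 connection from 192.0.2.10 port 4899 auth failed
2004-02-16 06:10:04 connection from 192.0.2.10 port 4899 auth failed
2004-02-16 06:10:05 connection from 192.0.2.10 port 4899 auth failed
2004-02-16 06:10:06 connection from 192.0.2.10 port 4899 auth failed
2004-02-16 06:30:00 connection from 10.0.0.5 port 4899 auth ok
2004-02-16 07:00:00 connection from 198.51.100.7 port 4899 auth failed
"""

LINE_RE = re.compile(r"^(\S+ \S+) connection from (\S+) port \d+ auth (ok|failed)$")

# Hypothetical IP filter: only the management LAN may reach the service.
ALLOWED = [ip_network("10.0.0.0/8")]

def parse(log):
    """Yield (timestamp, source, result) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def find_dictionary_attacks(log, threshold=5, window=timedelta(minutes=1)):
    """Return sources with at least `threshold` auth failures inside one window."""
    failures = defaultdict(list)
    for ts, src, result in parse(log):
        if result == "failed":
            failures[src].append(ts)
    flagged = set()
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(src)
                break
    return sorted(flagged)

def outside_ip_filter(log):
    """Return sources the IP filter allowlist would have rejected."""
    return sorted({src for _, src, _ in parse(log)
                   if not any(ip_address(src) in net for net in ALLOWED)})
```

Any source that appears in both results is one the IP filter would have stopped before a single guess was made, which is the point of item 2 in the checklist.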
