[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000e01c3f47f$2f67c6a0$0f1fa8c0@squirrel>
Date: Mon, 16 Feb 2004 14:22:36 +0300
From: "Pavel Levshin" <flicker@...iinsky.ru>
To: <bugtraq@...urityfocus.com>
Subject: Remote Administrator 2.x: highly possible remote hole or backdoor
Hello!
There is ongoing DDOS attack against some websites in Russia, including
http://www.peterhost.ru. It has begun at 21, January, and has increased over
time. Actual flood is performed by little executables on "infected"
computers. These .exe files lie at the root directory of the drive C of each
computer. They vary in size, and are, in common, from 3072 to 5120 bytes in
size. Some of names of these executables are:
666.exe
rich.exe
ric1.exe
fich.exe
tcpf.exe
udpf.exe
tzpf.exe
tzpy.exe
This in not a real infection, though. Affected computers have different
versions of Windows installed. There are Windows 98 as well as Windows 2000
and XP. Most of these computers are somewhat protected with firewall. Other
software differs, too, but there is one common point between most of them:
they have Remote Administrator 2.x (http://www.famatech.com) installed and
reachable from the Internet.
It does not look like a simple issue with weak passwords. I did speak with a
owner of the affected PC, and he assured me that his RA password is strong
enough. Moreover, there is a thread on the same problem:
http://www.famatech.com/support/forum/read.php?PAGEN_1=1&FID=11&TID=5856#nav
_start
As of Feb, 12, most computers used for DDOS were located at IP networks with
following first octets:
200, 202, 203, 210-213, 217-220, 24, 61-69, 80-82.
With best regards, Pavel Levshin. E-mail: flicker@...iinsky.ru
Powered by blists - more mailing lists