Open Source and information security mailing list archives
Date: Mon, 16 Feb 2004 14:22:36 +0300
From: "Pavel Levshin" <flicker@...iinsky.ru>
To: <bugtraq@...urityfocus.com>
Subject: Remote Administrator 2.x: highly possible remote hole or backdoor


Hello!

There is an ongoing DDOS attack against some websites in Russia, including
http://www.peterhost.ru. It began on 21 January and has increased over
time. The actual flood is performed by little executables on "infected"
computers. These .exe files lie in the root directory of drive C of each
computer. They vary in size, and are, in common, from 3072 to 5120 bytes in
size. Some of the names of these executables are:

666.exe
rich.exe
ric1.exe
fich.exe
tcpf.exe
udpf.exe
tzpf.exe
tzpy.exe

This is not a real infection, though. Affected computers have different
versions of Windows installed. There are Windows 98 as well as Windows 2000
and XP. Most of these computers are somewhat protected with a firewall. Other
software differs, too, but there is one common point between most of them:
they have Remote Administrator 2.x (http://www.famatech.com) installed and
reachable from the Internet.

It does not look like a simple issue with weak passwords. I did speak with an
owner of the affected PC, and he assured me that his RA password is strong
enough. Moreover, there is a thread on the same problem:

http://www.famatech.com/support/forum/read.php?PAGEN_1=1&FID=11&TID=5856#nav_start

As of Feb 12, most computers used for DDOS were located at IP networks with
the following first octets:

200, 202, 203, 210-213, 217-220, 24, 61-69, 80-82.


With best regards, Pavel Levshin.  E-mail: flicker@...iinsky.ru
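
A triage check built from the file indicators reported in the message above, as an added example that is not part of the original post: it lists .exe files sitting directly in a drive root (or a mounted copy of one) that match a reported name or fall in the reported 3072 to 5120 byte range. The function names and the sample directory are constructed for illustration; a size-only match is a weak signal that needs manual review.

```python
import os
import tempfile

# File names and size range exactly as reported in the post above.
REPORTED_NAMES = {"666.exe", "rich.exe", "ric1.exe", "fich.exe",
                  "tcpf.exe", "udpf.exe", "tzpf.exe", "tzpy.exe"}
SIZE_MIN, SIZE_MAX = 3072, 5120


def triage_root(root):
    """Return sorted [(filename, size, reasons)] for .exe files directly in `root`.

    Non-recursive on purpose: the post places the files in the drive root.
    """
    findings = []
    with os.scandir(root) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            name = entry.name.lower()  # Windows file names are case-insensitive
            if not name.endswith(".exe"):
                continue
            size = entry.stat(follow_symlinks=False).st_size
            reasons = []
            if name in REPORTED_NAMES:
                reasons.append("reported-name")
            if SIZE_MIN <= size <= SIZE_MAX:
                reasons.append("reported-size-range")
            if reasons:
                findings.append((entry.name, size, reasons))
    return sorted(findings)


def build_sample_root():
    """Constructed sample directory standing in for C:\\ (zero-filled files only)."""
    root = tempfile.mkdtemp(prefix="root_triage_")
    samples = {"TCPF.EXE": 4096, "updater.exe": 3500,
               "rich.exe": 20000, "setup.exe": 900000, "notes.txt": 4000}
    for name, size in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    for name, size, reasons in triage_root(build_sample_root()):
        print(f"{name:12} {size:7} {','.join(reasons)}")
```
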


