| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 16 Feb 2004 14:22:36 +0300 From: "Pavel Levshin" <flicker@...iinsky.ru> To: <bugtraq@...urityfocus.com> Subject: Remote Administrator 2.x: highly possible remote hole or backdoor Hello! There is ongoing DDOS attack against some websites in Russia, including http://www.peterhost.ru. It has begun at 21, January, and has increased over time. Actual flood is performed by little executables on "infected" computers. These .exe files lie at the root directory of the drive C of each computer. They vary in size, and are, in common, from 3072 to 5120 bytes in size. Some of names of these executables are: 666.exe rich.exe ric1.exe fich.exe tcpf.exe udpf.exe tzpf.exe tzpy.exe This in not a real infection, though. Affected computers have different versions of Windows installed. There are Windows 98 as well as Windows 2000 and XP. Most of these computers are somewhat protected with firewall. Other software differs, too, but there is one common point between most of them: they have Remote Administrator 2.x (http://www.famatech.com) installed and reachable from the Internet. It does not look like a simple issue with weak passwords. I did speak with a owner of the affected PC, and he assured me that his RA password is strong enough. Moreover, there is a thread on the same problem: http://www.famatech.com/support/forum/read.php?PAGEN_1=1&FID=11&TID=5856#nav _start As of Feb, 12, most computers used for DDOS were located at IP networks with following first octets: 200, 202, 203, 210-213, 217-220, 24, 61-69, 80-82. With best regards, Pavel Levshin. E-mail: flicker@...iinsky.ru
Powered by blists - more mailing lists