Message-ID: <200209021521.g82FLJD84089@scanner.secnap.net>
From: scheidell at secnap.net (Michael Scheidell)
Subject: SECNAP Security Alert: Radmin Default install options vulnerability

Radmin is a very fast, very powerful remote administration server available
on Win95 and above.  Radmin is used by help desks and Fortune 500 clients
worldwide.

This software gives the user the ability to remotely monitor, control and
transfer files to and from a remote client over a password-protected,
encrypted TCP connection.  Options include remote Telnet (on Windows NT and
above) and fast, encrypted, Explorer-like file transfers.

Recently, we picked up a large increase in probes for the Radmin default port
(TCP port 4899) from several networks, targeting many of our clients who
have never run Radmin.  This activity suggests an increasing frequency of
port scans for this service.

If you have installed Radmin using the default installation options,
please read this:

By default, Radmin listens on a known port, TCP port 4899, for remote access.
Also, if you are using password authentication only, a remote user only
has to find an open TCP port 4899 and guess one word: your password.

There is also the possibility of an unknown exploit in Radmin that
could allow access without a password.

We discussed this with FamaTech (creators of Radmin) and asked if they
knew of any exploits that might explain this increase in scanning.  They
indicated that they had no reports of remote exploits at this time.

With no other evidence to go by, we have concluded that this is either an
attempt to find remotely controllable systems with weak passwords, or some
trojan has an embedded Radmin server in it.

If you have evidence of an exploit, please contact scheidell@...nap.net
and support@...min.com

For more information, you can visit FamaTech's user forum:
http://forum.radmin.com/

or their FAQ: "how safe is it to use Radmin" at:
http://www.radmin.com/support/faq.html#1_1

Suggestions to increase security on Radmin include:

Change the default port from 4899 to something else.
   (Change it on the REMOTE server first so you can still reach it
    from your client afterwards.)

Use IP address filtering to limit the allowed host range if possible.
   (If you know the IP address range your remote clients connect from,
    use that range to limit access.)

If Radmin is running on NT, Win2k or XP Pro, use the Windows NT security
option (requires a username AND password); otherwise use STRONG passwords.

Enable the log file and look for unknown addresses attempting to access
your server.

Put Radmin behind a firewall and access it via VPN.
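The following Python script is an added example, not part of the original bulletin and not Radmin's own log format. It applies two of the suggestions above to perimeter logs: it parses constructed iptables-style log lines for connections to TCP 4899, ignores sources inside an assumed allow-list of help-desk networks (the ALLOWED_SOURCES value is hypothetical), and flags any remaining source that touched several different hosts, which is the sweep pattern described at the top of this alert.

```python
"""Flag probes of the Radmin default port (TCP 4899) in firewall logs.

Added example for this bulletin; the log format below is a constructed
iptables/syslog style, not the format Radmin itself writes.
"""
import ipaddress
import re

RADMIN_PORT = 4899

# Hypothetical: the networks your help desk legitimately connects from.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Sep  2 10:01:12 fw kernel: IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=3321 DPT=4899 SYN
Sep  2 10:01:13 fw kernel: IN=eth0 SRC=203.0.113.45 DST=192.0.2.11 PROTO=TCP SPT=3322 DPT=4899 SYN
Sep  2 10:01:15 fw kernel: IN=eth0 SRC=203.0.113.45 DST=192.0.2.12 PROTO=TCP SPT=3323 DPT=4899 SYN
Sep  2 10:02:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=4899 SYN
Sep  2 10:02:30 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=80 SYN
Sep  2 10:03:02 fw kernel: IN=eth0 SRC=203.0.113.45 DST=192.0.2.13 PROTO=TCP SPT=3324 DPT=4899 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_probes(log_text, port=RADMIN_PORT):
    """Return (src, dst) pairs for every TCP connection attempt to `port`."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == port:
            probes.append((m.group("src"), m.group("dst")))
    return probes


def is_allowed(src, allowed=ALLOWED_SOURCES):
    """True if `src` falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def summarize(log_text, port=RADMIN_PORT, allowed=ALLOWED_SOURCES,
              sweep_threshold=3):
    """Per unknown source: how many distinct hosts it probed, and whether
    that count reaches `sweep_threshold` (a port sweep rather than a
    single misdirected connection)."""
    targets = {}
    for src, dst in parse_probes(log_text, port):
        if is_allowed(src, allowed):
            continue  # known help-desk range; not interesting here
        targets.setdefault(src, set()).add(dst)
    return {
        src: {"hosts": len(dsts), "sweep": len(dsts) >= sweep_threshold}
        for src, dsts in targets.items()
    }


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        tag = "SWEEP" if info["sweep"] else "probe"
        print(f"{tag:5} {src} -> {info['hosts']} host(s) on port {RADMIN_PORT}")
```

Run against the constructed sample, the allow-listed help-desk host and the unrelated port 80 connection are dropped, and the one remaining source is reported as a sweep because it hit four different internal hosts. Point it at your real firewall log and adjust LINE_RE to that log's field layout; the allow-list is the same range you would configure in Radmin's IP filtering.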

---------
SECNAP will continue to monitor this activity and release more information
when available.

More information on current trojan/port scanning activity can be found at:

http://www.mynetwatchman.com/tp.asp (select radmin list)
or directly at:

http://www.mynetwatchman.com/myNetWatchman/incidentsbyport.asp?Range=2&SID=115237

More information on Radmin can be found at www.radmin.com

This Security Bulletin is Copyright(c) 2002 SECNAP Network Security, LLC,
and can only be copied or forwarded without modification.

-- 
Michael Scheidell,
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/

