[VulnWatch] SECNAP Security Alert: Radmin Default install options vulnerability

From: Michael Scheidell (scheidellat_private)
Date: Mon Sep 02 2002 - 08:21:19 PDT


    Radmin is a very fast, very powerful remote administrator server available
    on Win95 and above.  Radmin is used by help desks and fortune 500 clients
    worldwide.
    
    This software gives the user the ability to remotely monitor, control and
    transfer files to and from a remote client via a password-protected,
    encrypted TCP connection.  Options include remote Telnet (on WinNT and
    above) and fast, encrypted, Explorer-like file transfers.
    
    Recently, we picked up a large increase in probes for the radmin default
    port (TCP port 4899) from several networks, targeting many of our clients
    who have never run radmin.  This activity suggests an increasing frequency
    of port scans for this service.
    
    If you have installed radmin using the default installation options,
    please read this:
    
    By default, radmin uses a known port, TCP port 4899, for remote access.
    Also, if you are using password authentication only, a remote user only
    has to find an open TCP port 4899 and guess one word: your password.
    
    There could also be the possibility of an unknown exploit in radmin that
    could allow access without a password.
    
    We discussed this with FamaTech (creators of radmin) and asked if they
    knew of any exploits that might explain this increase in scanning.  They
    indicated that they had no reports of remote exploits at this time.
    
    With no other evidence to go by, we have concluded that this is either an
    attempt to find remotely controllable systems with weak passwords, or some
    trojan has an embedded radmin server in it.
    
    If you have evidence of an exploit, please contact scheidellat_private
    and supportat_private
    
    For more information, you can visit FamaTech's user forum:
    http://forum.radmin.com/
    
    or their FAQ: "how safe is it to use Radmin" at:
    http://www.radmin.com/support/faq.html#1_1
    
    Suggestions to increase security on radmin include:
    Change the default port from 4899 to something else
       (change it on the REMOTE side first so you can still reach the client)
    
    Use ip address filtering to limit the host range if possible.
      (If you know the ip address range of your remote clients you can use
       that to limit access)
    
    If radmin is running on NT, Win2k or XP Pro, use the WinNT security option
     (requires a username AND password); in either case use STRONG passwords,
     since a guessable password is all a scanner needs once it finds the port
    
    Enable the log file and look for unknown addresses attempting to access
    your server.
    
    Put radmin behind a Firewall and access via VPN.
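    As an added illustration (not part of the original bulletin, and not
    code from FamaTech or Radmin), the following Python script puts the
    log-review suggestions above into practice: it parses constructed firewall
    log lines (iptables LOG-style, made up for the example) for connections to
    TCP 4899, flags sources that sweep the port across several hosts (the probe
    pattern described at the top of this bulletin), and reports any source that
    reached the port from outside the IP filter list.  The log format, the
    addresses and the three-host threshold are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the style of an iptables LOG target; these are
# made up for this example and are not real SECNAP or customer data.
SAMPLE_LOG = """\
Sep  2 07:41:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3321 DPT=4899 SYN
Sep  2 07:41:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=3322 DPT=4899 SYN
Sep  2 07:41:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=3323 DPT=4899 SYN
Sep  2 07:41:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=3324 DPT=4899 SYN
Sep  2 07:41:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=1188 DPT=4899 SYN
Sep  2 07:41:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=1189 DPT=4899 SYN
Sep  2 07:42:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=4412 DPT=80 SYN
"""

RADMIN_PORT = 4899  # radmin's default listening port, as stated in the bulletin

# Fields we need from each line; lines that do not match are ignored.
LINE_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"PROTO=TCP .*?DPT=(?P<dport>\d+)"
)


def parse_tcp_events(text):
    """Return a list of (src, dst, dport) tuples, one per parsable TCP log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return events


def find_scanners(events, port=RADMIN_PORT, min_targets=3):
    """Sources that touched `port` on at least `min_targets` distinct hosts.

    One source sweeping a single port across many destinations is the
    horizontal-scan pattern the bulletin describes.  Returns
    {src: sorted list of destinations} for every source over the threshold.
    """
    targets = defaultdict(set)
    for src, dst, dport in events:
        if dport == port:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def unauthorized_sources(events, allowed_nets, port=RADMIN_PORT):
    """Sources that reached `port` from outside the permitted client ranges.

    `allowed_nets` is the IP filter list the bulletin recommends, given as
    CIDR strings.  Any other source hitting the radmin port is a login
    attempt that should not be happening and is worth looking into.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    bad = set()
    for src, _dst, dport in events:
        if dport != port:
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in nets):
            bad.add(src)
    return bad


if __name__ == "__main__":
    evs = parse_tcp_events(SAMPLE_LOG)
    print("port sweepers:", find_scanners(evs))
    print("outside filter list:", unauthorized_sources(evs, ["198.51.100.0/24"]))
```

    Run against the sample, the sweep check singles out the source that walked
    four hosts on 4899, while the filter check also catches the repeated
    single-host attempts from anywhere not on the allowed list; the same two
    functions apply unchanged once you point them at your own firewall or
    radmin log output.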
    
    ---------
    SECNAP will continue to monitor this activity and release more information
    when available.
    
    More information on current trojan/port scanning activity can be found at:
    
    http://www.mynetwatchman.com/tp.asp (select radmin list)
    or directly at:
    
    http://www.mynetwatchman.com/myNetWatchman/incidentsbyport.asp?Range=2&SID=115237
    
    More information on radmin can be found at www.radmin.com
    
    This Security Bulletin is Copyright(c) 2002 SECNAP Network Security, LLC,
    and can only be copied or forwarded without modification.
    
    -- 
    Michael Scheidell,
    SECNAP Network Security, LLC 
    Sales: 866-SECNAPNET / (1-866-732-6276)
    Main: 561-368-9561 / www.secnap.net
    Looking for a career in Internet security?
    http://www.secnap.net/employment/
