We have experienced an unusually tenacious set of destructive attacks on very many machines here, in three waves over the last several weeks. Last month it was port 1433 SQL server blank admin password attacks, resulting in blasting of systems down to empty C: drives. Closely following by another set of attacks (method unknown) from the same set of hosts (in China), resulting in installation of the RemoteNC backdoor (usually listening on TCP ports 4 or 6), and often ending in destruction of the C: drive. This month, it looks like ping and port 524 probes, followed by a mix of port 21, 139, and 445 activity. Also including installation of RemoteNC and/or wiping of C: drive, or at least removal of kernel file. Disabling of port 524 traffic still resulted in successful attacks that apparently worked around lack of port 524 information leaks. We have known brute-force password attempts. We DON'T KNOW whether all entry is solely via weak passwords, or something else. I suspect they may be something called "Fluxay" which was published on the same Chinese site (netxeyes) that publishes RemoteNC. Last month it was not downloadable to me. Since then a few people have turned up some copies for me. RemoteNC is easy to detect, as a TCP connection to it gets a "RemoteNC password:" prompt. Executable file on compromised machines is usually "TCPMUX.EXE" or "TCPMX.EXE". ISS shows the "tcpmux" or "tcpmx" service running. Recent antivirus software detects it (since we submitted it to AV vendors last month). *** If anybody is experiencing the same, CAN COMPARE NOTES? *** Liudvikas Bukys University of Rochester bukysat_private ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 11:46:27 PST