Recently I found 12 or so machines that had fluxray on them and I don't know how they got there... But interestingly enough there was a file called "Project1" on each machine (I don't remember the extension). All the machines were Windows 2000 SP1 but I am unsure of the Hotfixes, etc. that were applied to each. I believe Fluxray was installed in C:\WINDOWS\SYSTEM32\IPCSVC and was running as ipcsvc.exe.

----- Original Message -----
From: <bukysat_private>
To: <incidentsat_private>
Cc: <bukysat_private>
Sent: Wednesday, March 13, 2002 12:07 PM
Subject: RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21, destroyed files

> We have experienced an unusually tenacious set of destructive attacks
> on very many machines here, in three waves over the last several weeks.
>
> Last month it was port 1433 SQL server blank admin password attacks,
> resulting in blasting of systems down to empty C: drives. Closely
> followed by another set of attacks (method unknown) from the same set
> of hosts (in China), resulting in installation of the RemoteNC backdoor
> (usually listening on TCP ports 4 or 6), and often ending in
> destruction of the C: drive.
>
> This month, it looks like ping and port 524 probes, followed by a mix
> of port 21, 139, and 445 activity. Also including installation of
> RemoteNC and/or wiping of C: drive, or at least removal of kernel
> file. Disabling of port 524 traffic still resulted in successful
> attacks that apparently worked around lack of port 524 information
> leaks. We have known brute-force password attempts. We DON'T KNOW
> whether all entry is solely via weak passwords, or something else.
>
> I suspect they may be something called "Fluxay" which was published on
> the same Chinese site (netxeyes) that publishes RemoteNC. Last month
> it was not downloadable to me. Since then a few people have turned up
> some copies for me.
>
> RemoteNC is easy to detect, as a TCP connection to it gets a "RemoteNC
> password:" prompt. Executable file on compromised machines is usually
> "TCPMUX.EXE" or "TCPMX.EXE". ISS shows the "tcpmux" or "tcpmx" service
> running. Recent antivirus software detects it (since we submitted it
> to AV vendors last month).
>
>
> *** If anybody is experiencing the same, CAN WE COMPARE NOTES? ***
>
>
> Liudvikas Bukys
> University of Rochester
> bukysat_private
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 15:19:13 PST