RE: RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21, destroyed files

From: James McGee (jmat_private)
Date: Wed Mar 13 2002 - 16:28:52 PST


    Fluxay contains a trojan; make sure you scan it for viruses "twice!"
    
    Port 524: do you need this open?
    
    Time and time again, I find many a system exposed to the world with a
    ridiculous number of ports open.
    
    Only let in, through whatever firewall you use, the ports that are absolutely
    necessary for the server's functionality.
    
    Surely you could place your SQL server inside your network, and pass traffic
    through to it from a secure machine?  If not, the people/services using SQL
    must be reasonably trusted; put them on a separate connection?
    
    Cheers
    
    JM
    
     -----Original Message-----
    From: 	bukysat_private [mailto:bukysat_private]
    Sent:	13 March 2002 18:07
    To:	incidentsat_private
    Cc:	bukysat_private
    Subject:	RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21,
    destroyed files
    
    We have experienced an unusually tenacious set of destructive attacks
    on very many machines here, in three waves over the last several weeks.
    
    Last month it was port 1433 SQL server blank admin password attacks,
    resulting in blasting of systems down to empty C: drives. Closely
    followed by another set of attacks (method unknown) from the same set
    of hosts (in China), resulting in installation of the RemoteNC backdoor
    (usually listening on TCP ports 4 or 6), and often ending in
    destruction of the C: drive.
    
    This month, it looks like ping and port 524 probes, followed by a mix
    of port 21, 139, and 445 activity.  Also including installation of
    RemoteNC and/or wiping of C: drive, or at least removal of kernel
    file.  Disabling of port 524 traffic still resulted in successful
    attacks that apparently worked around lack of port 524 information
    leaks.  We have known brute-force password attempts.  We DON'T KNOW
    whether all entry is solely via weak passwords, or something else.
    
    I suspect they may be something called "Fluxay" which was published on
    the same Chinese site (netxeyes) that publishes RemoteNC.  Last month
    it was not downloadable to me.  Since then a few people have turned up
    some copies for me.
    
    RemoteNC is easy to detect, as a TCP connection to it gets a "RemoteNC
    password:" prompt.  Executable file on compromised machines is usually
    "TCPMUX.EXE" or "TCPMX.EXE".  ISS shows the "tcpmux" or "tcpmx" service
    running.  Recent antivirus software detects it (since we submitted it
    to AV vendors last month).
    
    
    *** If anybody is experiencing the same, CAN COMPARE NOTES? ***
    
    
    Liudvikas Bukys
    University of Rochester
    bukysat_private
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
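A defender-side check for the detection hint in the original post (a TCP connection to RemoteNC answers with a "RemoteNC password:" prompt, usually on ports 4 or 6), added here as an example and not code from either poster: it connects to a host's listeners, reads the first bytes sent, and flags the prompt. The loopback listener is a constructed stand-in for a compromised machine so the check runs offline; host names, ports and timeouts are assumptions.

```python
import socket
import threading

# Banner the original post says RemoteNC returns on connect, and the
# ports it says the backdoor usually listens on.
REMOTENC_BANNER = b"RemoteNC password:"
REMOTENC_PORTS = (4, 6)


def is_remotenc_banner(data: bytes) -> bool:
    """True if the first bytes a listener sends look like the RemoteNC prompt."""
    return REMOTENC_BANNER.lower() in data.lower()


def probe(host: str, port: int, timeout: float = 3.0) -> tuple:
    """Connect, read what the listener sends first, and classify it.
    Returns (reachable, is_remotenc, banner); a listener that accepts
    but stays silent yields (True, False, b"")."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""
    except OSError:  # refused, unreachable, or connect timed out
        return (False, False, b"")
    return (True, is_remotenc_banner(banner), banner)


def _loopback_listener(banner: bytes) -> int:
    """Constructed stand-in for a compromised host: one-shot loopback
    listener that sends `banner` on connect. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def selftest() -> bool:
    """Offline check: the stand-in is flagged, an FTP-style banner is not."""
    hit = probe("127.0.0.1", _loopback_listener(b"RemoteNC password: "))
    miss = probe("127.0.0.1", _loopback_listener(b"220 ftp ready\r\n"))
    return hit[0] and hit[1] and miss[0] and not miss[1]
```

Against a real host, `{p: probe("host", p) for p in REMOTENC_PORTS}` gives one result per port the post names; a `(True, False, ...)` result is worth a look too, since the prompt text could differ between builds.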



    This archive was generated by hypermail 2b30 : Thu Mar 14 2002 - 12:10:49 PST