From: Michael Scheidell (scheidell@secnap.net)
Date: Mon Sep 02 2002 - 11:21:19 EDT
Radmin is a very fast, very powerful remote administrator server available
on Win95 and above. Radmin is used by help desks and fortune 500 clients
worldwide.
This software gives the user the ability to remotely monitor, control and
transfer files to and from his remote client via a password protected,
encrypted TCP connection. Option include remote Telnet (on WinNt and
above) and fast, encrypted explorer like file transfers.
Recently, we picked up a large increase in probes for radmin default port.
(Tcp port 4899) from several networks, targeting many of our clients who
have never run radmin. This activity suggests an increasing frequency of
port scans for this service.
If you have installed radmin using the default installation options,
please read this:
By default, radmin uses a know port, TCP port 4899 for remote access.
Also, if you are using password authentication only, a remote user only
has to find an open TCP port 4899 and guess one word: your password.
There could also be the possibility of an unknown exploit in radmin that
could allow access without a password.
We discussed this with FamaTech (creators of radmin) and asked if they
knew of any exploits that might explain this increase in scanning. They
indicated that they had no reports of remote exploits at this time.
With no other evidence to go by, we have concluded that this is either an
attempt to find remotely controllable systems with weak passwords, or some
trojan has an embedded radmin server in it.
If you have evidence of an exploit, please contact scheidell@secnap.net
and support@radmin.com
For more information, you can visit FamaTech's user forum:
http://forum.radmin.com/
or their FAQ: "how safe is it to use Radmin" at:
http://www.radmin.com/support/faq.html#1_1
Suggestions to increase security on radmin include:
Change default port from 4899 to something else
(change it on the REMOTE first so you can still access client)
Use ip address filtering to limit the host range if possible.
(If you know the ip address range of your remote clients you can use
that to limit access)
If radmin is running on NT, Win2k or XP PRO, use WinNT options
(requires a username AND password) or use STRONG passwords
Enable the log file and look for unknown addresses attempting to access
your server.
Put radmin behind a Firewall and access via VPN.
---------
SECNAP will continue to monitor this activity and release more information
when available.
More information on current trojan/port scanning activity can be found at:
http://www.mynetwatchman.com/tp.asp (select radmin list)
or directly at:
http://www.mynetwatchman.com/myNetWatchman/incidentsbyport.asp?Range=2&SID=115237
More information on radmin can be found at www.radmin.com
This Security Bulletin is Copyright(c) 2002 SECNAP Network Security, LLC,
and can only be copied or forwarded without modification.
-- Michael Scheidell, SECNAP Network Security, LLC Sales: 866-SECNAPNET / (1-866-732-6276) Main: 561-368-9561 / www.secnap.net Looking for a career in Internet security? http://www.secnap.net/employment/
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:21:37 EDT