Re: RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21, destroyed files

["switched" <security-mail () q-east net>]

Recently I found 12 or so machines that had fluxray on them and I don't know
how they got there...  But interestingly enough there was a file called
"Project1" on each machine ( I don't remember the extension ).  All the
machines were Windows 2000 SP1 but I am unsure of the Hotfixes, etc. that
were applied to each.  I believe Fluxray was installed in
C:\WINDOWS\SYSTEM32\IPCSVC and was running as ipcsvc.exe.

----- Original Message -----
From: <bukys () rochester edu>
To: <incidents () securityfocus com>
Cc: <bukys () rochester edu>
Sent: Wednesday, March 13, 2002 12:07 PM
Subject: RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21,
destroyed files


> We have experienced an unusually tenacious set of destructive attacks
> on very many machines here, in three waves over the last several weeks.
>
> Last month it was port 1433 SQL server blank admin password attacks,
> resulting in blasting of systems down to empty C: drives. Closely
> following by another set of attacks (method unknown) from the same set
> of hosts (in China), resulting in installation of the RemoteNC backdoor
> (usually listening on TCP ports 4 or 6), and often ending in
> destruction of the C: drive.
>
> This month, it looks like ping and port 524 probes, followed by a mix
> of port 21, 139, and 445 activity.  Also including installation of
> RemoteNC and/or wiping of C: drive, or at least removal of kernel
> file.  Disabling of port 524 traffic still resulted in successful
> attacks that apparently worked around lack of port 524 information
> leaks.  We have known brute-force password attempts.  We DON'T KNOW
> whether all entry is solely via weak passwords, or something else.
>
> I suspect they may be something called "Fluxay" which was published on
> the same Chinese site (netxeyes) that publishes RemoteNC.  Last month
> it was not downloadable to me.  Since then a few people have turned up
> some copies for me.
>
> RemoteNC is easy to detect, as a TCP connection to it gets a "RemoteNC
> password:" prompt.  Executable file on compromised machines is usually
> "TCPMUX.EXE" or "TCPMX.EXE".  ISS shows the "tcpmux" or "tcpmx" service
> running.  Recent antivirus software detects it (since we submitted it
> to AV vendors last month).
>
>
> *** If anybody is experiencing the same, CAN COMPARE NOTES? ***
>
>
> Liudvikas Bukys
> University of Rochester
> bukys () rochester edu
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com