
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-07-09



Distributed FTP Brute Force Scans - Is radmin back?

Published: 2004-07-09
Last Updated: 2004-07-10 00:14:29 UTC
by Chris Carboni (Version: 1)
Distributed FTP Brute Force Scans

Clarke Morledge of the College of William and Mary reports that, beginning at about 08:30 EDT yesterday, systems at his institution and at two other universities were subjected to what appears to be a distributed brute-force FTP attack.

The logs show login attempts for 'root', 'admin' and other accounts, with various passwords, from more than thirty different IP addresses, and the set of source addresses was different at each of the three institutions. Spreading the attempts over many sources keeps each individual address below the per-IP failure thresholds that most lockout and log-alerting rules use; to see this kind of attack, correlate failures by target account across sources rather than by source alone.

If you discover that you have been subjected to this or a similar attack as well, drop us a note and let us know.
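The detection logic described above, as an added example that is not code from the diary or from any of the reporting universities: it parses constructed log lines modelled on the W3C extended format written by the Microsoft FTP Service, pairs each rejected PASS with the USER command of the same source and session, and then compares a classic per-source-IP threshold with a per-username count of distinct sources inside a sliding time window. The sample log, the log format, the thresholds and the window length are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format (modelled on Microsoft FTP Service W3C logging):
#   date time c-ip [session]method uri-stem status
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) \[(\d+)\](USER|PASS) (\S+) (\d{3})$"
)


def build_sample_log():
    """Constructed sample (not real data): 30 sources each try 'root' and 'admin'
    twice over about eight minutes, so no source exceeds 4 failures, plus one
    legitimate login from an unrelated host."""
    lines = []
    base = datetime(2004, 7, 8, 12, 30, 0)
    for i in range(30):
        ip = f"203.0.113.{10 + i}"
        for k, user in enumerate(("root", "admin", "root", "admin")):
            stamp = (base + timedelta(seconds=16 * i + 3 * k)).strftime("%Y-%m-%d %H:%M:%S")
            sid = 100 + i * 4 + k
            lines.append(f"{stamp} {ip} [{sid}]USER {user} 331")
            lines.append(f"{stamp} {ip} [{sid}]PASS - 530")
    lines.append("2004-07-08 12:33:10 198.51.100.7 [500]USER ftpuser 331")
    lines.append("2004-07-08 12:33:11 198.51.100.7 [500]PASS - 230")
    return lines


def failed_logins(lines):
    """Yield (timestamp, source_ip, username) for every rejected PASS (status 530),
    pairing it with the USER command seen earlier for the same source and session."""
    pending = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, ip, sid, verb, arg, status = m.groups()
        if verb == "USER":
            pending[(ip, sid)] = arg
        elif verb == "PASS" and status == "530":
            yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), ip, pending.pop((ip, sid), "?")


def per_source_alerts(lines, threshold=5):
    """Classic per-IP rule: sources with more than `threshold` failures.
    Returns {} for the sample log, because every source stays below it."""
    fails = Counter(ip for _, ip, _ in failed_logins(lines))
    return {ip: n for ip, n in fails.items() if n > threshold}


def distributed_alerts(lines, window=timedelta(minutes=10), min_sources=10):
    """Per-username rule: flag a username when at least `min_sources` distinct
    source IPs fail against it within any interval of length `window`."""
    by_user = defaultdict(list)
    for ts, ip, user in failed_logins(lines):
        by_user[user].append((ts, ip))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        best_count, best_start = 0, None
        j = 0
        for i, (start, _) in enumerate(events):
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            sources = {ip for _, ip in events[i:j]}
            if len(sources) > best_count:
                best_count, best_start = len(sources), start
        if best_count >= min_sources:
            alerts[user] = {"distinct_sources": best_count,
                            "window_start": best_start,
                            "total_failures": len(events)}
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("per-source rule fired on:", per_source_alerts(log))
    for user, info in distributed_alerts(log).items():
        print(f"{user}: {info['distinct_sources']} sources, "
              f"{info['total_failures']} failures from {info['window_start']}")
```

Run as a script it shows the per-source rule staying silent while the per-username rule reports both 'root' and 'admin' attacked from thirty addresses. The same two functions can be pointed at a real log by replacing build_sample_log() with the file's lines, provided the line format matches the regular expression.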

radmin 2.0?

Paul Asadoorian at Brown University reports that several systems have been compromised by what seems to be a variant of radmin (Remote Administrator). All of these systems were found to be missing at least one major patch. Symptoms of the compromise are as follows:

- They are all scanning the Internet for hosts listening on port 1433 TCP (MS SQL Server).

- They are all listening on port 26101 TCP (radmin renamed to lsass.exe and placed in c:\winnt; the legitimate lsass.exe lives in c:\winnt\system32).

- They all listen on the following port for FTP:

Port: 35894 TCP

Banner: 220 Microsoft FTP Server

- The file tapiui.exe was found in the c:\winnt\system32 directory; it is the FTP server listening on port 35894.

- The file "kill.exe" was found in the root of the C: drive.


Various AV vendors list Trojans and backdoors that mention radmin v2.0, but none seem to describe the same dropped files or registry entries such as:

[HKEY_CURRENT_USER\Software\RAdmin\v2.0\Clients]
"2"=hex:e0,93,04,00,0c,0c,00,50,00,00,05,00,00,00,64,00,00,00,00,00,00,00,01,\
00,00,00,00,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,\
00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,31,39,32,\
2e,31,36,38,2e,31,2e,35,30,00,00,00,00,51,05,01,35,1c,ca,12,00,2e,00,d3,77,\
51,05,01,35,6b,00,10,01,af,cc,d3,77,50,ef,5e,00,07,00,00,00,11,00,00,00,04,\
00,00,00,28,00,00,00,10,00,00,00,02,02,00,00,00,00,00,00,f8,d3,14,00,00,02,\
00,00,03,00,00,00,03,00,00,00,48,00,00,00,14,00,00,00,11,00,00,00,31,39,32,\
2e,31,36,38,2e,31,2e,35,30,00,00,00,00,51,05,01,35,1c,ca,12,00,2e,00,d3,77,\
51,05,01,35,6b,00,10,01,af,cc,d3,77,50,ef,5e,00,07,00,00,00,11,00,00,00,04,\
00,00,00,28,00,00,00,10,00,00,00,02,02,00,00,00,00,00,00,f8,d3,14,00,00,02,\
00,00,03,00,00,00,03,00,00,00,48,00,00,00,14,00,00,00,11,00,00,00,00,00,00,\
00,00,00,00,00,00,00,23,13,00,00,49,9c,00,00,02,00,00,00,00,00,00,00

and

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
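Comparing these entries with a vendor write-up means decoding the hex value. The following is an added example, not code from the diary: a parser for the subset of .reg syntax shown above (bracketed keys, hex: values with backslash continuation lines, dword: values), run over the two entries quoted above, followed by a printable-string sweep of the binary blob. Decoding shows the Clients value contains the ASCII string 192.168.1.50 twice, and the Lsa entry sets RestrictAnonymous to 1, which limits what anonymous (null-session) connections can enumerate. The parser only handles the .reg constructs present in this export; that limitation is an assumption of the example.

```python
import re

# The two registry entries quoted in the diary, pasted verbatim as a .reg export.
# The data is the diary's own; the parser and string extraction are added here.
REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\RAdmin\v2.0\Clients]
"2"=hex:e0,93,04,00,0c,0c,00,50,00,00,05,00,00,00,64,00,00,00,00,00,00,00,01,\
00,00,00,00,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,01,00,\
00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,31,39,32,\
2e,31,36,38,2e,31,2e,35,30,00,00,00,00,51,05,01,35,1c,ca,12,00,2e,00,d3,77,\
51,05,01,35,6b,00,10,01,af,cc,d3,77,50,ef,5e,00,07,00,00,00,11,00,00,00,04,\
00,00,00,28,00,00,00,10,00,00,00,02,02,00,00,00,00,00,00,f8,d3,14,00,00,02,\
00,00,03,00,00,00,03,00,00,00,48,00,00,00,14,00,00,00,11,00,00,00,31,39,32,\
2e,31,36,38,2e,31,2e,35,30,00,00,00,00,51,05,01,35,1c,ca,12,00,2e,00,d3,77,\
51,05,01,35,6b,00,10,01,af,cc,d3,77,50,ef,5e,00,07,00,00,00,11,00,00,00,04,\
00,00,00,28,00,00,00,10,00,00,00,02,02,00,00,00,00,00,00,f8,d3,14,00,00,02,\
00,00,03,00,00,00,03,00,00,00,48,00,00,00,14,00,00,00,11,00,00,00,00,00,00,\
00,00,00,00,00,00,00,23,13,00,00,49,9c,00,00,02,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(hex|dword):(.*)$')
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")


def _decode(kind, data):
    """dword: values are hex integers; hex: values are comma-separated bytes."""
    if kind == "dword":
        return int(data, 16)
    return bytes(int(h, 16) for h in data.split(",") if h)


def parse_reg(text):
    """Parse only the .reg constructs used in the export above (assumption):
    [key] lines, "name"=dword:... and "name"=hex:... with '\\' continuation.
    Returns {(key, value_name): int | bytes}."""
    entries, key, name, kind, buf = {}, None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if name is not None:                     # inside a continued hex: value
            buf.append(line.rstrip("\\"))
            if not line.endswith("\\"):
                entries[(key, name)] = _decode(kind, "".join(buf))
                name, buf = None, []
            continue
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        vname, kind, data = m.groups()
        if data.endswith("\\"):
            name, buf = vname, [data.rstrip("\\")]
        else:
            entries[(key, vname)] = _decode(kind, data)
    return entries


def ascii_strings(blob, minlen=4):
    """Printable-ASCII runs of at least `minlen` bytes, like the 'strings' tool."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % minlen, blob)]


def radmin_client_strings(text=REG_EXPORT):
    """Strings embedded in value "2" under the radmin v2.0 Clients key."""
    blob = parse_reg(text).get((r"HKEY_CURRENT_USER\Software\RAdmin\v2.0\Clients", "2"), b"")
    return ascii_strings(blob)


def restrict_anonymous(text=REG_EXPORT):
    """Value of Lsa\\RestrictAnonymous, or None if the export does not set it."""
    return parse_reg(text).get(
        (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous"))


if __name__ == "__main__":
    for (key, vname), value in parse_reg(REG_EXPORT).items():
        shown = value if isinstance(value, int) else f"{len(value)} bytes, strings {ascii_strings(value)}"
        print(f"{key}\\{vname}: {shown}")
```

The same parse_reg() and ascii_strings() pair works on a larger export taken from a suspect host with "regedit /e", as long as it contains only the constructs listed in the docstring; anything else (string, expanded-string or multi-string values) is skipped rather than decoded.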

Our malware analysis team is examining the files.
This is probably a good time to restate our recommendation: if a system under your control has been compromised, flatten it and rebuild it securely from known-good media. Deleting only the files and registry entries listed above leaves you guessing about whatever else the intruder installed.



SANSFIRE - If you're at SANSFIRE or in the Monterey area, stop into the IPNet Hacking Challenge and say 'Hi' to the handlers.

Offer to take them out and buy them a beverage or nine.

Make sure they have a tough time getting up in the morning. ;)


Chris 'There is no spoon or chip on my shoulder' dot Carboni at verizon dot net