[unisog] RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21, destroyed files
chris.cramer at duke.edu
Wed Mar 27 14:53:51 GMT 2002
the remotenc backdoor comes with the ability to trojan itself as any
number of windows services and can be configured to listen on any port.
if you want to take a closer look, the program can be downloaded from:
this page also lists the scanner fluxay which has the ability to
dictionary attack the passwords for windows administrator accounts.
i haven't had too much time to look into these, but i would love to hear
someone else's analysis. :)
Christopher E. Cramer, Ph.D.
Information Technology Security Officer
Duke University, Office of Information Technology
253A North Building, Box 90132, Durham, NC 27708-0291
PH: 919-660-7003 FAX: 919-660-7076 email: chris.cramer at duke.edu
On Wed, 2002-03-27 at 01:08, Daniel G. Epstein wrote:
> On Tue, Mar 26, 2002 at 11:46:33PM -0600, Daniel G. Epstein wrote:
> > strings output, along with an author going by the name of Assassin. We
> > have seen these as trojaned versions of C:\WINNT\system32\W32Time.exe
> > and MSTask.exe, but they don't return such an obvious prompt as you
> > describe.
> Oops, I forgot to mention that these binaries were listening on TCP 7
> and TCP 1025. It occurs to me that Tracey Losco from NYU was asking about
> port 1025 scans in the "Coordinated Scans" thread . . . perhaps the
> scanners were looking for that?
> A boast of "I have been's," | Daniel G. Epstein
> quoted from foolscap tomes, | Network Security Officer,
> is a shadow brushed away | Network Security & Enterprise
> by an acorn from an oak tree | Network Systems Administration
> or a salmon in a pool. | NSIT, The University of Chicago
> | depstein at uchicago.edu
> For PGP key see http://security.uchicago.edu/centerinfo/pgpkeys.shtml