[unisog] RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21, destroyed files

Christopher Cramer chris.cramer at duke.edu
Wed Mar 27 14:53:51 GMT 2002

the remotenc backdoor comes with the ability to trojan itself as any
number of windows services and can be configured to listen on any port. 
if you want to take a closer look, the program can be downloaded from: 

this page also lists the scanner fluxay which has the ability to
dictionary attack the passwords for windows administrator accounts.  

i haven't had too much time to look into these, but i would love to hear
someone else's analysis. :)


Christopher E. Cramer, Ph.D.
Information Technology Security Officer
Duke University,  Office of Information Technology
253A North Building, Box 90132, Durham, NC  27708-0291
PH: 919-660-7003  FAX: 919-660-7076  email: chris.cramer at duke.edu

On Wed, 2002-03-27 at 01:08, Daniel G. Epstein wrote:
> On Tue, Mar 26, 2002 at 11:46:33PM -0600, Daniel G. Epstein wrote:
> > strings output, along with an author going by the name of Assassin.  We
> > have seen these as trojaned versions of C:\WINNT\system32\W32Time.exe
> > and MSTask.exe, but they don't return such an obvious prompt as you
> > describe.
> Oops, I forgot to mention that these binaries were listening on TCP 7
> and TCP 1025.  It occurs to me that Tracey Losco from NYU was asking about
> port 1025 scans in the "Coordinated Scans" thread . . . perhaps the
> scanners were looking for that?
> Cheers,
> Dan
> -- 
> A boast of "I have been's,"  | Daniel G. Epstein
> quoted from foolscap tomes,  | Network Security Officer,
> is a shadow brushed away     | Network Security & Enterprise
> by an acorn from an oak tree |  Network Systems Administration
> or a salmon in a pool.       | NSIT, The University of Chicago
>                              | depstein at uchicago.edu
> For PGP key see http://security.uchicago.edu/centerinfo/pgpkeys.shtml
