From reading the thread on Famatech's site, this looks more like a weak password issue, which is true of "ANY" piece of software using simple password authentication.

Basically, if Radmin is listening on its default port tcp/4899, and you are not using the built-in IP Filter and/or you are not using a firewall to restrict connections to that port, then you are susceptible to dictionary attacks. Plain and simple. This *does not* automatically mean that Radmin is insecure.

<snip>he assured me that his RA password is strong enough.</snip>

"Strong enough" means absolutely nothing in the world of dictionary attacks......

Ask more detailed questions like:

1. Did they enable logging on the Radmin service?
   (settings for remote admin / options / logging: "use event log", "use logfile")
   If so, did they even bother looking at the logs? If not, then shame on them.

2. Are they using the built-in IP Filters?
   (settings for remote admin / options / Use IP filter)
   If not, are they using any other method such as a VPN / firewall / router ACL to allow/block access to that service? If not, then shame on them....

3. Did they even think about running the service on a port other than 4899?

4. Did it ever occur to them not to use the "weak" password method, but rather to use the integrated NT permissions? <recommended>

I think this is more a case of end-user ignorance than a hole/backdoor in Radmin.

JMO

LordInfidel

-----Original Message-----
From: Pavel Levshin [mailto:flicker@mariinsky.ru]
Sent: Monday, February 16, 2004 6:23 AM
To: bugtraq@securityfocus.com
Subject: Remote Administrator 2.x: highly possible remote hole or backdoor

Hello!

There is an ongoing DDoS attack against some websites in Russia, including http://www.peterhost.ru. It began on January 21 and has increased over time.

The actual flood is performed by little executables on "infected" computers. These .exe files lie in the root directory of drive C of each computer. They vary in size, and are, in common, from 3072 to 5120 bytes. Some of the names of these executables are:

666.exe
rich.exe
ric1.exe
fich.exe
tcpf.exe
udpf.exe
tzpf.exe
tzpy.exe

This is not a real infection, though. Affected computers have different versions of Windows installed. There are Windows 98 as well as Windows 2000 and XP. Most of these computers are somewhat protected with a firewall. Other software differs, too, but there is one common point between most of them: they have Remote Administrator 2.x (http://www.famatech.com) installed and reachable from the Internet.

It does not look like a simple issue with weak passwords. I did speak with an owner of an affected PC, and he assured me that his RA password is strong enough.

Moreover, there is a thread on the same problem:
http://www.famatech.com/support/forum/read.php?PAGEN_1=1&FID=11&TID=5856#nav_start

As of Feb 12, most computers used for the DDoS were located in IP networks with the following first octets: 200, 202, 203, 210-213, 217-220, 24, 61-69, 80-82.

With best regards,
Pavel Levshin.
E-mail: flicker@mariinsky.ru
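LordInfidel's first two questions (was logging on, did anyone read the logs, would the IP filter have stopped the source) can be answered mechanically. The script below is an added example written for this page, not code from the thread, from Famatech or from Radmin itself. The log line format, the sample log, and the allowed-network list are all constructed for the example; Radmin's real log layout is not described in the post, so `parse_line()` would need adapting to whatever the service actually writes. It flags a source that bursts past a failure threshold inside a short window (the dictionary-attack signature), a success that follows such a burst (a likely guessed password), and any source that falls outside the networks the administrator legitimately connects from.

```python
"""Detect dictionary-attack patterns against a remote-admin service log.

Added example (hypothetical log format, constructed sample data).
"""
from collections import defaultdict, deque
from datetime import datetime
import ipaddress
import re

# Constructed sample log: attempts against the service on tcp/4899.
# 203.0.113.7 hammers the login and finally gets in; 192.168.1.20 is the
# real admin mistyping a password twice over a quarter of an hour.
SAMPLE_LOG = """\
2004-02-16 06:20:01 LOGIN_FAIL src=203.0.113.7 user=Administrator
2004-02-16 06:20:02 LOGIN_FAIL src=203.0.113.7 user=Administrator
2004-02-16 06:20:02 LOGIN_FAIL src=203.0.113.7 user=Administrator
2004-02-16 06:20:03 LOGIN_FAIL src=203.0.113.7 user=admin
2004-02-16 06:20:04 LOGIN_FAIL src=203.0.113.7 user=admin
2004-02-16 06:20:05 LOGIN_OK   src=203.0.113.7 user=admin
2004-02-16 06:25:10 LOGIN_FAIL src=192.168.1.20 user=admin
2004-02-16 06:40:10 LOGIN_FAIL src=192.168.1.20 user=admin
2004-02-16 06:41:00 LOGIN_OK   src=192.168.1.20 user=admin
"""

# Hypothetical line layout: "<timestamp> <event> src=<ip> user=<name>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<event>LOGIN_FAIL|LOGIN_OK)"
    r"\s+src=(?P<src>[\d.]+)\s+user=(?P<user>\S+)$"
)

# Constructed policy: the only networks the admin connects from. This is
# what the built-in IP filter or a firewall rule in front of 4899 enforces.
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "event": m["event"],
        "src": m["src"],
        "user": m["user"],
    }


def is_allowed(src):
    """True if src falls inside one of the permitted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_NETS)


def detect(log_text, max_failures=3, window_seconds=60):
    """Per source IP, report: burst (>= max_failures failures inside the
    window), success_after_burst (a login succeeded after a burst from the
    same source), outside_allowed (the IP filter should have dropped it)."""
    recent = defaultdict(deque)  # src -> timestamps of failures in window
    burst_seen = set()
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        src, ts = rec["src"], rec["ts"]
        f = findings.setdefault(src, {
            "burst": False,
            "success_after_burst": False,
            "outside_allowed": not is_allowed(src),
        })
        if rec["event"] == "LOGIN_FAIL":
            q = recent[src]
            q.append(ts)
            # drop failures that have aged out of the sliding window
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= max_failures:
                f["burst"] = True
                burst_seen.add(src)
        elif src in burst_seen:  # LOGIN_OK after a burst: probably guessed
            f["success_after_burst"] = True
    return findings


if __name__ == "__main__":
    for src, f in detect(SAMPLE_LOG).items():
        flags = [k for k, v in f.items() if v]
        print(src, "OK" if not flags else "ALERT: " + ", ".join(flags))
```

The threshold and window are deliberately small so the constructed sample trips them; on a real log they should be tuned to how often the genuine administrators mistype. The "outside_allowed" flag is the cheap check: if every flagged source is outside the permitted networks, the IP filter or firewall rule from question 2 would have ended the story before the password ever mattered.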