Systems: Famatech's Radmin remote administrator software
Vulnerable: Radmin 2.0, 2.1 or any version not properly set up or trojanized
Severity: Serious
Category: Remote administrator access
Classification: Unsafe default settings
BugTraq-ID: TBA
CVE-Number: TBA
Remote-Exploit: Yes
Vendor-Url: www.radmin.com
Author: Michael Scheidell, SecNAP Network Security, www.secnap.com
Original Release Date: 09/02/2002
Re-Release Date: 09/25/2004
Re-Release Reason: Large spike in scanning for port 4899; CA removes 'Radmin/Backdoor'

Discussion (from www.radmin.com):
Radmin is a very fast, very powerful remote administrator server available on Win95 and above. Radmin is used by help desks and Fortune 500 clients worldwide. This software gives the user the ability to remotely monitor, control and transfer files to and from his remote client via a password-protected, encrypted TCP connection. Options include remote Telnet (on WinNT and above) and fast, encrypted Explorer-like file transfers.

Recently, we picked up a large increase in probes for the Radmin default port (TCP port 4899) from several networks, targeting many of our clients who have never run Radmin. This activity suggests an increasing frequency of port scans for this service.

If you have installed Radmin using the default installation options, please read this: by default, Radmin uses a known port, TCP port 4899, for remote access. Also, if you are using password authentication only, a remote user only has to find an open TCP port 4899 and guess one word: your password. There could also be the possibility of an unknown exploit in Radmin that could allow access without a password.

This, coupled with anti-virus vendor Computer Associates including Radmin in a recent anti-virus .dat update as "BACKDOOR/RADMIN.2_0", forced us to re-release this alert.

If you have NOT installed Radmin, please make sure that you block incoming and outgoing TCP port 4899 and investigate any computer that makes outgoing TCP port 4899 access. Scan your internal network for systems (especially laptops) that may be listening on TCP port 4899, and contact SECNAP for a free external scan of your network (www.secnap.com/contact; put "request free radmin backdoor scan" in the comments section).

Suggestions to increase security on Radmin include:

- Change the default port from 4899 to something else (change it on the REMOTE first so you can still access the client).
- Use IP address filtering to limit the host range if possible (if you know the IP address range of your remote clients, you can use that to limit access).
- If Radmin is running on NT, Win2k or XP Pro, use WinNT options (requires a username AND password) or use STRONG passwords.
- Enable the log file and look for unknown addresses attempting to access your server.
- Put Radmin behind a firewall and access it via VPN.

If you have evidence of an exploit, please contact SECNAP Network Security and support@radmin.com.

For more information, you can visit Famatech's user forum: http://forum.radmin.com/
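The log-review and IP-filtering suggestions above can be checked mechanically from perimeter logs. The script below is an added example, not code from SECNAP or Famatech: it reads constructed firewall-style log lines and flags the two things this alert asks a defender to look for, namely TCP/4899 access from any address that is not on an allow-list of known administrator hosts, and internal machines making outbound TCP/4899 connections. The log line format, the internal network ranges and the allow-list are all assumptions made for the example; Radmin's own log format is not reproduced here.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Radmin's default listening port, as stated in the advisory.
RADMIN_DEFAULT_PORT = 4899

# Assumed firewall log format (constructed for this example, not Radmin's own log):
#   <timestamp> <ALLOW|DROP> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DROP)\s+TCP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)

# Constructed site layout: internal address ranges, and the only hosts
# permitted to reach a Radmin server (the advisory's "IP address filtering").
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_ADMIN_HOSTS = [ipaddress.ip_network("10.0.0.5/32"), ipaddress.ip_network("203.0.113.7/32")]

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = """\
2004-09-25T10:01:02 ALLOW TCP 203.0.113.7:51234 -> 192.0.2.10:4899
2004-09-25T10:01:05 DROP TCP 198.51.100.9:44000 -> 192.0.2.11:4899
2004-09-25T10:02:30 ALLOW TCP 10.0.0.23:3322 -> 198.51.100.40:4899
2004-09-25T10:03:00 ALLOW TCP 10.0.0.44:1200 -> 10.0.0.9:443
2004-09-25T10:03:30 ALLOW TCP 10.0.0.5:4011 -> 10.0.0.10:4899
2004-09-25T10:04:12 ALLOW TCP 10.0.0.77:2000 -> 10.0.0.10:4899
this line is not a firewall record and is skipped
"""


def _in_any(addr, nets) -> bool:
    """True if the address falls inside any of the given networks."""
    return any(addr in net for net in nets)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        return {
            "ts": m.group("ts"),
            "action": m.group("action"),
            "src": ipaddress.ip_address(m.group("src")),
            "sport": int(m.group("sport")),
            "dst": ipaddress.ip_address(m.group("dst")),
            "dport": int(m.group("dport")),
        }
    except ValueError:  # e.g. an octet above 255
        return None


def classify(event: Dict[str, object]) -> Optional[str]:
    """Label a parsed event that targets TCP/4899, or return None if it is unremarkable."""
    if event["dport"] != RADMIN_DEFAULT_PORT:
        return None
    src, dst = event["src"], event["dst"]
    # An internal machine reaching out to an external 4899 listener is what the
    # advisory asks you to investigate (possible trojanized or rogue install).
    if _in_any(src, INTERNAL_NETS) and not _in_any(dst, INTERNAL_NETS):
        return "OUTBOUND_RADMIN"
    # Any 4899 access from a host that is not a known administrator, whether the
    # firewall allowed or dropped it, is an "unknown address" worth a look.
    if not _in_any(src, ALLOWED_ADMIN_HOSTS):
        return "UNKNOWN_SOURCE"
    return None


def analyze(log_text: str) -> List[Tuple[str, str, str, str, str]]:
    """Return (label, timestamp, src, dst, action) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        label = classify(event)
        if label is not None:
            findings.append((label, event["ts"], str(event["src"]), str(event["dst"]), event["action"]))
    return findings


if __name__ == "__main__":
    for label, ts, src, dst, action in analyze(SAMPLE_LOG):
        print(f"{ts} {label:15} {src} -> {dst} ({action})")
```

Run against the constructed sample, the script reports the dropped probe from 198.51.100.9, the outbound connection from 10.0.0.23 to an external 4899 listener, and the internal host 10.0.0.77 reaching a Radmin server without being on the allow-list; the authorised sessions from 203.0.113.7 and 10.0.0.5 are left alone. Dropped probes are still reported on purpose: a rising count of them is exactly the scanning trend this alert describes.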
Or their FAQ, "How safe is it to use Radmin", at:
http://www.radmin.com/support/faq.html#1_1

Additional information may be found at:
http://www3.ca.com/support/vicdownload/newlydtectedlist.aspx?cid=49722
http://xforce.iss.net/xforce/xfdb/10001
SECNAP will continue to monitor this activity and release more information when available.

Credit: Michael Scheidell, SECNAP Network Security Corporation

Original copy of this report can be found at:
http://www.secnap.com/security/radmin001.html

Copyright: Above copyright (c) 2002, 2004, SECNAP Network Security Corporation. World rights reserved. This security report can be copied and redistributed electronically provided it is not edited and is quoted in its entirety without written consent of SECNAP Network Security Corporation. Additional information or permission may be obtained by contacting SECNAP Network Security at 561-999-5000.

Contact SECNAP Network Security for information on the latest security alerts and vulnerabilities: call 866-SECNAP.NET or click www.secnap.com/contact

To sign up for SECNAP Network Security Corp's First-Alerts mailing list, see www.secnap.com/lists