Systems: Famatech's Radmin remote administrator Software
Vulnerable: Radmin 2.0, 2.1 or any version not properly setup or trojanized
Severity: serious
Category: remote administrator access
Classification: unsafe default settings
BugTraq-ID: guid
CVE-number: guid
Remote-Exploit: Yes
Vendor-URL: www.radmin.com
Author: Michael Scheidell, SECNAP Network Security, www.secnap.com
Original release date: 09/02/2002
Re-Release Date: 09/25/2004
Re-release reason: large spike in scanning for port 4899; CA anti-virus now removes Radmin as 'radmin/backdoor'
Discussion from: www.radmin.com
Radmin is a very fast, very powerful remote administration server available on Win95 and above. Radmin is used by help desks and Fortune 500 clients worldwide.
This software gives the user the ability to remotely monitor, control and transfer files to and from a remote client via a password-protected, encrypted TCP connection. Options include remote telnet (on WinNT and above) and fast, encrypted, Explorer-like file transfers.
Recently, we picked up a large increase in probes for the Radmin default port (TCP port 4899) from several networks, targeting clients of ours who have never run Radmin. This activity suggests an increasing frequency of port scans for this service.
If you have installed Radmin using the default installation options, please read this:
By default, Radmin uses a known port, TCP port 4899, for remote access. Also, if you are using password authentication only, a remote user only has to find an open TCP port 4899 and guess one word: your password.
There could also be the possibility of an unknown exploit in Radmin that could allow access without a password.
This, coupled with anti-virus vendor Computer Associates including Radmin in a recent anti-virus DAT update as "backdoor/radmin.2_0", forced us to re-release this alert.
If you have not installed Radmin, please make sure that you block incoming and outgoing TCP port 4899 and investigate any computer that makes outgoing TCP port 4899 access. Scan your internal network for systems (especially laptops) that may be listening on TCP port 4899, and contact SECNAP for a free external scan of your network (www.secnap.com/contact; put 'request free Radmin backdoor scan' in the comments section).
Suggestions to increase security on Radmin include:
Change the default port from 4899 to something else.
(Change it on the remote server first so you can still access the client.)
Use IP address filtering to limit the host range if possible.
(If you know the IP address range of your remote clients, you can use that to limit access.)
If Radmin is running on NT, Win2k or XP Pro, use the WinNT security option
(requires a Windows username and password) or use strong passwords.
Enable the log file and look for unknown addresses attempting to access your server.
Put Radmin behind a firewall and access it via VPN.
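The two checks the advisory asks for, flagging internal hosts that connect out to TCP port 4899 and counting external sources probing it, together with the IP filtering advice above (alerting on internal Radmin access from outside an approved administrator range), can be scripted over firewall logs. The following Python is an added example written for this page, not SECNAP's or Famatech's code; the log format (date, time, action, protocol, source, destination, source port, destination port) and the network ranges are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

RADMIN_PORT = 4899

# Constructed sample firewall log lines (not from the advisory). The
# space-separated layout is an assumption for this example.
SAMPLE_LOG = """\
2004-09-25 10:01:02 ALLOW TCP 10.0.1.25 203.0.113.9 51234 4899
2004-09-25 10:01:03 DROP TCP 198.51.100.7 10.0.1.40 44100 4899
2004-09-25 10:01:04 DROP TCP 198.51.100.7 10.0.1.41 44101 4899
2004-09-25 10:01:05 ALLOW TCP 10.0.1.30 10.0.1.5 40000 4899
2004-09-25 10:01:06 ALLOW TCP 10.0.2.9 10.0.1.5 40002 4899
2004-09-25 10:01:07 ALLOW TCP 10.0.1.30 93.184.216.34 40001 80
2004-09-25 10:01:08 DROP TCP 192.0.2.77 10.0.1.40 50000 4899
"""

# Assumed address plan: everything in 10/8 is "ours"; only the
# administrators' subnet may reach Radmin servers (the advisory's
# IP filtering suggestion).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.1.0/24")]


def parse_line(line):
    """Parse one log line into a dict, or return None if malformed."""
    fields = line.split()
    if len(fields) != 8:
        return None
    date, time, action, proto, src, dst, sport, dport = fields
    try:
        return {
            "ts": f"{date} {time}",
            "action": action,
            "proto": proto,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "sport": int(sport),
            "dport": int(dport),
        }
    except ValueError:
        return None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def is_allowed_admin(ip):
    return any(ip in net for net in ALLOWED_ADMIN_NETS)


def analyze(log_text):
    """Classify every TCP connection to port 4899 in the log.

    Returns a dict with:
      probes     - Counter of external sources attempting inbound 4899
      outbound   - internal hosts connecting out to 4899 (investigate)
      unexpected - internal 4899 access from outside the admin range
    """
    probes = Counter()
    outbound = []
    unexpected = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != RADMIN_PORT:
            continue
        src, dst = rec["src"], rec["dst"]
        if is_internal(src) and not is_internal(dst):
            # An internal machine reaching out to a Radmin port on the
            # Internet is the case the advisory says to investigate.
            outbound.append((rec["ts"], str(src), str(dst)))
        elif not is_internal(src):
            # Inbound scan or connection attempt from outside.
            probes[str(src)] += 1
        elif not is_allowed_admin(src):
            # Internal-to-internal Radmin use from a non-admin subnet.
            unexpected.append((rec["ts"], str(src), str(dst)))
    return {"probes": probes, "outbound": outbound, "unexpected": unexpected}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, n in result["probes"].most_common():
        print(f"inbound 4899 probes from {ip}: {n}")
    for ts, src, dst in result["outbound"]:
        print(f"INVESTIGATE {ts}: {src} connected out to {dst}:4899")
    for ts, src, dst in result["unexpected"]:
        print(f"REVIEW {ts}: {src} reached Radmin on {dst} from outside admin range")
```

Run it against your own firewall export after adjusting `parse_line` to your log format and the two network lists to your address plan; the outbound list is the one that deserves immediate attention, since it points at a machine that is already acting as a Radmin client.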
If you have evidence of an exploit, please contact SECNAP Network Security and support@radmin.com
For more information, you can visit Famatech's User Forum: http://forum.radmin.com/
Or their FAQ: "How safe is it to use Radmin" at: http://www.radmin.com/support/faq.html#1_1
Additional information may be found:
http://www3.ca.com/support/vicdownload/NewlyDetectedList.aspx?Cid=49722
http://xforce.iss.net/xforce/xfdb/10001
SECNAP will continue to monitor this activity and release more information when available.
Credit: Michael Scheidell, SECNAP Network Security Corporation
Original copy of this report can be found at http://www.secnap.com/security/radmin001.html
Copyright:
Copyright (c) 2002, 2004, SECNAP Network Security Corporation. World rights reserved.
This security report can be copied and redistributed electronically without written consent of SECNAP Network Security Corporation provided it is not edited and is quoted in its entirety. Additional information or permission may be obtained by contacting SECNAP Network Security at 561-999-5000.
Contact SECNAP Network Security for information on the latest security alerts and vulnerabilities: call 866-secnap.net or click www.secnap.com/contact.
To sign up for SECNAP Network Security Corp's first-alerts mailing list, see www.secnap.com/lists