| VID | 24076 |
| Severity | 40 |
| Port | 10002 |
| Protocol | TCP |
| Class | BackDoor |
| Detailed Description |
A Radmin (Remote Administrator) server has been detected listening on TCP port 10002. Radmin is a legitimate remote administration tool whose server component runs as a Windows service and gives anyone who authenticates to it an interactive logon session on the host. Its default port is TCP 4899, so an unexplained instance on port 10002 most likely indicates that a remote attacker compromised the host with one of the widely available exploits for the GDI+ JPEG parsing buffer overrun described in Microsoft Security Bulletin MS04-028 (CVE-2004-0200) and installed Radmin as a backdoor. Anyone who can reach this port and log in can take complete control of the host. Before remediating, confirm with the system owner that the listener is not a deliberately installed Radmin instance configured to use a non-default port.
* Platforms Affected: Microsoft Windows, any version
* References:
  http://www.easynews.com/virus.txt
  http://www.radmin.com/default.html
  http://www.spywareguide.com/product_show.php?id=578
  http://www.kb.cert.org/vuls/id/297462
  http://www.ciac.org/ciac/bulletins/o-213.shtml
  http://packetstormsecurity.nl/0409-advisories/ms04-028.html
  http://packetstormsecurity.nl/0409-exploits/ms04-028-cmd.c
  http://packetstormsecurity.nl/0409-exploits/JpegOfDeath.c
  http://packetstormsecurity.nl/0409-exploits/JpgDownloader.c
  http://packetstormsecurity.nl/0409-exploits/JpegOfDeathAll.c |
| Recommendation |
Remove the Radmin server from the host, for example with an anti-virus (vaccine) program that detects it. Because anyone who connected to the port could have taken complete control, treat the host as compromised and check for other changes made through that access rather than only deleting the program.
-- AND --
If the MS04-028 patch has not been applied, apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-028 at http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
The operating system patch only updates the copy of GDI+ that ships with Windows; applications that redistribute their own gdiplus.dll remain vulnerable until they are updated. Scan the system for such copies with gdiscan.exe, available from http://isc.sans.org/gdiscan.php , and update any vulnerable .dll files it reports manually. |
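As an added example (not part of the original advisory), the following Python triage script parses the output of Windows `netstat -ano` and `tasklist` to show which process owns TCP port 10002, both listening sockets and established sessions, and whether the owning image is Radmin's server binary r_server.exe. The netstat and tasklist samples embedded in it are constructed, not captured from a real host; matching on the image name is an assumption, since a dropped copy of the server may be renamed and the scanner itself only observes the port.

```python
"""Triage helper for the radmin-on-10002 signature.

Parses `netstat -ano` and `tasklist` output (Windows) to show which process
owns TCP port 10002 and whether its image name is Radmin's r_server.exe.
"""
import re
import subprocess
import sys
from typing import Dict, List

RADMIN_PORT = 10002            # port reported by this signature
RADMIN_IMAGE = "r_server.exe"  # Radmin server binary; a dropped copy may be renamed (assumption)

# Constructed sample output (not captured from a real host) so the script runs offline.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:10002          0.0.0.0:0              LISTENING       1684
  TCP    192.168.1.20:10002     203.0.113.9:50321      ESTABLISHED     1684
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    812
"""

SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    948 Console                    0      4,512 K
r_server.exe                  1684 Console                    0      3,140 K
"""

# netstat row: proto, local, foreign, optional state (UDP rows have none), PID
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# tasklist row: image name (may contain spaces), PID, session name, session#, mem usage
_TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+ K)\s*$")


def local_port(addr: str) -> int:
    """Return the port from 'ip:port' or '[v6]:port'; -1 when there is none ('*:*')."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else -1


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """One dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name."""
    procs = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def triage(netstat_text: str, tasklist_text: str, port: int = RADMIN_PORT) -> List[Dict[str, object]]:
    """Every TCP socket bound to `port`, joined with its owning process image."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if row["proto"] == "TCP" and local_port(row["local"]) == port:
            image = procs.get(row["pid"], "<unknown>")
            hits.append({**row, "image": image, "radmin": image.lower() == RADMIN_IMAGE})
    return hits


def _run(cmd: List[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    if sys.platform == "win32":   # live data on the Windows host being checked
        netstat_out, tasklist_out = _run(["netstat", "-ano"]), _run(["tasklist"])
    else:                         # elsewhere, demonstrate on the constructed sample
        netstat_out, tasklist_out = SAMPLE_NETSTAT, SAMPLE_TASKLIST
    for h in triage(netstat_out, tasklist_out):
        flag = "RADMIN" if h["radmin"] else "check"
        print(f"{flag:6} pid={h['pid']:<6} {h['image']:<20} {h['local']:<22} "
              f"{h['foreign']:<22} {h['state']}")
```

Run it on the host in question with an administrative prompt so that netstat can report PIDs. An ESTABLISHED row on the port is direct evidence that someone is connected right now, and a listener owned by a process whose image is not r_server.exe still deserves a look, since the port, not the name, is what this signature observed.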
| Related URL | CVE-2004-0200 (CVE) |
| Related URL | 1503,11173 (SecurityFocus) |
| Related URL | 16304 (ISS) |