dameware.com

The Official DameWare Development Community Forum


IP Address 123.123.123.123

This is where we talk about anything and everything pertaining to DameWare Development software.


Postby SAMark on Thu Mar 13, 2008 6:26 pm

Hello,

This may be either an interesting or unusual thread, but I am a computer security professional that has been alerted to a possible intrusion incident on one of our networks. The possible victim machine is being sent to me as I type this, so I have not gotten the chance to look at it first hand yet. However, I have been alerted that this machine may have DameWare installed in part or completely as well as the potential offending IP Address of 123.123.123.123 being mentioned in some log files. After doing some initial research it appears that this IP address may have some special internal meaning/use within the DameWare product(s). In 20-30 words or less, can anyone tell me if that is true and how this IP may be used within DameWare? Sorry, but other than just the basics I am not very familiar with the DameWare product(s) and Googling and searching the product documentation has not been very productive as many people use this IP as a placeholder for an example for the actual IP you should be using.

I'll let anyone reading this do their own WHOIS look-up for this IP address to understand my concerns. Thanks for any information anyone may be able to provide.

--
Mark
SAMark
 
Posts: 2
Joined: Thu Mar 13, 2008 6:02 pm

Re: IP Address 123.123.123.123

Postby bryan on Fri Mar 14, 2008 1:33 am

Hello Mark,

Wow, I'm not even sure where to begin or what to say about this one. Had I known 123.123.123.123 had such a hidden dark meaning I would have used a different address in my examples (i.e. 123.456.789.012, etc...) when I created the Command Line Switches KB article years ago. Sorry, I just couldn't resist....

Basically, here are some things you need to know about our software which will hopefully clear this up for you:

1. First and foremost, 123.123.123.123 has absolutely no meaning whatsoever to our software. Our software takes whatever address you enter (HostName, FQDN, or IP-Address) and then passes this off to the O/S, and it's entirely up to the O/S to resolve these addresses properly. So if you do have a problem with this address (or any other IP-Address) for some reason, then you need to look at your O/S itself, because once again our software exclusively uses the O/S for all Names Resolution.

2. The Mini Remote Client Agent is a Service and therefore requires Administrator rights to install / remove / start / stop, just like any other Service in Windows NT/2000/XP/2003/Vista security.

3. If the Mini Remote Client Agent was installed on this machine, and it wasn't installed by one of your local Administrators, then you have a bigger security issue than you realize, and simply removing our software will not resolve your security issue. Our software cannot be installed without first obtaining Administrator rights within the O/S security. Therefore, someone already had Administrator rights on this remote machine before our software could ever be installed. Then once they had already broken into your security, they chose to install our software.

Therefore, you will need to address the "root cause" of your security issue. In other words, how they could have ever installed our software to begin with, because simply removing our software will not resolve your security issue.

The following knowledgebase article explains how to remove the Mini Remote Client Agent Service, via one simple command. But once again this will not resolve your security issue:

How To Manually Install or Remove the Mini Remote & NT Utilities Client Agents
http://www.dameware.com/support/kb/article.aspx?ID=100000

With regard to possibly determining who installed the software, you can check for DWMRCS entries within the Operating System's Application Event Log on the remote machine itself. If anyone has connected to this machine using the MRC software, then these DWMRCS Event Log entries will contain information about this User and their remote machine. Information such as their IP-Address, their HostName, their Desktop UserID, their Microsoft Operating System's registration information, and also if they are using a licensed copy of the software.

The DameWare Mini Remote Control is Unexpectedly Installed on Your Computer
http://www.dameware.com/support/kb/article.aspx?ID=100005

I hope this helps.
Bryan Brinkman
Support Engineer
DameWare Development, LLC.
http://www.dameware.com

bryan
 
Posts: 1474
Joined: Tue Jun 19, 2007 5:00 pm
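The Application Event Log check described in the post above, as an added example (not DameWare's own tooling and not part of the original thread). It assumes the entries are recorded under the event source name `DWMRCS`, as the post states, and makes no assumption about the message layout beyond pulling out any IPv4 addresses; the parameter names and output file name are hypothetical.

```powershell
# Added example: build a timeline of DWMRCS entries from the Application log
# and summarize every IPv4 address mentioned in them.
# Assumption: the event source (provider) is named "DWMRCS", per the post.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$Source       = 'DWMRCS'
)

# Strict dotted-quad pattern (each octet 0-255)
$ipv4 = '\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b'

try {
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = $Source
    }
} catch {
    # Raised when the source is not registered or no matching entries exist
    Write-Warning "No $Source events read from ${ComputerName}: $($_.Exception.Message)"
    return
}

$rows = foreach ($e in $events) {
    $msg   = [string]$e.Message   # may be empty if the message text cannot be rendered
    $addrs = @([regex]::Matches($msg, $ipv4) | ForEach-Object { $_.Value } | Sort-Object -Unique)
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Level       = $e.LevelDisplayName
        Addresses   = $addrs -join ', '
        Message     = $msg
    }
}

# Full chronological record for the case file
$rows | Sort-Object TimeCreated |
    Export-Csv -Path ".\dwmrcs-events-$ComputerName.csv" -NoTypeInformation

# One line per address: how often it appears, first and last time seen
$rows | Where-Object { $_.Addresses } | ForEach-Object {
    foreach ($a in ($_.Addresses -split ', ')) {
        [pscustomobject]@{ Address = $a; Time = $_.TimeCreated }
    }
} | Group-Object Address | ForEach-Object {
    $times = @($_.Group | Sort-Object Time)
    [pscustomobject]@{
        Address   = $_.Name
        Events    = $_.Count
        FirstSeen = $times[0].Time
        LastSeen  = $times[-1].Time
    }
} | Sort-Object FirstSeen | Format-Table -AutoSize
```

When working from an acquired machine rather than a live one, the same filter can be pointed at an exported log file by replacing the `LogName` key with `Path`.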

Re: IP Address 123.123.123.123

Postby SAMark on Fri Mar 14, 2008 9:33 am

Bryan,

Thanks for your quick response and input on this subject. In the past I have seen other software that uses an internal address in order to pipe network traffic through a process of the software in order to complete whatever the software was intended to do. I'm not a developer and can't really speak to whether that is good software design or not, but is something I've seen before. Your humor in your response is appreciated - yes, your choice of a placeholder IP address to use for examples is ironic and was apparently one of the things we picked up in various pages and newsgroup-like forum postings when an analyst at my shop began Googling the address. Without saying too much about where I work and where that IP address is actually assigned, it is indeed ironic.

Again, thanks for your quick response and I'll let you and the group know (for information purposes) in another posting if anything interesting results from our examination of the machine in regard to DameWare. Take care!

--
Mark
SAMark
 
Posts: 2
Joined: Thu Mar 13, 2008 6:02 pm

Re: IP Address 123.123.123.123

Postby bryan on Fri Mar 14, 2008 5:12 pm

Hey Mark,

You're most welcome.

Personally I would think if any commercially sold product had functionality like you describe then that company wouldn't be in business for very long. We have been in business since 1990 and many Fortune 500 companies rely on our software on a daily basis in their environments.

Please also feel free to take a look at our customer reference page for a small sampling of our customer base. Many of our customers are leaders in their respective industries. Industries such as HealthCare, Banking, Financial, Telecommunications, Manufacturing, the Military, the Department of Defense, and other branches of the US Government just to name a few (http://www.dameware.com/news/reference/).

Actually, the military is our largest customer, and we also recently completed a very large project (Remote Smart Card Login & Authentication) for our users in the Military & DoD.

Thanks again for your feedback. I hope you're able to discover the true source of your issues.

If you have any other questions, please feel free to write to me at support@dameware.com, and I will be happy to provide you with any information you need with regard to our software.

Have a great weekend !!!
Bryan Brinkman
Support Engineer
DameWare Development, LLC.
http://www.dameware.com

bryan
 
Posts: 1474
Joined: Tue Jun 19, 2007 5:00 pm

