July 7th, 2006, 09:09 PM
FTP and NT Scanner by Lomax
Does anyone know the details of how this program attempts to connect to a computer? Someone was able to access my terminal services server through a local account and upload this program. In reviewing security event logs, I see that they did attempt to gain access to my network but were apparently unable to do so. I ran the tool to see what information they were likely working with and noticed that it doesn't seem to attempt domain logins, only local machine logins? I want to make sure I'm understanding the tool right so that I thoroughly examine the extent of their probable access.
March 9th, 2008, 10:22 PM
Where can I download this FTP & NT Scanner by Lomax?
March 9th, 2008, 10:39 PM
You're probably lucky that it was only some "young'en" that rooted you, who by the sounds of it didn't really know what he was doing - password grinding remote domain machines is the action of someone who has either tried everything else and has run out of options, or someone who doesn't really understand what they are doing. Although personally I would still change any cached domain credentials and all local credentials if I was you.
If you had been rooted by someone who had half a clue, they would have left something a tad more advanced running, such as whosthere from the Pass the Hash toolkit - as this is not a virus it won't show up as such - and if they exploited you by a method that left them with a bind shell or similar, then it is possible some actions they performed would not show up in your eventvwr.
Personally I would perform a close inspection of everything on the server/workstation. Don't presume that because you have plugged the original fault that allowed you to be rooted in the first place, that you are secure... if it was me I would take for granted that you would find the original attack vector, which may even result in the server being removed/reformatted, and would have provided myself with some other method to retain the access I have to your server and/or network... chances are they did not confine themselves to one server; unless you have good security practices/policies in place, which folks rarely do.
Last edited by Nokia; March 9th, 2008 at 10:47 PM.
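The two posts above turn on one question from the security event log: were the failed logons tried against local machine accounts or against domain accounts, and do they look like password grinding (many user names from one source)? The script below is an added example, not from the original thread or from the Lomax tool; it triages constructed sample records whose field names follow the Windows Security "An account failed to log on" event (ID 4625), with the host name TSSRV01 and domain CORP assumed for illustration.

```python
"""Triage failed-logon events: local-account vs domain-account attempts, and
sources that look like password grinding.  Added example; the records below
are constructed, and MACHINE/DOMAIN are assumed names."""

import re
from collections import Counter, defaultdict

MACHINE = "TSSRV01"   # assumed name of the terminal services server
DOMAIN = "CORP"       # assumed domain name

# Constructed sample export, one event per string.  Field names follow
# event ID 4625 (failed logon); 4624 is a successful logon and is ignored.
SAMPLE_EVENTS = [
    "EventID: 4625 Time: 2006-07-07 20:41:02 Account Name: administrator Account Domain: TSSRV01 Logon Type: 3 Workstation Name: TSSRV01 Source Network Address: 10.0.5.23",
    "EventID: 4625 Time: 2006-07-07 20:41:03 Account Name: admin Account Domain: TSSRV01 Logon Type: 3 Workstation Name: TSSRV01 Source Network Address: 10.0.5.23",
    "EventID: 4625 Time: 2006-07-07 20:41:03 Account Name: backup Account Domain: TSSRV01 Logon Type: 3 Workstation Name: TSSRV01 Source Network Address: 10.0.5.23",
    "EventID: 4625 Time: 2006-07-07 20:41:04 Account Name: guest Account Domain: TSSRV01 Logon Type: 3 Workstation Name: TSSRV01 Source Network Address: 10.0.5.23",
    "EventID: 4625 Time: 2006-07-07 20:41:04 Account Name: test Account Domain: TSSRV01 Logon Type: 3 Workstation Name: TSSRV01 Source Network Address: 10.0.5.23",
    "EventID: 4625 Time: 2006-07-07 20:41:05 Account Name: sql Account Domain: TSSRV01 Logon Type: 3 Workstation Name: TSSRV01 Source Network Address: 10.0.5.23",
    # one ordinary domain user mistyping a password over Terminal Services (type 10)
    "EventID: 4625 Time: 2006-07-07 20:55:10 Account Name: jsmith Account Domain: CORP Logon Type: 10 Workstation Name: WS12 Source Network Address: 10.0.2.7",
    "EventID: 4624 Time: 2006-07-07 20:55:31 Account Name: jsmith Account Domain: CORP Logon Type: 10 Workstation Name: WS12 Source Network Address: 10.0.2.7",
    "EventID: 4625 (truncated export line)",   # malformed record, must be skipped
]

EVENT_RE = re.compile(
    r"EventID:\s*(?P<id>\d+)\s+Time:\s*(?P<time>\S+ \S+)\s+"
    r"Account Name:\s*(?P<user>\S+)\s+Account Domain:\s*(?P<domain>\S+)\s+"
    r"Logon Type:\s*(?P<ltype>\d+)\s+Workstation Name:\s*(?P<wks>\S+)\s+"
    r"Source Network Address:\s*(?P<src>\S+)"
)


def parse_event(line):
    """Return a dict of fields, or None if the line is not a complete record."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["id"] = int(d["id"])
    d["ltype"] = int(d["ltype"])
    return d


def scope(event, machine=MACHINE):
    """'local' when the account was tried against the machine's own SAM
    (Account Domain is the host name or '.'), 'domain' otherwise."""
    dom = event["domain"].upper()
    return "local" if dom in (machine.upper(), ".", "") else "domain"


def summarize(lines, machine=MACHINE, grind_threshold=5):
    """Count failed logons per scope and flag sources that tried at least
    grind_threshold distinct user names against one scope (grinding)."""
    events = [e for e in map(parse_event, lines) if e and e["id"] == 4625]
    by_scope = Counter(scope(e, machine) for e in events)
    users_per_src = defaultdict(set)
    for e in events:
        users_per_src[(e["src"], scope(e, machine))].add(e["user"].lower())
    grinders = sorted(key for key, users in users_per_src.items()
                      if len(users) >= grind_threshold)
    return {
        "total_failures": len(events),
        "by_scope": dict(by_scope),
        "grinding_sources": grinders,   # list of (source address, scope)
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

On the constructed data this reports six local-account failures and one domain failure, and flags 10.0.5.23 as grinding local accounts only, which is the pattern the original poster describes. On a real server the export would come from the Security log itself, and the local-vs-domain split should be read alongside the logon type (3 = network, 10 = remote interactive) to see which service the attacker was hitting.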
March 10th, 2008, 12:22 PM
Thread closed... it cannot be relevant today.