Thread: FTP and NT Scanner by Lomax

  1. #1
    Junior Member
    Join Date
    May 2006
    Posts
    11

    Question FTP and NT Scanner by Lomax

    Does anyone know the details of how this program attempts to connect to a computer? Someone was able to access my terminal services server through a local account and upload this program. In reviewing security event logs, I see that they did attempt to gain access to my network but were apparently unable to do so. I ran the tool to see what information they were likely working with, and what I notice is that it doesn't seem to attempt domain logins, only local machine logins? I want to make sure I'm understanding the tool right so that I thoroughly examine the extent of their probable access.

  2. #2
    Junior Member
    Join Date
    Mar 2008
    Posts
    1
    Where can I download this FTP & NT Scanner by Lomax?

  3. #3
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    You're probably lucky that it was only some "young'en" that rooted you, who by the sounds of it didn't really know what he was doing - password grinding remote domain machines is the action of someone who has either tried everything else and has run out of options, or someone who doesn't really understand what they are doing. Although personally I would still change any cached domain credentials and all local credentials if I was you.

    If you had been rooted by someone who had half a clue, they would have left something a tad more advanced running, such as whosthere from the Pass the Hash toolkit - as this is not a virus it won't show up as such - and if they exploited you by a method that left them with a bind shell or similar, then it is possible some actions they performed would not show up in your eventvwr.

    Personally I would perform a close inspection of everything on the server/work station. Don't presume that because you have plugged the original fault that allowed you to be rooted in the first place, that you are secure...if it was me I would take for granted that you would find the original attack vector that may even result in the server being removed/reformatted and would have provided myself with some other method to retain the access I have to your server and/or network...chances are they did not confine themselves to one server; unless you have good security practices/policies in place..which folks rarely do.
    Last edited by Nokia; March 9th, 2008 at 09:47 PM.
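
Added example, not part of any post in this thread: one way to triage the failed logon attempts discussed above, separating local-account targets from domain-account targets and flagging any success that follows failures from the same source. The field layout, the `triage` helper, and the sample records are assumptions; the event IDs are the current Windows Security log IDs 4625 (failed logon) and 4624 (successful logon).

```python
from collections import defaultdict

# Constructed sample records (not from the thread), shaped like fields exported
# from Windows Security events 4625 (failed logon) and 4624 (successful logon).
# "domain" stands for the event's TargetDomainName, "ip" for its source address.
SAMPLE_EVENTS = [
    {"id": 4625, "user": "Administrator", "domain": "TS01", "ip": "192.0.2.10"},
    {"id": 4625, "user": "admin", "domain": "TS01", "ip": "192.0.2.10"},
    {"id": 4625, "user": "backup", "domain": "FILE02", "ip": "192.0.2.10"},
    {"id": 4625, "user": "jsmith", "domain": "CORP", "ip": "192.0.2.10"},
    {"id": 4624, "user": "backup", "domain": "FILE02", "ip": "192.0.2.10"},
    {"id": 4625, "user": "mjones", "domain": "CORP", "ip": "198.51.100.7"},
]


def triage(events, domain_names, min_failures=3):
    """Summarise failed logons per source address (hypothetical helper).

    events must be in chronological order. domain_names lists the AD domain
    names in use; any other target domain is treated as a machine name,
    i.e. an attempt against a local account on that machine.
    """
    domain_names = {d.upper() for d in domain_names}
    report = defaultdict(lambda: {"local": set(), "domain": set(),
                                  "failures": 0, "success_after_failure": []})
    for ev in events:
        src = report[ev["ip"]]
        account = f'{ev["domain"]}\\{ev["user"]}'
        if ev["id"] == 4625:
            src["failures"] += 1
            kind = "domain" if ev["domain"].upper() in domain_names else "local"
            src[kind].add(account)
        elif ev["id"] == 4624 and src["failures"] > 0:
            # A success after failures from the same source deserves a close look.
            src["success_after_failure"].append(account)
    # Keep only sources that failed often enough to look like password guessing.
    return {ip: r for ip, r in report.items() if r["failures"] >= min_failures}


if __name__ == "__main__":
    for ip, r in triage(SAMPLE_EVENTS, {"CORP"}).items():
        print(ip, "failures:", r["failures"])
        print("  local accounts tried: ", sorted(r["local"]))
        print("  domain accounts tried:", sorted(r["domain"]))
        print("  success after failure:", r["success_after_failure"])
```

Any account listed under "success after failure" should be treated as compromised, and its credentials changed on every machine where they are reused.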

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    June 2006???????????????

    Thread closed............... it cannot be relevant today.

    G_O_O_G_L_E
