-
July 7th, 2006, 08:09 PM
#1
Junior Member
FTP and NT Scanner by Lomax
Does anyone know the details of how this program attempts to connect to a computer? Someone was able to access my terminal services server through a local account and upload this program. In reviewing security event logs, I see that they did attempt to gain access to my network but were apparently unable to do so. I ran the tool to see what information they were likely working with, and what I notice is that it doesn't seem to attempt domain logins, only local machine logins. I want to make sure I'm understanding the tool right so that I thoroughly examine the extent of their probable access.
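An added triage helper for the question above (not code from the thread or from the scanner itself): it reads a constructed, simplified export of Windows failed-logon events and, per source address, separates attempts against local machine accounts from attempts against domain accounts, counts distinct usernames tried, and flags a burst. The machine name TSRV01, the domain CORP and the addresses are assumptions.

```python
"""Triage of Windows failed-logon events after a password-grinding attempt.

Constructed sample: a simplified export of Security log failure events
(event 529 on Windows 2000/2003, 4625 on later versions), one per line:
time,event_id,user,domain,logon_type,source_ip
TSRV01 (terminal server name), CORP (domain) and all addresses are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCAL_MACHINE = "TSRV01"  # assumed NetBIOS name of the terminal server

SAMPLE_EVENTS = """\
2006-07-06T22:01:03,529,administrator,TSRV01,10,192.0.2.45
2006-07-06T22:01:04,529,admin,TSRV01,10,192.0.2.45
2006-07-06T22:01:04,529,backup,TSRV01,10,192.0.2.45
2006-07-06T22:01:05,529,test,TSRV01,10,192.0.2.45
2006-07-06T22:01:06,529,guest,TSRV01,10,192.0.2.45
2006-07-06T22:01:07,529,administrator,CORP,10,192.0.2.45
2006-07-06T22:15:30,529,jsmith,CORP,10,10.0.0.7
"""


def parse_events(text):
    """Parse the constructed export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, domain, ltype, src = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "user": user, "domain": domain, "logon_type": int(ltype),
                       "src": src})
    return events


def summarise_failures(events, machine=LOCAL_MACHINE,
                       window=timedelta(minutes=1), threshold=5):
    """Per source IP: failures split into local-account vs domain-account
    targets, distinct usernames tried, and whether a burst hit the threshold.
    A target domain equal to the machine name means a local account."""
    per_src = defaultdict(lambda: {"local": 0, "domain": 0, "users": set(),
                                   "burst": False, "times": []})
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] not in (529, 4625):
            continue
        s = per_src[ev["src"]]
        s["local" if ev["domain"].upper() == machine else "domain"] += 1
        s["users"].add(ev["user"].lower())
        # sliding window: failures from this source within the last `window`
        s["times"] = [t for t in s["times"] + [ev["time"]] if ev["time"] - t <= window]
        if len(s["times"]) >= threshold:
            s["burst"] = True
    return {src: {"local": v["local"], "domain": v["domain"],
                  "users": len(v["users"]), "burst": v["burst"]}
            for src, v in per_src.items()}
```

On the sample, 192.0.2.45 shows five local-account failures, one domain-account failure and a burst, which is the pattern a local-only grinder would leave.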
-
July 9th, 2006, 02:49 AM
#2
No one here can put this puzzle together for you without:
a) fully understanding your environment.
b) analyzing all logs
c) understanding your business process
d) understanding what the software does that has compromised your host/network.
That said, the only "Lomax" I'm familiar with is Paul Lomax, who writes books for O'Reilly.
Can you provide a link to the software in question? At very least we can tell you what the software does and you can take it from there.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
July 9th, 2006, 07:45 AM
#3
Junior Member
Thanks for responding TH13. I suppose I wasn't clear in my questions. I know how the attacker gained access to my terminal server, so I'm not so concerned about that part. He left the scanner I mentioned, though, and I was hoping someone knew the program and could give me more in-depth info on its workings.
When I ran the tool (it's a CLI from a command prompt), it showed the name of the program as "FTP and NT Scanner by Lomax (credits Inode (inode@wayeth.eu.com))." You can go to the site and see that the author took his tools off the web because they were being used for cracking. The tool seems pretty simple in that it tries to connect to computers within a given ip range using a brute force method. There is a username file and password file that it uses for determining a working login. But it seems to only attempt to log on to a machine's local account and not the domain. I just figured someone in the antionline community would be familiar with the tool and could confirm my suspicions of the program's workings or learn more about its capabilities. No big deal if there is not, though, as I'm confident that I've plugged the weak spot that was used to compromise my system. Thanks anyways.
-
July 9th, 2006, 11:33 AM
#4
While I'm not familiar with this specific tool, I'm VERY familiar with others that do the same thing. It sounds from your description that this is a simple "grinder" tool. My guess is that it also uses that static PW list against the standard TCP port for FTP (21).
Any chance you can zip up the tool and attach it here? If not, the size of the PW file alone will tell me how dangerous (or not) this is. If not, I can arrange for upload out of band.
Thanks.
-
July 9th, 2006, 05:08 PM
#5
Junior Member
Here's the tool. I'd say you're right about the way it works. What I'm not sure of is if it is just checking port 21 or any other ports (by default or by command). Take a look and let me know what you think.
-
July 9th, 2006, 05:57 PM
#6
Well, this is possibly a start:
Antivirus           Version         Update      Result
AntiVir             6.35.0.21       07.09.2006  no virus found
Authentium          4.93.8          07.07.2006  no virus found
Avast               4.7.844.0       07.07.2006  no virus found
AVG                 386             07.07.2006  no virus found
BitDefender         7.2             07.09.2006  no virus found
CAT-QuickHeal       8.00            07.07.2006  no virus found
ClamAV              devel-20060426  07.07.2006  no virus found
DrWeb               4.33            07.09.2006  no virus found
eTrust-InoculateIT  23.72.64        07.09.2006  no virus found
eTrust-Vet          12.6.2291       07.07.2006  no virus found
Ewido               3.5             07.09.2006  no virus found
Fortinet            2.77.0.0        07.09.2006  suspicious
F-Prot              3.16f           07.07.2006  no virus found
F-Prot4             4.2.1.29        07.07.2006  no virus found
Ikarus              0.2.65.0        07.07.2006  no virus found
Kaspersky           4.0.2.24        07.09.2006  no virus found
McAfee              4802            07.07.2006  Tool-LoScan
Microsoft           1.1481          07.09.2006  no virus found
NOD32v2             1.1651          07.08.2006  no virus found
Norman              5.90.23         07.07.2006  no virus found
Panda               9.0.0.4         07.09.2006  no virus found
Sophos              4.07.0          07.09.2006  no virus found
Symantec            8.0             07.09.2006  no virus found
TheHacker           5.9.8.170       07.07.2006  no virus found
UNA                 1.83            07.08.2006  no virus found
VBA32               3.11.0          07.09.2006  no virus found
VirusBuster         4.3.7:9         07.08.2006  no virus found
So Fortinet didn't like the look of it and McAfee thinks that it is "Tool-LoScan". I would go to the McAfee site and check up what they have about that in their malware library.
-
July 10th, 2006, 01:18 AM
#7
I will run this tool in a sandbox tomorrow when I get to the office. I will see if it does any sneaky backdoor stuff too. Stay tuned.
Thanks.
--TH13
-
July 10th, 2006, 04:58 PM
#8
It's probably based on the source found here (only available through Google cache as the original site took it offline), modified to make it run on Windows (cygwin). Looks like a plain FTP dictionary scanner. It probably used the "users" file for usernames and "pass" for passwords.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
July 10th, 2006, 06:27 PM
#9
Yep, after some testing this is a vanilla grinder app. It uses the dictionary that comes with it to grind FTP servers and Windows local accounts. No backdoors, etc.
--TH13
-
July 10th, 2006, 08:57 PM
#10
Junior Member
Thanks guys, I really appreciate it!