
Thread: FTP and NT Scanner by Lomax

  1. #11
    Junior Member
    Join Date
    Oct 2005
    Posts
    18
    Sorry Nihil,

    Just quickly, is there a Firefox extension or some tool for quickly scanning something with all those different AVs?
    Cereal: Eaten at all times of the day.

  2. #12
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Nope.

    Simply go to www.virustotal.com and upload a sample. They run it against a handful of vendor signatures and the output is what Nihil has posted.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #13
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi there wheaty_bytes

    TH13 is quite right. I use virus total (he has given you the link) and Jotti, which is here:

    http://virusscan.jotti.org/

    They both do as he says but use slightly different mixtures of AVs, so you get a broader cover if you use both. I tend to use them as a "first pass" just to see if something has already been discovered or if it looks like a generic malware.

  4. #14
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    As this has been resolved, I won't add that much other than ntscan, ipcscan, and sqlscan have been the most popular tools I have seen in Windows honeynet research. They all function as TH13 has noted: by grinding against a box with a list of passwords. Typically the password that got them into your box will be at the top of the list if you find it on your box. An attacker typically will break into a box and start trying to spread their sphere of influence in a matter of moments.
    These are pretty much a part of the standard l337 h4x0r toolkit containing things like fport, psinfo and the like (usually a kit of 8 executables).
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
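
Added example, not part of the original thread or any poster's code: a minimal detector for the password grinding described in post #14, flagging a source that racks up failed logons in a short window and noting any account it then logs into. The log format, threshold and sample records are constructed assumptions; 4625 and 4624 are the failed and successful logon event IDs on current Windows versions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, event ID, source IP, account.
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2008-03-09T21:00:01,4625,203.0.113.7,administrator
2008-03-09T21:00:02,4625,203.0.113.7,administrator
2008-03-09T21:00:03,4625,203.0.113.7,administrator
2008-03-09T21:00:04,4625,203.0.113.7,administrator
2008-03-09T21:00:05,4625,203.0.113.7,administrator
2008-03-09T21:00:06,4625,203.0.113.7,administrator
2008-03-09T21:00:07,4624,203.0.113.7,administrator
2008-03-09T21:05:00,4625,198.51.100.20,jsmith
2008-03-09T21:05:20,4624,198.51.100.20,jsmith
"""

def find_grinding(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: {"failures": n, "compromised": [accounts]}} for every
    source with at least `threshold` failed logons inside one `window`."""
    events = []
    for line in log_text.strip().splitlines():
        ts, event_id, src, account = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), src, account))
    events.sort()  # process in time order even if the export is shuffled

    recent = defaultdict(list)  # source -> failure timestamps still in window
    findings = {}
    for ts, event_id, src, account in events:
        if event_id == 4625:
            recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
            if len(recent[src]) >= threshold:
                hit = findings.setdefault(src, {"failures": 0, "compromised": []})
                hit["failures"] = max(hit["failures"], len(recent[src]))
        elif event_id == 4624 and src in findings:
            # A success from a source already flagged for grinding means the
            # password was probably guessed: treat the account as compromised.
            findings[src]["compromised"].append(account)
    return findings

if __name__ == "__main__":
    for src, info in find_grinding(SAMPLE_LOG).items():
        print(src, info)
```

The single mistyped password from 198.51.100.20 stays below the threshold, so only the grinding source is reported.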

  5. #15
    Junior Member
    Join Date
    Mar 2008
    Posts
    1
    where can I download this FTP & Nt Scanner by lomax?

  6. #16
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    You're probably lucky that it was only some "young'en" that rooted you, who by the sounds of it didn't really know what he was doing - password grinding remote domain machines is the action of someone who has either tried everything else and has run out of options, or someone who doesn't really understand what they are doing. Although personally I would still change any cached domain credentials and all local credentials if I was you.

    If you had been rooted by someone who had half a clue, they would have left something a tad more advanced running, such as whosthere from the Pass the Hash toolkit - as this is not a virus it won't show up as such - and if they exploited you by a method that left them with a bind shell or similar, then it is possible some actions they performed would not show up in your eventvwr.

    Personally I would perform a close inspection of everything on the server/work station. Don't presume that because you have plugged the original fault that allowed you to be rooted in the first place, that you are secure...if it was me I would take for granted that you would find the original attack vector that may even result in the server being removed/reformatted and would have provided myself with some other method to retain the access I have to your server and/or network...chances are they did not confine themselves to one server; unless you have good security practices/policies in place..which folks rarely do.
    Last edited by Nokia; March 9th, 2008 at 09:47 PM.

  7. #17
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    June 2006???????????????

    Thread closed............... it cannot be relevant today.

    G_O_O_G_L_E
