Incidents
RE: ano (at) ano (dot) com [email concealed] ftpd dip.t-dialin.net Nov 12 2002 06:29PM
Owen McCusker (mccusker sonalysts com)
Dear Owen,

The incidents you describe are caused by a popular cracker tool / well-
known vulnerability scanner called "FX-Scanner". It indeed seems most
popular in Germany. I was looking for it because I was noticing TCP:57
attempts for some time now in my (Linux) logs. A long Google search
directed me to a message submitted by Johannes Ullrich at
http://isc.incidents.org/show_comment.html?id=28
and finally to http://www.fx-tools.net

In fact, the attack pattern of FX-Scanner V.030 beta is as follows:

(1) One ping (ICMP)

(2) If port 80 (http) is open, a large number of IIS-hacks. These are
defined by a file called "unicode.txt" included in the package. This
file contains 77 plain-text lines intended to exploit well known ISS
"unicode" vulnerabilities. However, the cracker can modify this file at
will, so expect some different patterns here.

(3) Two attempts to TCP:57 (TCP port 57). According to Johannes Ullrich
the reason to do this is because the port is normally CLOSED.

(4) Three TCP:21 (ftp) attempts if closed. As said, I don't run ftpd's
so I don't know what would happen if ftpd runs. However, the fx-scanner
V.030 beta package includes the following file:

07/07/02 07:40p 104,154 file.txt
9a5c9475663ad6dcf53f42446972a7b1 *file.txt

so probably that file is planted using user-specified or random names;
contents are binary crap as you describe. The file "scanner.ini" also
included contains the following lines (among others):

ftp_Uname=anonymous
ftp_UPassword=ano (at) ano (dot) com [email concealed]
ftp_Port=21

I played around with the tool a bit on a WXP testsetup (no network
cable) while listening on TCP:57 using NETCAT and confirmed that indeed
fx-scanner connects to the port mentioned. Please note: running such a
program against a public net is simply NOT DONE and hopefully/probably
illegal. If you consider (don't) to do just that, note that the tool is
remotely controllable; it listens to TCP port 4113 and uses the default
password "fxadmin" (both are variables in the ini file). It may also
include other, unspecified, backdoors. Although I did not monitor
behavior using a sniffer, the "Ring_Server=True" line in the ini-file
suggests that fx-scanner may call home when run (it could also be the
ping though). The remote control program is included in the package.

BTW I wouldn't be surprised if the number of German badguys using this
tool is significantly less than one may think. Blackhats may have found
ways to install this tool on PC's from innocent (but clueless) T-Online
dialup/ADSL users (perhaps via KaZaa or whatever), and are controlling
them remotely. The blackhats may be Germans, but obviously that is not
necessarily the case. However, I'm purely speculating here.

Cheers!

Erik van Straten

------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus