mailing list archives
RE: what next
From: "Devin Rambo" <drambo () vediorps com>
Date: Tue, 6 Feb 2007 10:39:08 -0500
In short, mstls.exe is bad news:
The $64,000 Question is what these goons did to your server that you haven't
detected. You can take steps to remove the malware you know about, but your
best bet is to back up your data, wipe the drive, and do a clean reinstall.
It's the only way to be 100% certain that you've gotten rid of it.
After that, all the standard disclaimers: shut off unused/unnecessary
serves, apply patches, use up-to-date antivirus, harden where possible, etc.
All of which the folks here can offer plenty of advice for doing. Good luck.
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of nemanja.janic () centroproizvod co yu
Sent: Tuesday, February 06, 2007 6:38 AM
To: security-basics () securityfocus com
Subject: what next
i wasn't sure where to post this, and since i'm just starting out in
security, i figured that this is the place.
i've had a fine unknown gentleman enter at his will to my server; among
other things he left behind a file named tt (no extension) which contained
the following lines:
open 220.127.116.11 14547
user 1 1
open 18.104.22.168 5191
user 1 1
I figure this is some script to be used with ftp, or at least i think so.
I did tracert to those adresses, but that's where i'm stuck. What can i do
And any idea what that mstls.exe is? I deleted it, but it was 0 bytes in
Thanx in advance.