mailing list archives
RE: what next
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Tue, 6 Feb 2007 11:45:53 -0500
Yes, it is an FTP script. It's probably used by the attacker or malware
to download a malicious program or kit from a remote location. Very
common. My suggestion is to clean or rebuild you involved
computers/network. Patch or fix the problem that allowed the unknown
gentleman to do unauthorized behavior, and get on with normal life.
You'll spend too much time trying to investigate this sort of stuff, and
in the end, unless you get lucky enough to find all the malicious files
and disassemble them, you really won't know the intruder's intent or
Just my one half cent.
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of nemanja.janic () centroproizvod co yu
Sent: Tuesday, February 06, 2007 6:38 AM
To: security-basics () securityfocus com
Subject: what next
i wasn't sure where to post this, and since i'm just starting out in
security, i figured that this is the place.
i've had a fine unknown gentleman enter at his will to my server; among
other things he left behind a file named tt (no extension) which
contained the following lines:
open 220.127.116.11 14547
user 1 1
open 18.104.22.168 5191
user 1 1
I figure this is some script to be used with ftp, or at least i think
I did tracert to those adresses, but that's where i'm stuck. What can i
And any idea what that mstls.exe is? I deleted it, but it was 0 bytes in
Thanx in advance.