mailing list archives
Re: what next
From: jhori <jhori () ucdavis edu>
Date: Tue, 06 Feb 2007 09:45:02 -0800
nemanja.janic () centroproizvod co yu wrote:
To elaborate a little more on this, it's a rootkit with a ftp built into
it. Meaning that it connects to a IRC server somewhere.
i wasn't sure where to post this, and since i'm just starting out in security, i figured that this is the place.
i've had a fine unknown gentleman enter at his will to my server; among other things he left behind a file named tt (no
extension) which contained the following lines:
open 126.96.36.199 14547
user 1 1
open 188.8.131.52 5191
user 1 1
I figure this is some script to be used with ftp, or at least i think so.
I did tracert to those adresses, but that's where i'm stuck. What can i do next?
And any idea what that mstls.exe is? I deleted it, but it was 0 bytes in size.
Thanx in advance.
Sounds like your machine might still be a bot within a botnet though. I
tried connecting to the server mentioned above in mIRC and get a
connection refused (meaning that they have some kind of script within
the rootkit that will most likely put in a pwd to allow access)
Although you may have already deleted the file, it has most likely
installed itself within another folder. I would try and do a search for
.mrc files within your PC to try and find that folder. You'll most
likely find all the information that you need to get on that server
within the folder.
If you don't want to do the research, then I would get some kind of
rootkit cleaner...There's a lot to choose from.