[nsp-sec] NACK for AS217 Re: 12k probably compromised FTP accounts
Brian Eckman
eckman at umn.edu
Wed Apr 2 13:45:20 EDT 2008
Brian Eckman wrote:
> ----------- nsp-security Confidential --------
>
> Tom Fischer wrote:
>> ----------- nsp-security Confidential --------
>>
>> Hi,
>>
>> attached (the first part) of a list of probably compromised
>> FTP accounts. The data is based on an iframer toolkit
>> (a toolkit which uses stolen FTP credentials to add iframes/JavaScript/...).
>>
>> I've removed the ftp passwords for obvious reasons.
>> The data is not verified.
>>
>> ASN | ip address | ftp server | login
>> 217 | 128.101.36.204 | ftp.cs.umn.edu | ftp
>
> 'ftp' allows typical anonymous access. Uploads can only be made to
> writable-and-not-readable directories. There hasn't been a Web server on
> this host for about a year.
>
> If there is malicious content that is readable by

whoops, I didn't mean to send that...

What I meant to say is, if there is malicious content that is readable,
then please let me know and we'll get it pulled ASAP.

Any username that is provided to the server (including 'ftp') is treated
as the anonymous user - any password works. So it isn't a "compromised
account" (thus the NACK). But again, if it is participating in some
evilness, we would gladly thwart that. (An admin grepped through the
filesystem looking for evil script code, and didn't see any. If you can
provide the full path to the code, I'll gladly pass it on.)

Cheers,
Brian
--
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
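
The two checks the message above relies on (upload directories that are writable but not readable, and a sweep of the tree for injected markup) can be scripted. The following is an added example, not part of the original message or the site's own tooling; the hidden-iframe pattern, the mapping of the anonymous user to the "other" permission bits, and the sample tree are assumptions.

```python
import os, re, stat, tempfile

# Assumed heuristic (not from the thread): an <iframe> tag sized 0/1 or hidden.
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.I)
HIDDEN_RE = re.compile(
    rb"(?:width|height)\s*=\s*[\"']?[01]\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def audit_ftp_root(root):
    """Return (readable_upload_dirs, suspicious_files) for an anonymous FTP tree."""
    readable_upload_dirs, suspicious_files = [], []
    for dirpath, _dirs, files in os.walk(root):
        mode = os.stat(dirpath).st_mode
        # Assumption: the anonymous user falls under the "other" permission bits.
        # Writable AND readable means uploads can be listed and fetched back.
        if mode & stat.S_IWOTH and mode & stat.S_IROTH:
            readable_upload_dirs.append(os.path.relpath(dirpath, root))
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # first 1 MiB is enough for markup
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if any(HIDDEN_RE.search(tag) for tag in IFRAME_RE.findall(data)):
                suspicious_files.append(os.path.relpath(path, root))
    return sorted(readable_upload_dirs), sorted(suspicious_files)

def build_sample_tree():
    """Constructed sample: one correct drop box, one misconfigured, two files."""
    root = tempfile.mkdtemp(prefix="ftproot-")
    for name, mode in (("pub", 0o755), ("incoming", 0o733), ("upload", 0o777)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)  # explicit, independent of umask
    with open(os.path.join(root, "pub", "index.html"), "wb") as fh:
        fh.write(b'<html><iframe src="http://example.invalid/" width=0 height=0></iframe></html>')
    with open(os.path.join(root, "pub", "video.html"), "wb") as fh:
        fh.write(b'<html><iframe src="/player" width="640" height="360"></iframe></html>')
    return root

if __name__ == "__main__":
    dirs, files = audit_ftp_root(build_sample_tree())
    print("writable and readable:", dirs)
    print("hidden iframe markup:", files)
```
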