[nsp-sec] NACK 7992 RE: 6k probably compromised FTP accounts

Chris Morrow morrowc at ops-netman.net
Fri Apr 4 13:45:40 EDT 2008



On Fri, 4 Apr 2008, Krista Hickey wrote:

> ----------- nsp-security Confidential --------
>
>> Tom Fischer wrote:
>>
>> Hi,
>>
>> attached (the second part of) a list of probably compromised
>> FTP accounts. The data is based on an iframer toolkit
>> (a toolkit which uses stolen FTP credentials to add
>> iframes/JavaScript/...).
>>
>> I've removed the ftp passwords for obvious reasons.
>> The data is not verified.
>
> Our sole entry in both the previous list and this list is actually our
> corporate webserver, I spoke with the IT security guy responsible for
> the webserver this morning and he's investigated and there are no FTP
> services running on this machine nor have there been since he can
> remember. He's going to take a look at his logs and get the webteam to
> review any iframe references in their pages but given the lack of FTP
> services running and the fact that the logins don't ring any bells for
> anyone I'd have to guess this is either a very old list (i.e. maybe that IP
> was used for a box that had FTP 5+ years ago) or bogus, has anyone else
> represented on the list been able to confirm there's an issue?

The Google-listed things are just web-services-only... I'm not sure if the
user's accounts are broken though, just that there is no FTP present on
the IPs/hostnames.

-Chris


