[nsp-sec] ATTN Qwest/Akamai....Re: More compromised ftp accounts
Patrick W. Gilmore
patrick at akamai.com
Fri Sep 4 18:02:09 EDT 2009
On Sep 4, 2009, at 5:01 PM, Brian Eckman wrote:
> Thomas Hungenberg wrote:
>> Hi teams,
>> Roman from abuse.ch came across a new Ziframer installation (see <http://www.abuse.ch/?p=1739>).
>> It comes along with a list of 18245 ftp credentials.
>> Many of the accounts were already included with the list of
>> accounts I posted here on 2009-08-25
>> (found along with another Iframer kit).
>> Please find attached a sanitized list (pw removed) of 8169
>> compromised ftp accounts that are new.
>> Format: ASN | IP | CC | ftp username | AS name
> <snip>
>
> When looking at the list for any hosts within AS57 and AS217, as I
> scrolled down, I noticed a number in AS209 (Qwest) that had the same
> username (cust-r2), spread out across several very different IP
> spaces. I grabbed three IPs from different subnets and put them into
> BFK's Passive DNS (formerly the RUS-CERT service), and it appears
> that they are all Akamai servers. In fact, the only RUS-CERT entries
> appear to be Symantec related.
>
> Hopefully this isn't a real security issue, but being a Symantec
> site license owner for a 50,000 or so node network, it worries me a
> smidge that organized criminals spreading malware are using
> (presumably) stolen credentials for hosts that places like ftp.symantec.com
> and liveupdate.symantec.com appear to reside on.
Akamai occasionally uses many servers spread over many prefixes to do
the same thing (obviously). I do not think this is an issue, but we
will be checking.
Thanx for the heads up.
--
TTFN,
patrick
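The cross-check Brian describes (one FTP username recurring across very different IP space inside a single ASN, which points at shared infrastructure such as a CDN rather than many independent compromises), as an added triage example that is not part of this thread. It parses the sanitized "ASN | IP | CC | ftp username | AS name" format quoted above; the rows are constructed and use documentation address ranges, and only AS209 and the username cust-r2 come from the message.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample rows in the list's "ASN | IP | CC | ftp username | AS name" format.
# Addresses are from documentation ranges; only AS209 and cust-r2 appear in the thread.
SAMPLE_ROWS = """\
209 | 192.0.2.17 | US | cust-r2 | QWEST-AS
209 | 198.51.100.8 | US | cust-r2 | QWEST-AS
209 | 203.0.113.44 | US | cust-r2 | QWEST-AS
209 | 203.0.113.90 | US | webadmin | QWEST-AS
57 | 192.0.2.200 | FR | ftpuser | SOME-AS
57 | 192.0.2.201 | FR | ftpuser | SOME-AS
"""


def parse_rows(text):
    """Yield (asn, ip, cc, user, asname) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            continue
        asn, ip, cc, user, asname = parts
        try:
            yield int(asn), ip_address(ip), cc, user, asname
        except ValueError:
            continue  # non-numeric ASN or unparsable IP: ignore the row


def shared_usernames(text, prefixlen=24, min_prefixes=2):
    """Map (asn, user) -> sorted list of /prefixlen networks for usernames that
    recur across at least min_prefixes distinct prefixes within the same ASN.
    Such clusters deserve a passive-DNS look before being treated as N separate victims."""
    seen = defaultdict(set)
    for asn, ip, _cc, user, _asname in parse_rows(text):
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        seen[(asn, user)].add(net)
    return {key: sorted(str(n) for n in nets)
            for key, nets in seen.items() if len(nets) >= min_prefixes}


if __name__ == "__main__":
    for (asn, user), nets in shared_usernames(SAMPLE_ROWS).items():
        print(f"AS{asn} user {user!r} spans {len(nets)} /24s: {', '.join(nets)}")
```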