[nsp-sec] ATTN Qwest/Akamai....Re: More compromised ftp accounts

Brian Eckman eckman at umn.edu
Fri Sep 4 18:30:52 EDT 2009


Patrick W. Gilmore wrote:
> On Sep 4, 2009, at 5:01 PM, Brian Eckman wrote:
>> Thomas Hungenberg wrote:
>>> Hi teams,
>>> Roman from abuse.ch came across a new Ziframer installation (see 
>>> <http://www.abuse.ch/?p=1739>).
>>> It comes along with a list of 18245 ftp credentials.
>>> Many of the accounts were already included with the list of accounts 
>>> I posted here on 2009-08-25
>>> (found along with another Iframer kit).
>>> Please find attached a sanitized list (pw removed) of 8169 
>>> compromised ftp accounts that are new.
>>> Format: ASN | IP | CC | ftp username | AS name
>> <snip>
>>
>> When looking at the list for any hosts within AS57 and AS217, as I 
>> scrolled down, I noticed a number in AS209 (Qwest) that had the same 
>> username (cust-r2), spread out across several very different IP 
>> spaces. I grabbed three IPs from different subnets and put them into 
>> BFK's Passive DNS (formerly the RUS-CERT service), and it appears that 
>> they are all Akamai servers. In fact, the only RUS-CERT entries appear 
>> to be Symantec related.
>>
>> Hopefully this isn't a real security issue, but being a Symantec site 
>> license owner for a 50,000 or so node network, it worries me a smidge 
>> that organized criminals spreading malware are using (presumably) 
>> stolen credentials for hosts that places like ftp.symantec.com and 
>> liveupdate.symantec.com appear to reside on.
> 
> Akamai occasionally uses many servers spread over many prefixes to do 
> the same thing (obviously).  I do not think this is an issue, but we 
> will be checking.
> 
> Thanx for the heads up.

Sorry for the late follow-up, but I think it's nothing. Eight years ago, 
it was in "the news"...

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2001-10/0037.html

Thanks,
Brian

-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
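
The triage described in this thread (pulling out rows for your own ASNs, then noticing one ftp username repeated across unrelated IP space) can be scripted. This is an added example, not part of the original post; it assumes the list uses the "ASN | IP | CC | ftp username | AS name" format quoted above, and the sample rows, ASNs, addresses and usernames are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows in the posted format (documentation ASNs/IPs, made-up usernames).
SAMPLE = """\
64500 | 192.0.2.10 | US | webuser1 | EXAMPLE-NET-A
64501 | 198.51.100.7 | US | shared-acct | EXAMPLE-NET-B
64501 | 203.0.113.45 | US | shared-acct | EXAMPLE-NET-B
64501 | 198.51.100.99 | US | shared-acct | EXAMPLE-NET-B
64502 | 192.0.2.200 | DE | site-admin | EXAMPLE-NET-C
malformed line without separators
"""

def parse_rows(text):
    """Parse 'ASN | IP | CC | ftp username | AS name' lines, skipping malformed ones."""
    rows = []
    for line in text.splitlines():
        # maxsplit=4 keeps any '|' inside the trailing AS name intact
        fields = [f.strip() for f in line.split("|", 4)]
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        asn, ip, cc, user, as_name = fields
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid IP address, drop the row
        rows.append({"asn": int(asn), "ip": addr, "cc": cc,
                     "user": user, "as_name": as_name})
    return rows

def rows_for_asns(rows, asns):
    """Rows that fall inside the ASNs you are responsible for."""
    return [r for r in rows if r["asn"] in asns]

def usernames_across_subnets(rows, prefix_len=24, min_subnets=2):
    """Map (ASN, username) -> subnets, for usernames seen in several subnets.

    One account name spread over unrelated prefixes usually means a shared
    service account on a distributed platform rather than many customers.
    """
    seen = defaultdict(set)
    for r in rows:
        net = ipaddress.ip_network(f"{r['ip']}/{prefix_len}", strict=False)
        seen[(r["asn"], r["user"])].add(str(net))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_subnets}

if __name__ == "__main__":
    parsed = parse_rows(SAMPLE)
    print(rows_for_asns(parsed, {64500}))
    print(usernames_across_subnets(parsed))
```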


