[nsp-sec] Stolen FTP credentials (11727) from Bredo data
Dave Woutersen (GOVCERT.NL)
dave.woutersen at govcert.nl
Thu Nov 18 10:48:28 EST 2010
Hi,
I'm still receiving data from LE in regards to the Bredolab investigation.
I'm sorry this stuff is coming in waves.
LE noticed in the wiretap data that there was a mechanism in place that
would check FTP credentials against domains and report back with either an
OK or a fail. We do not know what these OKs were used for; we suspect to
inject malicious iframes into webpages, but we are not sure.
Attached are two files: "ftp-creds-domains.txt" and "ftp-creds-AS.txt".
The ftp-creds-domains.txt file contains all OKs that were found in the tap
data with the following fields:
Date -> time -> year -> domain:port -> username -> IP(s) the domain
resolves to.
For obvious reasons the passwords are not included. We can get those when
asked for.
The ftp-creds-AS.txt contains a sorted list of associated ASNs.
I'm sorry if the data is not always consistent; for example, not all domains
contained a userid after the query on the 2T+ of wiretap data had finished.
Also, I do not know how useful the data is, but if you own any of the
mentioned domains, I would be really interested to know if the domain was
actually compromised and what they injected, if they injected anything.
Greetz,
Dave
--
Dave Woutersen
security specialist
GOVCERT.NL
T +31 70 888 75 55
I www.govcert.nl
E dave.woutersen at govcert.nl
PGP Fingerprint: C87E 47E2 89D8 5DFB C86F A3F3 1557 E2E9 AC15 7DD5
GOVCERT.NL is the Computer Emergency Response Team for the Dutch
Government. We support the government in preventing and dealing with
IT-related security incidents.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ftp-creds-domains.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20101118/57e2042e/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ftp-creds-AS.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20101118/57e2042e/attachment-0003.txt>
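A small triage helper for the ftp-creds-domains.txt record format described in the post, added here as an example; it is not part of the original message or of the shared data. It assumes tab-separated fields in the stated order (date, time, year, domain:port, username, IPs) with comma-joined IPs, and it tolerates the rows without a userid that the post warns about, so a domain owner can pull out the entries that touch their own hosts.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the field order the post gives: date, time, year,
# domain:port, username, IP(s). Tab separation and comma-joined IPs are assumptions.
SAMPLE = (
    "18/11\t10:48:28\t2010\texample.org:21\twebmaster\t192.0.2.10,192.0.2.11\n"
    "18/11\t10:49:02\t2010\texample.net:21\t\t198.51.100.7\n"  # no userid, as the post warns
    "18/11\t10:50:15\t2010\tshop.example.org:2121\tftpuser\t192.0.2.10\n"
)

def parse_records(text):
    """Parse ftp-creds-domains.txt style lines; a missing userid becomes None."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if not row or not row[0].strip():
            continue  # skip blank lines
        row = (row + [""] * 6)[:6]  # pad short rows instead of raising IndexError
        date, time, year, hostport, user, ips = (f.strip() for f in row)
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no ":port" suffix at all
            host, port = hostport, ""
        records.append({
            "when": f"{date}/{year} {time}",
            "domain": host.lower().rstrip("."),
            "port": int(port) if port.isdigit() else 21,  # FTP control port by default
            "username": user or None,
            "ips": [ip for ip in ips.split(",") if ip],
        })
    return records

def matches_own(domain, own_domains):
    """True if domain equals, or is a subdomain of, any domain you operate."""
    return any(domain == d or domain.endswith("." + d) for d in own_domains)

def triage(text, own_domains):
    """Group the records that touch your domains, so each host can be checked
    for injected content (the post asks owners to report exactly that)."""
    own = {d.lower().rstrip(".") for d in own_domains}
    hits = defaultdict(list)
    for rec in parse_records(text):
        if matches_own(rec["domain"], own):
            hits[rec["domain"]].append(rec)
    return dict(hits)

if __name__ == "__main__":
    for domain, recs in triage(SAMPLE, ["example.org"]).items():
        users = sorted({r["username"] or "<no userid>" for r in recs})
        print(f"{domain}: {len(recs)} OK(s), users {users}")
```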