[nsp-sec] Ack 6830_: Stolen FTP credentials (11727) from Bredo data

Fronenbroek, Kick kfronenbroek at upcbroadband.com
Thu Nov 18 14:34:19 EST 2010


Hello Dave,
Ack for AS6830, AS9141 & 8404

Regards,
Kick

On 18 nov 2010, at 16:48, Dave Woutersen (GOVCERT.NL) wrote:

> ----------- nsp-security Confidential --------
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> I'm still receiving data from LE in regards to the Bredolab investigation.
> I'm sorry this stuff is coming in waves.
> 
> LE noticed in the wiretap data that there was a mechanism in place that
> would check FTP credentials against domains and report back with either an
> OK or a fail. We do not know what these OKs were used for; we suspect to
> inject malicious iframes into webpages, but we are not sure.
> 
> Attached are two files. "ftp-creds-domains.txt" and "ftp-creds-AS.txt"
> 
> The ftp-creds-domains.txt file contains all OKs that were found in the tap
> data with the following fields:
> Date -> time -> year -> domain:port -> username -> IP(s) the domain
> resolves to.
> 
> For obvious reasons the passwords are not included. We can get those when
> asked for.
> 
> The ftp-creds-AS.txt contains a sorted list of associated ASNs.
> I'm sorry if the data is not always consistent; for example, not all domains
> contained a userid after the query on the 2T+ of wiretap data had finished.
> Also I do not know how useful the data is, but if you own any of the
> mentioned domains, I would be really interested to know if the domain was
> actually compromised and what they injected, if they injected anything.
> 
> Greetz,
> Dave
> 
> - -- Dave Woutersen
> security specialist
> 
> GOVCERT.NL
> T +31 70 888 75 55
> I www.govcert.nl
> E dave.woutersen at govcert.nl
> 
> PGP Fingerprint: C87E 47E2 89D8 5DFB C86F  A3F3 1557 E2E9 AC15 7DD5
> 
> GOVCERT.NL is the Computer Emergency Response Team for the Dutch
> Government. We support the government in preventing and dealing with
> IT-related security incidents.
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.8.3 (Build 4028)
> Charset: utf-8
> 
> wj8DBQFM5UqS/zvo1MPWKhMRAkrVAKDC0cqllEzi96EYtmwRnYvV8jMaoQCePqDU
> US2D93Omwt+sDQxHtsDnY5g=
> =NIFL
> -----END PGP SIGNATURE-----
> 
> <ftp-creds-domains.txt><ftp-creds-AS.txt>
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
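A recipient of this notification has to answer one question quickly: which of the listed domains or resolved addresses are mine? The following triage helper is an added example for this thread, not code from GOVCERT.NL, the list, or the attachments. The mail only names the fields of ftp-creds-domains.txt, so the layout below is assumed: one record per line, fields in the order given in the mail, separated by tabs, with multiple IPs separated by commas. The sample lines are constructed for illustration and are not data from the real attachment; the zone and prefix values are placeholders for an operator's own holdings.

```python
"""Triage helper for an FTP-credential-check notification (added example).

Assumed layout of ftp-creds-domains.txt (the mail does not state it):
    Date<TAB>time<TAB>year<TAB>domain:port<TAB>username<TAB>IP(s)
An empty username field reflects the mail's remark that not every
record contains a userid. IP(s) may be a comma-separated list.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample records in the assumed layout (not real attachment data).
SAMPLE = (
    "18 Nov\t16:48:02\t2010\twww.example.org:21\twebmaster\t192.0.2.10\n"
    "18 Nov\t16:49:17\t2010\tshop.example.net:21\t\t198.51.100.7,198.51.100.8\n"
    "19 Nov\t03:12:40\t2010\tEXAMPLE.ORG:2121\tftpuser\t192.0.2.11\n"
)


@dataclass
class CredCheck:
    """One 'OK' result from the credential-check mechanism, as notified."""
    date: str
    time: str
    year: str
    domain: str                      # lower-cased, no trailing dot
    port: int
    username: Optional[str]          # None when the tap data held no userid
    ips: List[str] = field(default_factory=list)


def parse_line(line: str) -> CredCheck:
    """Parse one tab-separated record; raise on a malformed line."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    date, time, year, hostport, username, ips = fields
    host, _, port = hostport.rpartition(":")
    if not host:                     # no port given: assume plain FTP
        host, port = hostport, "21"
    # Validate each address so a garbled field fails loudly instead of silently.
    addrs = [str(ipaddress.ip_address(a.strip()))
             for a in ips.split(",") if a.strip()]
    return CredCheck(date, time, year, host.lower().rstrip("."),
                     int(port), username or None, addrs)


def parse_report(text: str) -> List[CredCheck]:
    """Parse the whole file, skipping blank lines."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def _in_zone(domain: str, zones: Iterable[str]) -> bool:
    # Match the zone apex itself and any name beneath it.
    return any(domain == z or domain.endswith("." + z) for z in zones)


def find_mine(records: Iterable[CredCheck],
              my_zones: Iterable[str] = (),
              my_prefixes: Iterable[str] = ()) -> List[CredCheck]:
    """Return records whose domain is in one of my zones or whose resolved
    address falls in one of my prefixes (the two questions the mail asks)."""
    zones = {z.lower().rstrip(".") for z in my_zones}
    nets = [ipaddress.ip_network(p, strict=False) for p in my_prefixes]
    hits = []
    for r in records:
        by_zone = _in_zone(r.domain, zones)
        by_ip = any(ipaddress.ip_address(a) in n for a in r.ips for n in nets)
        if by_zone or by_ip:
            hits.append(r)
    return hits


if __name__ == "__main__":
    # Placeholder holdings; an operator would substitute their own zones/prefixes.
    for hit in find_mine(parse_report(SAMPLE),
                         my_zones=["example.org"],
                         my_prefixes=["198.51.100.0/24"]):
        print(f"{hit.year}-{hit.date} {hit.time} {hit.domain}:{hit.port} "
              f"user={hit.username or '-'} ips={','.join(hit.ips)}")
```

Matching on the zone apex as well as on resolved prefixes matters because a hosting customer's domain may point at an address in the notified party's space while the domain itself is not theirs; either signal is enough to warrant checking the web root of that site for injected content, which is what the sender asks to be told about.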