[nsp-sec] ACK 680 Stolen FTP credentials (11727) from Bredo data

Torsten Voss voss at dfn-cert.de
Fri Nov 19 10:34:42 EST 2010


Hi Dave,

thanks for the data and hint!

ACK AS680

Cheers,
Torsten


On 18.11.2010 16:48, Dave Woutersen (GOVCERT.NL) wrote:
> ----------- nsp-security Confidential --------
> 
> 
> 
> 
> Hi,
> 
> I'm still receiving data from LE with regard to the Bredolab investigation.
> I'm sorry this stuff is coming in waves.
> 
> LE noticed in the wiretap data that there was a mechanism in place that
> would check FTP credentials against domains and report back with either an
> OK or a fail. We do not know what these OKs were used for; we suspect they
> were used to inject malicious iframes into web pages, but we are not sure.
> 
> Attached are two files. "ftp-creds-domains.txt" and "ftp-creds-AS.txt"
> 
> The ftp-creds-domains.txt file contains all OKs that were found in the tap
> data with the following fields:
> Date -> time -> year -> domain:port -> username -> IP(s) the domain
> resolves to.
> 
> For obvious reasons the passwords are not included. We can get those when
> asked for.
> 
> The ftp-creds-AS.txt contains a sorted list of associated ASNs.
> I'm sorry if the data is not always consistent; for example, not all domains
> contained a userid after the query on the 2T+ of wiretap data had finished.
> Also, I do not know how useful the data is, but if you own any of the
> mentioned domains, I would be really interested to know whether the domain was
> actually compromised and what they injected, if they injected anything.
> 
> Greetz,
> Dave
> 
> -- Dave Woutersen
> security specialist
> 
> GOVCERT.NL
> T +31 70 888 75 55
> I www.govcert.nl
> E dave.woutersen at govcert.nl
> 
> PGP Fingerprint: C87E 47E2 89D8 5DFB C86F  A3F3 1557 E2E9 AC15 7DD5
> 
> GOVCERT.NL is the Computer Emergency Response Team for the Dutch
> Government. We support the government in preventing and dealing with
> IT-related security incidents.
> 
> 

_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________



-- 
Dipl.-Ing.(FH) Torsten Voss (Incident Response Team), Phone +49 40 808077-634

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone  +49 40 808077-590
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic warning notifications            https://www.cert.dfn.de/autowarn
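A tolerant parser for the ftp-creds-domains.txt record layout described in the quoted message (date, time, year, domain:port, username, resolved IP(s)), with a filter that picks out the records a receiving CERT would forward to its constituency. This is an added example, not code from the original thread or from either CERT; the tab-separated layout, the comma-separated IP list, the default port 21 for records without one and the sample records are assumptions, since the actual file layout was not posted to the list. It deliberately copes with the inconsistencies the sender warned about (missing userid, more than one IP per domain).

```python
"""Added example: parse the described ftp-creds-domains.txt records and select
those touching a constituency's own domains or address blocks.
Assumptions (not from the thread): tab-separated fields, comma-separated IPs,
port 21 when the domain field carries no port."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class FtpCredHit:
    """One 'OK' record from the tap data, with the fields the message lists."""
    date: str
    time: str
    year: str
    domain: str
    port: int
    username: Optional[str]          # None where the tap data carried no userid
    ips: List[str] = field(default_factory=list)


def _as_ip_list(text: str) -> Optional[List[str]]:
    """Normalised IPs if every comma-separated part is an address, else None."""
    parts = [p.strip() for p in text.split(",") if p.strip()]
    try:
        return [str(ipaddress.ip_address(p)) for p in parts] or None
    except ValueError:
        return None


def parse_record(line: str) -> Optional[FtpCredHit]:
    """Parse one tab-separated record (assumed delimiter); None for blank/# lines.

    Tolerates a missing username and a missing port, since the sender warned
    that the extracted data is not always consistent."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields = line.split("\t")
    if len(fields) < 4:
        raise ValueError(f"too few fields: {line!r}")
    date, time_, year, hostport = (f.strip() for f in fields[:4])
    host, _, port = hostport.rpartition(":")
    if not host:                     # no ':' at all -> bare hostname, default FTP port
        host, port = hostport, "21"
    username: Optional[str] = None
    ips: List[str] = []
    # Trailing fields: an optional username, then zero or more IP fields.
    for f in fields[4:]:
        f = f.strip()
        if not f:
            continue
        parsed = _as_ip_list(f)
        if parsed:
            ips.extend(parsed)
        elif username is None:
            username = f
        else:
            raise ValueError(f"unexpected trailing field {f!r} in {line!r}")
    return FtpCredHit(date, time_, year, host.strip("[]").lower(), int(port), username, ips)


def parse_file(lines: Iterable[str]) -> List[FtpCredHit]:
    return [h for h in map(parse_record, lines) if h is not None]


def affected(hits: Iterable[FtpCredHit], owned_domains: Iterable[str],
             owned_prefixes: Iterable[str]) -> List[FtpCredHit]:
    """Records to forward to the constituency: the FTP host is an owned domain
    (or a subdomain of one), or a resolved IP sits inside an owned prefix."""
    doms = {d.lower().strip(".") for d in owned_domains}
    nets = [ipaddress.ip_network(p, strict=False) for p in owned_prefixes]
    out = []
    for h in hits:
        by_name = any(h.domain == d or h.domain.endswith("." + d) for d in doms)
        by_ip = any(ipaddress.ip_address(ip) in n for ip in h.ips for n in nets)
        if by_name or by_ip:
            out.append(h)
    return out


# Constructed sample records in the assumed layout; not data from the investigation.
SAMPLE = """\
# constructed sample, not LE data
18.11\t10:02:11\t2010\tftp.example.org:21\twebadmin\t192.0.2.10
18.11\t10:02:15\t2010\tshop.example.net\t\t198.51.100.7,198.51.100.8
18.11\t10:03:40\t2010\tcms.example.com:2121\tftpuser\t203.0.113.5
"""

if __name__ == "__main__":
    hits = parse_file(SAMPLE.splitlines())
    for h in affected(hits, ["example.net"], ["203.0.113.0/24"]):
        print(f"{h.domain}:{h.port} user={h.username or '-'} ips={','.join(h.ips)}")
```

Matching on both the domain name and the resolved IPs matters here: the list the sender attached is keyed by domain, but a constituent hosting provider usually recognises its own address space more readily than a customer's domain, and a domain whose DNS has since changed would otherwise slip through.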



