[nsp-sec] ACK 3303 Stolen FTP credentials (11727) from Bredo data
Stéphane Dodeller
dodeller at ip-plus.net
Fri Nov 19 11:10:57 EST 2010
Hi Dave,
Ack for 3303
Proxy-ack for AS44038
Thanks for the info!
Stéphane
On 18 Nov 2010 at 16:48, Dave Woutersen (GOVCERT.NL) wrote:
> ----------- nsp-security Confidential --------
>
>
> Hi,
>
> I'm still receiving data from LE in regards to the Bredolab investigation.
> I'm sorry this stuff is coming in waves.
>
> LE noticed in the wiretap data that there was a mechanism in place that
> would check FTP credentials against domains and report back with either an
> OK or a fail. We do not know what these OKs were used for; we suspect to
> inject malicious iframes into webpages, but we are not sure.
>
> Attached are two files. "ftp-creds-domains.txt" and "ftp-creds-AS.txt"
>
> The ftp-creds-domains.txt file contains all OKs that were found in the tap
> data with the following fields:
> Date -> time -> year -> domain:port -> username -> IP(s) the domain
> resolves to.
>
> For obvious reasons the passwords are not included. We can get those when
> asked for.
>
> The ftp-creds-AS.txt contains a sorted list of associated ASNs.
> I'm sorry if the data is not always consistent; for example, not all domains
> contained a userid after the query on the 2T+ of wiretap data had finished.
> Also, I do not know how useful the data is, but if you own any of the
> mentioned domains, I would be really interested to know if the domain was
> actually compromised and what they injected, if they injected anything.
>
> Greetz,
> Dave
>
> -- Dave Woutersen
> security specialist
>
> GOVCERT.NL
> T +31 70 888 75 55
> I www.govcert.nl
> E dave.woutersen at govcert.nl
>
> PGP Fingerprint: C87E 47E2 89D8 5DFB C86F A3F3 1557 E2E9 AC15 7DD5
>
> GOVCERT.NL is the Computer Emergency Response Team for the Dutch
> Government. We support the government in preventing and dealing with
> IT-related security incidents.
>
>
>
> <ftp-creds-domains.txt><ftp-creds-AS.txt>
>
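For a recipient of such a file, the first question is whether any of the listed domains are theirs. The following is an added example, not code from the mail or its attachments: a small Python parser for the field layout Dave describes, fed with constructed sample lines (the " -> " separator and the exact date layout are assumptions), that tolerates the missing-username case he mentions and reports the records under domains you operate.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout described in the mail. Field order follows
# the mail; the " -> " separator and date layout are assumptions, since the
# real attachment was not published. Second line has no username on purpose.
SAMPLE_FTP_CREDS_DOMAINS = """\
18 Nov -> 09:12:44 -> 2010 -> www.example.com:21 -> webmaster -> 192.0.2.10
18 Nov -> 09:13:02 -> 2010 -> shop.example.org:2121 -> -> 198.51.100.7, 198.51.100.8
18 Nov -> 09:14:57 -> 2010 -> example.net:21 -> ftpuser -> 203.0.113.5
"""

@dataclass
class OkRecord:
    date: str
    time: str
    year: str
    domain: str
    port: int
    username: Optional[str]   # None when the tap data had no userid
    ips: List[str]

def parse_record(line: str) -> Optional[OkRecord]:
    """Parse one 'OK' line; return None for lines that do not fit the layout."""
    fields = [f.strip() for f in line.split("->")]
    if len(fields) != 6:
        return None  # inconsistent line: skip rather than guess
    date, time, year, hostport, user, ips = fields
    host, _, port = hostport.rpartition(":")
    if not host or not port.isdigit():
        return None
    return OkRecord(date, time, year, host.lower(), int(port), user or None,
                    [ip for ip in re.split(r"[,\s]+", ips) if ip])

def parse_file(text: str) -> List[OkRecord]:
    recs = (parse_record(l) for l in text.splitlines() if l.strip())
    return [r for r in recs if r is not None]

def matches_owned(records: List[OkRecord], owned_domains) -> List[OkRecord]:
    """Records whose domain is, or is a subdomain of, a domain we operate."""
    owned = {d.lower().strip(".") for d in owned_domains}
    def owned_by_us(host: str) -> bool:
        parts = host.split(".")
        return any(".".join(parts[i:]) in owned for i in range(len(parts)))
    return [r for r in records if owned_by_us(r.domain)]

if __name__ == "__main__":
    for r in matches_owned(parse_file(SAMPLE_FTP_CREDS_DOMAINS), ["example.com"]):
        print(r.domain, r.port, r.username, r.ips)
```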