[nsp-sec] Stolen FTP credentials (11727) from Bredo data

Serge Droz serge.droz at switch.ch
Wed Nov 24 08:12:24 EST 2010


ACK

513
559
702
1836
3303
6724
6730
6830
8220
8404
8758
9042
9044
9100
10297
12333
12350
13030
15600
15623
16215
21069
24900
24940
24951
29097
29222
29245
35206
41186
44776
47302

Cheers
Serge

On 18/11/10 16:48, Dave Woutersen (GOVCERT.NL) wrote:
> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> I'm still receiving data from LE in regards to the Bredolab investigation.
> I'm sorry this stuff is coming in waves.
> 
> LE noticed in the wiretap data that there was a mechanism in place that
> would check FTP credentials against domains and report back with either an
> OK or a fail. We do not know what these OKs were used for, we suspect to
> inject malicious iframes into webpages but we are not sure.
> 
> Attached are two files. "ftp-creds-domains.txt" and "ftp-creds-AS.txt"
> 
> The ftp-creds-domains.txt file contains all OKs that were found in the tap
> data with the following fields:
> Date -> time -> year -> domain:port -> username -> IP(s) the domain
> resolves to.
> 
> For obvious reasons the passwords are not included. We can get those when
> asked for.
> 
> The ftp-creds-AS.txt contains a sorted list of associated ASNs.
> I'm sorry if the data is not always consistent, for example, not all domains
> contained a userid after the query on the 2T+ of wiretap data had finished.
> Also I do not know how useful the data is, but if you own any of the
> mentioned domains, I would be really interested to know if the domain was
> actually compromised and what they injected if they injected anything.
> 
> Greetz,
> Dave
> 
> -- Dave Woutersen
> security specialist
> 
> GOVCERT.NL
> T +31 70 888 75 55
> I www.govcert.nl
> E dave.woutersen at govcert.nl
> 
> PGP Fingerprint: C87E 47E2 89D8 5DFB C86F  A3F3 1557 E2E9 AC15 7DD5
> 
> GOVCERT.NL is the Computer Emergency Response Team for the Dutch
> Government. We support the government in preventing and dealing with
> IT-related security incidents.
> 
> 

_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________

-- 
SWITCH
Serving Swiss Universities
--------------------------
Serge Droz, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 63, fax +41 44 268 15 78
serge.droz at switch.ch, http://www.switch.ch
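The quoted post describes the shared file as one record per line with the fields date, time, year, domain:port, username and the IP(s) the domain resolves to, and warns that the username is sometimes missing; the reply above ACKs a list of ASNs. The script below is an added example of how a CERT member could reduce such a file to the records that fall inside the ASNs they are responsible for, so they can notify the domain owners. It is not code from the thread or from GOVCERT.NL. It assumes the file is tab-separated (the post does not say what the separator is), and the sample records and prefix-to-ASN table are constructed for illustration; a real run would use the attached files and a routing lookup in place of the table.

```python
"""Filter shared FTP-credential hits down to one team's ASN constituency.

Added example, not part of the original thread. Assumes the columns named
in the post (date, time, year, domain:port, username, resolved IPs) and a
tab separator; the sample lines and prefix table below are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample of ftp-creds-domains.txt (assumed tab-separated).
# Second record has no username, as the post says can happen.
SAMPLE_DOMAINS = (
    "18/10\t14:02:11\t2010\tshop.example.ch:21\twebmaster\t192.0.2.10,192.0.2.11\n"
    "18/10\t14:05:40\t2010\tblog.example.org:21\t\t198.51.100.7\n"
    "19/10\t09:17:03\t2010\tcms.example.net:2121\tadmin\t203.0.113.5\n"
    "garbled line that does not parse\n"
)

# Constructed prefix-to-ASN table standing in for a real routing lookup.
SAMPLE_PREFIXES: Dict[str, int] = {
    "192.0.2.0/24": 559,
    "198.51.100.0/24": 513,
    "203.0.113.0/24": 64496,
}


@dataclass
class FtpHit:
    date: str
    time: str
    year: str
    domain: str
    port: int
    username: Optional[str]       # None when the record carried no userid
    ips: List[str]
    asns: Set[int] = field(default_factory=set)


def parse_ftp_creds(text: str) -> List[FtpHit]:
    """Parse records; skip lines that do not have the six expected fields."""
    hits: List[FtpHit] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) < 6:
            continue  # post warns the data is not always consistent
        date, time, year, hostport, user, ipfield = fields[:6]
        domain, _, port = hostport.rpartition(":")
        if not domain:  # no ":port" suffix, assume plain FTP
            domain, port = hostport, "21"
        try:
            port_no = int(port)
        except ValueError:
            continue
        ips = [ip.strip() for ip in ipfield.split(",") if ip.strip()]
        hits.append(FtpHit(date, time, year, domain, port_no, user or None, ips))
    return hits


def asn_for_ip(ip: str, table: List[tuple]) -> Optional[int]:
    """Return the ASN whose prefix contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def hits_for_asns(text: str, prefixes: Dict[str, int],
                  my_asns: Iterable[int]) -> List[FtpHit]:
    """Keep only records whose resolved IPs map to one of my_asns."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in prefixes.items()]
    mine = set(my_asns)
    relevant: List[FtpHit] = []
    for hit in parse_ftp_creds(text):
        for ip in hit.ips:
            try:
                asn = asn_for_ip(ip, table)
            except ValueError:
                continue  # malformed address in the shared data
            if asn is not None:
                hit.asns.add(asn)
        if hit.asns & mine:
            relevant.append(hit)
    return relevant


def summarize(hits: List[FtpHit]) -> Dict[int, int]:
    """Count affected records per ASN, the shape of an ACK-style reply."""
    counts: Dict[int, int] = {}
    for h in hits:
        for a in h.asns:
            counts[a] = counts.get(a, 0) + 1
    return counts


if __name__ == "__main__":
    for h in hits_for_asns(SAMPLE_DOMAINS, SAMPLE_PREFIXES, {513, 559}):
        print(h.domain, h.port, h.username, sorted(h.asns))
```

With the constructed table, the two records for 192.0.2.0/24 and 198.51.100.0/24 are returned for an ACK of AS559 and AS513, the missing username survives as `None`, and the unparseable line is skipped rather than aborting the run.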
