[nsp-sec] 46.252.128.63 C&C for Stolen FTP credentials ?

Harri Sylvander harri.sylvander at csc.fi
Wed Apr 20 11:04:39 EDT 2011


Hello again,

> > The first few chars of the reported passwords match the ones that were
> > compromised in that incident ~6 months ago. Obviously possible that
> > the users have reverted to the same old or similar passwords. The
> > other possibility is that there is also some old data mixed in and at
> > least some of the reported credentials might be for services other
> > than FTP.
>
> I have confirmation that at least two accounts were collected a couple
> of months ago. Both were used on one computer a couple of months (last
> year) ago.

We just got confirmation from one constituent that the affected user
had changed their password late February to the one that was
compromised, but again, the host in question did not have ftpd
running, only sshd. So yes, it would seem that there is fresh data as
well.

One constituent is taking a look at a box that was talking UDP with: 

  46.252.128.63:44978

I'll report back if they find anything anomalous.


Cheers,

-hts

--
Harri Sylvander, Funet CERT, CSC - IT Center for Science Ltd.
P.O. Box 405, 02101 Espoo, Finland, tel +358 9 457 2082
CSC is the Finnish IT Center for Science, http://www.csc.fi/
e-mail: harri.sylvander at csc.fi
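For anyone checking other constituents' hosts for the same traffic, here is an added example (not part of the original mail or any tool mentioned in it) that walks Zeek-style conn.log lines and reports internal hosts that exchanged UDP with the 46.252.128.63:44978 endpoint named above. The log lines are constructed for illustration; only the IP and port come from the mail.

```python
# Added example, not from the original thread: find hosts that talked UDP with
# the C&C endpoint named in the mail, using Zeek-style conn.log lines.
from collections import defaultdict

CNC_IP = "46.252.128.63"   # indicator from the mail
CNC_PORT = 44978           # indicator from the mail

# Constructed sample; subset of Zeek conn.log columns, tab-separated:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes
SAMPLE_CONN_LOG = """\
1303310400.1\tC1\t10.0.0.5\t51234\t46.252.128.63\t44978\tudp\t120\t64
1303310405.3\tC2\t10.0.0.7\t22\t10.0.0.50\t48000\ttcp\t5000\t9000
1303310410.8\tC3\t10.0.0.5\t51240\t46.252.128.63\t44978\tudp\t88\t-
1303310412.0\tC4\t10.0.0.9\t40001\t46.252.128.63\t53\tudp\t60\t80
1303310420.2\tC5\t10.0.0.12\t51300\t46.252.128.63\t44978\tudp\t300\t128
"""

def _num(s):
    """Zeek writes '-' for unset counters; treat that as zero."""
    return int(s) if s.isdigit() else 0

def parse_conn_line(line):
    """Split one conn.log line into a dict; returns None for malformed lines."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 9:
        return None
    return {"orig_h": f[2], "orig_p": int(f[3]), "resp_h": f[4],
            "resp_p": int(f[5]), "proto": f[6],
            "orig_bytes": _num(f[7]), "resp_bytes": _num(f[8])}

def hosts_talking_to_cnc(log_text, cnc_ip=CNC_IP, cnc_port=CNC_PORT):
    """Return {internal_host: {"flows": n, "bytes_out": total}} for hosts with
    UDP flows to the indicator; the endpoint is matched in either direction."""
    hits = defaultdict(lambda: {"flows": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "udp":
            continue
        if rec["resp_h"] == cnc_ip and rec["resp_p"] == cnc_port:
            host, out = rec["orig_h"], rec["orig_bytes"]
        elif rec["orig_h"] == cnc_ip and rec["orig_p"] == cnc_port:
            host, out = rec["resp_h"], rec["resp_bytes"]
        else:
            continue   # other traffic to that IP (e.g. port 53) is not the indicator
        hits[host]["flows"] += 1
        hits[host]["bytes_out"] += out
    return dict(hits)
```

Port-only matches on the IP (such as the DNS-looking flow in the sample) are deliberately left out so that the hit list stays tied to the exact endpoint reported.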
