[nsp-sec] 46.252.128.63 C&C for Stolen FTP credentials ?
Thomas Hungenberg
th.lab at hungenberg.net
Wed Apr 20 14:42:30 EDT 2011
Harri Sylvander wrote:
> We just got confirmation from one constituent that the affected user
> had changed their password late February to the one that was
> compromised, but again, the host in question did not have ftpd
> running, only sshd. So yes, it would seem that there is fresh data as
> well.
The credentials in the lists found on the malicious server were all in the format
ftp://username:password@host[:port][/path]
So maybe the attackers took harvested credentials for all kinds of services
and converted them to ftp-login-style.
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
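Added example, not part of the original message and not CERT-Bund's tooling: one way to parse lists in the format quoted above and report which hosts and accounts under a constituency's domains appear in them, without echoing passwords. The function names, the domain suffix and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# ftp://username:password@host[:port][/path], the format quoted in the message.
# Usernames may contain '@' and passwords may contain ':' or '@', so the
# password is matched lazily and the remainder must look like
# host[:port][/path] through to end of line. A password containing both '@'
# and '/' stays ambiguous in this format and may be split at the wrong '@'.
LINE_RE = re.compile(
    r"^ftp://(?P<user>[^:]*):(?P<password>.*?)@"
    r"(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?(?P<path>/.*)?$"
)

class Credential(NamedTuple):
    user: str
    password: str
    host: str
    port: int
    path: str

def parse_line(line: str) -> Optional[Credential]:
    """Parse one list entry; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    port = int(m["port"]) if m["port"] else 21  # no port given: FTP default
    if port > 65535:
        return None
    host = m["host"].lower().rstrip(".")
    return Credential(m["user"], m["password"], host, port, m["path"] or "")

def affected_accounts(lines, suffixes):
    """Map host -> sorted usernames for hosts under the given domain suffixes."""
    hits = defaultdict(set)
    for line in lines:
        cred = parse_line(line)
        if cred and any(cred.host == s or cred.host.endswith("." + s) for s in suffixes):
            hits[cred.host].add(cred.user)  # password deliberately not reported
    return {host: sorted(users) for host, users in hits.items()}

# Constructed sample lines (not taken from the real lists); example.* is reserved.
SAMPLE = [
    "ftp://alice:s3cret@ftp.example.org",
    "ftp://bob:p@ss:w0rd@shell.example.org:2121/htdocs",
    "ftp://carol:hunter2@WWW.Example.Org/pub/",
    "ftp://dave:x@other.example.net",
    "not a credential line",
]
```

A host that appears in such a list is not necessarily running an FTP service, as the thread notes, so matches are best treated as exposed account credentials for that host in general.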