[nsp-sec] Stolen FTP credentials ACK AS209, AS5668 & AS32855

Hicks, Howard Howard.Hicks at CenturyLink.com
Tue Aug 16 11:45:52 EDT 2011


Thanks!
--

Howard Hicks

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Thomas Hungenberg
> Sent: Tuesday, August 16, 2011 7:49 AM
> To: nsp-sec
> Subject: [nsp-sec] Stolen FTP credentials
>
> ----------- nsp-security Confidential --------
>
> Hi,
>
> please find below a list of stolen FTP login credentials found on a
> compromised server.
> I don't have information on how and when the credentials were stolen but
> there are indications they have been harvested on ZeuS infected PCs.
>
> Format: ASN | IP | CC | hostname | username | sanitized password | AS name
>
>
>      - Thomas
>
> CERT-Bund Incident Response & Anti-Malware Team
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
