The malicious domain, discovered last week by researchers at network security and management firm Blue Coat, housed a set of sensitive files, two of which contained a total of nearly 100,000 login and password combinations for a mixed batch of domains.
Another file contained 1,905 login and password combinations for the Servage.net domain, a provider that hosts more than 185,000 websites. A fourth file contained 197 credentials for a set of sites on the Russian narod.ru domain and several other Russian, Polish and Ukrainian web hosts.
Most of the logins – presumably used by webmasters – had "reasonably strong" passwords, Chris Larsen, a security researcher at Blue Coat, wrote in a blog post last week. One password in particular was a 39-character German phrase with a few numbers mixed in. Other passwords, however, were not as complex.
“Sadly, there were still quite a few ‘dictionary word’ passwords and ‘simple numeric’ passwords and other easily guessed ones, but these were a clear minority,” Larsen wrote.
Meanwhile, late last year an analysis of 32 million passwords obtained by a hacker who broke into the database of social networking application provider RockYou.com revealed that the most commonly used password on the site was ‘123456.’
Stumbling on a booty of stolen credentials can be frustrating for researchers because there is not much they can do to notify those whose passwords have been stolen, Larsen said. The discovery, however, does provide an opportunity to remind webmasters that their FTP credentials should be protected and treated with as much care as banking credentials.
“Try to only use them from computers that are known to be secure,” he wrote. “The bad guys want your login.”
Besides the stolen credentials, researchers also discovered several known malicious executable files and an encrypted payload disguised as a GIF.