Security company Finjan, which made the discovery, is not making public the names of the vulnerable Web domains, but its figures reveal that 160 out of the world's top 1000 domains have had their credentials stolen and are open to malware and spyware. Companies wanting to check if their domain is on the list can contact Finjan.
The database contains the username, password and server address of 8,700 domains, which would allow any hacker who rents the information to access the servers and plant malware. Users going to that website would then be open to infection, such as having a Trojan secretly downloaded on to their machine.
The stolen accounts include global companies in a wide range of industries, Government agencies and even some security companies.
The discovery underlines a problem that has been growing over the last year or so, with hackers targeting legitimate websites to avoid being detected by URL blacklists.
Security company Sophos says it detects around 6,000 new infected Web pages every day, although last June the daily figure surged to more than 29,000 for a short period.
"83 of these infected webpages actually belong to innocent companies and individuals, unaware that their sites have been hacked," said Graham Cluley, a senior consultant at Sophos.
"Criminal gangs are not only infecting Web pages, they are also trading usernames and passwords, which means they can spirit themselves onto corporate websites and plant dangerous code without having to exploit a vulnerability. Even if your website does not have a vulnerability on it which can be exploited, the hackers can effectively walk straight in through a side door."
The Finjan research uncovered what it calls "an almost unnoticeable standalone application" that the criminals use to trade stolen the FTP account credentials. It allows the server administrator to manage FTP credential information to inject iframe tags to any Web page it finds on the compromised FTP account. And it even helps the server administrator put a price tag on the stolen credentials by rating them by their country of residence and their Google rating.
The database that Finjan discovered certainly shows that many of the stolen domains have been chosen for their maximum commercial value. Ten of the accounts relate to some of the most visited websites, which are ranked in the world's top 100 according to Alexa.com.
Of the total 8,700 stolen accounts, most are based in the U.S. and Russia. Just 78 came from the U.K.
Yuval-Ben Itzhak, CTO at Finjan, summed up the risks: "If your FTP server credentials are on the list, criminals may use it to add crimeware on to your site -- so people visiting your site will get infected with crimeware and may sue you. And if the FTP server includes confidential documents and data, that can be in the hands of the criminals." He suggested that a good place to start is to change FTP passwords frequently.
Cluley said IT departments should regularly audit the usernames and passwords which have FTP access to their website, and ensure that passwords are changed regularly so that if they do fall into the wrong hands they cannot be abused for too long. "Some firms may wish to implement additional authentication methods to ensure that the person uploading code to the website really is who he or she claims to be," he added.
"Web servers are the backbone of the internet. Ensuring that servers are secure from outside attack is a prime concern for any organisation that relies on them."
His tips for protecting Web servers are:
You can download the Finjan report online.