Re: FTP scans from wanadoo.fr

From: Paul Asadoorian (paul.comat_private)
Date: Mon Dec 17 2001 - 13:08:39 PST

  • Next message: Todd Suiter: "Re: FTP scans from wanadoo.fr"

    We too have seen the exact same traffic here.  Not sure what to do about it,
    too bad there wasn't an "Ftp blacklist" sorta the same thing that exists for
    mail.  It may prove useful if the ISP suddenly realizes that half of their
    address space is being blocked on numerous routers across the Internet.
    
    Paul Asadoorian, GCIA
    ----- Original Message -----
    From: "Aaron Wolfe" <aaronat_private>
    To: <incidentsat_private>
    Sent: Monday, December 17, 2001 12:59 PM
    Subject: FTP scans from wanadoo.fr
    
    
    >
    > hello,
    >
    > for some time (weeks if not months) several of our remote offices have
    been
    > logging connects attempts to port 21 from various ips that resolve to
    > (something).wanadoo.fr.  since we have firewalls on many different
    networks
    > from several providers all logging these attempts, i'm fairly sure this is
    a
    > script randomly scanning ips.  I even put up an FTP server on one box to
    see
    > what would happen if port 21 was open, it attempted to login as anonymous
    > but I didn't let it go any further.
    >
    > I have made many attempts to contact Wanadoo regarding this.  I have sent
    > them logs and friendly messages asking if there is anything I can do to
    help
    > or if they would like more information.  Despite sending at least 5
    messages
    > over the last several weeks, I have never received any response at all.
    >
    > I have started gathering IPs and just blocking the networks as wanadoo
    seems
    > to be a french ISP with nothing of interest to any our our offices.  but
    > obviously I'd like to be as specific as possible when passing out null
    > routes.
    >
    > My questions, has anyone else noticed this?  I am almost certain others
    > have.  But more importantly, is there an easy way for me to find out all
    the
    > networks that belong to wanadoo so I can just block them all rather than
    > waiting for a connection from a host in each network?  Sorry if that's a
    > dumb question, i am kind of new to this.  (many thanks to this list! i
    have
    > learned alot!)  Oh, and am I over reacting here?  I know these probes
    happen
    > all the time, but when they happen at all 20+ of our sites coming from the
    > same network for several weeks...  ?
    >
    > -aaron
    >
    >
    > --------------------------------------------------------------------------
    --
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 13:14:07 PST