Incidents.org is a daily read for me: http://www.incidents.org/diary.php?id=113 Yes, it's widespread, and you are not alone, I see the scans as well. ----- Original Message ----- From: "Aaron Wolfe" <aaronat_private> To: <incidentsat_private> Sent: Monday, December 17, 2001 10:59 AM Subject: FTP scans from wanadoo.fr > > hello, > > for some time (weeks if not months) several of our remote offices have been > logging connects attempts to port 21 from various ips that resolve to > (something).wanadoo.fr. since we have firewalls on many different networks > from several providers all logging these attempts, i'm fairly sure this is a > script randomly scanning ips. I even put up an FTP server on one box to see > what would happen if port 21 was open, it attempted to login as anonymous > but I didn't let it go any further. > > I have made many attempts to contact Wanadoo regarding this. I have sent > them logs and friendly messages asking if there is anything I can do to help > or if they would like more information. Despite sending at least 5 messages > over the last several weeks, I have never received any response at all. > > I have started gathering IPs and just blocking the networks as wanadoo seems > to be a french ISP with nothing of interest to any our our offices. but > obviously I'd like to be as specific as possible when passing out null > routes. > > My questions, has anyone else noticed this? I am almost certain others > have. But more importantly, is there an easy way for me to find out all the > networks that belong to wanadoo so I can just block them all rather than > waiting for a connection from a host in each network? Sorry if that's a > dumb question, i am kind of new to this. (many thanks to this list! i have > learned alot!) Oh, and am I over reacting here? I know these probes happen > all the time, but when they happen at all 20+ of our sites coming from the > same network for several weeks... ? > > -aaron > > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 13:38:56 PST