RE: FTP scans from wanadoo.fr

From: Rick Darsey (rdarseyat_private)
Date: Mon Dec 17 2001 - 13:36:13 PST

    Sorry for sending this directly to you, but my posts to the list do not seem
    to go through. Here is what I have from the wanadoo.fr domain. This is from
    2 servers;
    
    
    Apr 10 09:27:07 web1 ftpd[11279]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ASte-Genev-Bois-101-1-2-63.abo.wanadoo.fr [193.252.179.63], anonymous
    Apr 16 11:18:56 web1 ftpd[3864]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM AMontsouris-102-1-2-174.abo.wanadoo.fr [217.128.29.174], anonymous
    Jun  8 04:14:54 web1 ftpd[1385]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM APuteaux-102-1-6-200.abo.wanadoo.fr [193.253.62.200], anonymous
    Jun 14 09:13:47 web1 ftpd[15558]: failed login from ANancy-101-1-4-76.abo.wanadoo.fr [217.128.39.76]
    Jun 14 09:13:47 web1 ftpd[15558]: lost connection to ANancy-101-1-4-76.abo.wanadoo.fr [217.128.39.76]
    Jun 14 18:39:41 web1 ftpd[16468]: lost connection to ANancy-101-1-4-76.abo.wanadoo.fr [217.128.39.76]
    Aug  9 00:57:06 web1 ftpd[14222]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM APuteaux-102-1-5-184.abo.wanadoo.fr [193.253.243.184], anonymous
    Aug 27 08:59:14 web1 ftpd[662]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ANancy-101-1-5-119.abo.wanadoo.fr [217.128.164.119], anonymous
    Sep  6 03:01:43 web1 ftpd[8275]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ASte-Genev-Bois-101-1-4-36.abo.wanadoo.fr [217.128.44.36], anonymous
    Oct 15 14:35:15 web1 ftpd[4232]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM APoitiers-101-1-2-106.abo.wanadoo.fr [217.128.89.106], anonymous
    Oct 17 08:16:21 web1 ftpd[5405]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ADijon-101-1-4-141.abo.wanadoo.fr [80.11.37.141], anonymous
    Oct 20 04:21:02 web1 ftpd[11680]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ABrest-101-1-3-139.abo.wanadoo.fr [217.128.96.139], anonymous
    Oct 20 13:30:30 web1 ftpd[12425]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ANantes-101-1-5-30.abo.wanadoo.fr [193.251.16.30], anonymous
    Oct 24 17:23:02 web1 ftpd[25429]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ADijon-101-1-1-101.abo.wanadoo.fr [193.251.185.101], anonymous
    Nov  1 15:28:30 web1 ftpd[22007]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ADijon-101-1-3-238.abo.wanadoo.fr [217.128.160.238], anonymous
    Nov 19 16:33:34 web1 ftpd[13591]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ALyon-102-1-2-108.abo.wanadoo.fr [193.253.230.108], anonymous
    Nov 21 16:24:42 web1 ftpd[18453]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ALyon-102-1-6-48.abo.wanadoo.fr [80.11.199.48], anonymous
    Nov 23 02:40:31 web1 ftpd[7743]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ALyon-102-1-6-48.abo.wanadoo.fr [80.11.199.48], anonymous
    Nov 26 05:26:32 web1 ftpd[3037]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM AClermont-Ferrand-101-1-2-216.abo.wanadoo.fr [193.252.188.216], anonymous
    Nov 26 13:29:42 web1 ftpd[647]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ANeuilly-101-1-4-53.abo.wanadoo.fr [193.252.2.53], anonymous
    Nov 30 11:50:24 web1 ftpd[4418]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ALimoges-101-1-1-116.abo.wanadoo.fr [193.251.24.116], anonymous
    Dec 13 19:50:44 web1 ftpd[4722]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ANice-103-1-5-203.abo.wanadoo.fr [80.13.196.203], anonymous

    [New Server]

    May 17 04:20:20 scosysv ftpd[28190]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ca-ol-bordeaux-11-195.abo.wanadoo.fr [213.56.54.195], anonymous
    Aug 21 13:02:45 scosysv ftpd[3326]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM AMarseille-101-1-2-224.abo.wanadoo.fr [80.11.1.224], anonymous
    Oct  6 02:49:38 scosysv ftpd[88]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ALille-101-1-2-249.abo.wanadoo.fr [217.128.25.249], anonymous
    Nov 18 16:14:29 scosysv ftpd[10984]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM APlessis-Bouchard-101-1-4-238.abo.wanadoo.fr [217.128.88.238], anonymous
    
    -----Original Message-----
    From: Todd Suiter [mailto:toddat_private]
    Sent: Monday, December 17, 2001 3:21 PM
    To: Paul Asadoorian
    Cc: aaronat_private; incidentsat_private
    Subject: Re: FTP scans from wanadoo.fr
    
    
    Here you go:
    
    From: Chris Reynolds [mailto:chrisat_private]
    Sent: Friday, December 07, 2001 2:53 PM
    To: Intrusions List (E-mail)
    Subject: Wanadoo.fr Scans
    
    
    Hi all,
    
    Good news on the Wanadoo.fr front! Their upstream provider, Opentransit is
    now aware of the scope of the scanning activity from Wanadoo.fr network
    space and they have requested a list of source IPs involved in scanning
    and/or attacks. Opentransit has said that they will be escalating this issue
    with Wanadoo.fr management, and they need some data to go with it.

    Please forward any IDS or server logs showing Wanadoo.fr activity - the more
    source IPs we send them, the easier it will be for them to enact some
    positive change at Wanadoo.fr. We should be able to get this wrapped up very
    soon!
    
    Thanks,
    
    
    On Mon, 17 Dec 2001, Paul Asadoorian wrote:
    
    > We too have seen the exact same traffic here.  Not sure what to do about it,
    > too bad there wasn't an "Ftp blacklist" sorta the same thing that exists for
    > mail.  It may prove useful if the ISP suddenly realizes that half of their
    > address space is being blocked on numerous routers across the Internet.
    >
    > Paul Asadoorian, GCIA
    > ----- Original Message -----
    > From: "Aaron Wolfe" <aaronat_private>
    > To: <incidentsat_private>
    > Sent: Monday, December 17, 2001 12:59 PM
    > Subject: FTP scans from wanadoo.fr
    >
    >
    > >
    > > hello,
    > >
    > > for some time (weeks if not months) several of our remote offices have been
    > > logging connection attempts to port 21 from various ips that resolve to
    > > (something).wanadoo.fr.  since we have firewalls on many different networks
    > > from several providers all logging these attempts, I'm fairly sure this is a
    > > script randomly scanning ips.  I even put up an FTP server on one box to see
    > > what would happen if port 21 was open, it attempted to login as anonymous
    > > but I didn't let it go any further.
    > >
    > > I have made many attempts to contact Wanadoo regarding this.  I have sent
    > > them logs and friendly messages asking if there is anything I can do to help
    > > or if they would like more information.  Despite sending at least 5 messages
    > > over the last several weeks, I have never received any response at all.
    > >
    > > I have started gathering IPs and just blocking the networks as wanadoo seems
    > > to be a French ISP with nothing of interest to any of our offices.  but
    > > obviously I'd like to be as specific as possible when passing out null
    > > routes.
    > >
    > > My questions, has anyone else noticed this?  I am almost certain others
    > > have.  But more importantly, is there an easy way for me to find out all the
    > > networks that belong to wanadoo so I can just block them all rather than
    > > waiting for a connection from a host in each network?  Sorry if that's a
    > > dumb question, I am kind of new to this.  (many thanks to this list! I have
    > > learned a lot!)  Oh, and am I overreacting here?  I know these probes happen
    > > all the time, but when they happen at all 20+ of our sites coming from the
    > > same network for several weeks...  ?
    > >
    > > -aaron
    > >
    > >
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com
    > >
    
    



    This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 13:56:40 PST
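
Added example (not part of the original messages): one way to turn mail-wrapped ftpd syslog excerpts like those quoted above into the deduplicated source-IP list the thread asks for, correlated across logging servers. The sample lines, hostnames and addresses are constructed (documentation ranges), and the function names and the /24 grouping are assumptions made for reporting only.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: same line shapes as the excerpt above, wrapped mid-word by a mail client.
SAMPLE = """\
Apr 10 09:27:07 web1 ftpd[11279]: FTP LOGIN REFUSED (ftp not in /etc/passwd)
FRO
M dyn-63.isp.example [192.0.2.63], anonymous
Jun 14 09:13:47 web1 ftpd[15558]: failed login from dyn-76.isp.exampl
e [198.51.100.76]
Nov 21 16:24:42 web1 ftpd[18453]: FTP LOGIN REFUSED (ftp not in /etc/passwd)
FROM
 dyn-48.isp.example [192.0.2.48], anonymous
May 17 04:20:20 scosysv ftpd[28190]: FTP LOGIN REFUSED (ftp not in
/etc/passwd)
FROM dyn-76.isp.example [198.51.100.76], anonymous
"""
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) ftpd\[\d+\]: ")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unwrap(text):
    """Rejoin wrapped records as [server, text]; a syslog timestamp starts a new one."""
    records = []
    for line in text.splitlines():
        start = RECORD_START.match(line)
        if start:
            records.append([start.group(1), line])
        elif records:
            records[-1][1] += line  # wraps fall mid-word: join with no separator
    return records

def summarize(text):
    """Map each source IP to the servers that logged it and its event count."""
    sources = defaultdict(lambda: {"servers": set(), "events": 0})
    for server, record in unwrap(text):
        found = BRACKETED_IP.search(record)
        try:  # key on the bracketed IP; wrapping may have damaged the hostname
            addr = str(ipaddress.ip_address(found.group(1) if found else ""))
        except ValueError:
            continue  # no bracketed address, or not a valid IPv4 address
        sources[addr]["servers"].add(server)
        sources[addr]["events"] += 1
    return dict(sources)

def by_network(sources, prefix=24):
    """Group source IPs by covering network (the /24 default is an assumption)."""
    nets = defaultdict(list)
    for ip in sorted(sources, key=ipaddress.ip_address):
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))].append(ip)
    return dict(nets)
```

Calling `by_network(summarize(text))` on a pasted excerpt gives per-network lists of the addresses actually observed, which keeps any block or abuse report limited to sources that appear in the logs.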