RE: FTP scans from wanadoo.fr

From: SunTrix Com Management (execat_private)
Date: Mon Dec 17 2001 - 14:04:41 PST


    Greetings Aaron,
    
    Yes indeed, we had regularly received major numbers of ftp anon attempts from
    both *.wanadoo.fr and *.dip.t-dialin.net on our servers that ran ftpd.
    
    Considering the IP space involved (these two telcos pretty much cover EU), my
    solution once I reached the "international had-it line", was to shut down the
    ftpd and require our users to use SCP.  That ended my frustration and our users
    took to it very nicely.  There's even a free Win version of SCP, "WinScp" at
    http://winscp.vse.cz/eng/ , very easy to support.
    
    If you're "hell-bent" to try to get a response (I wish you well), wanadoo has an
    abuseat_private email, but there are also admin/tech contact emails listed at:
    
    http://www.nic.fr/cgi-bin/whois
    
    HTH,
    
    Nikki Cook
    
    SunTrix Com
    Daytona Beach, Fl
    Voice: (386) 258-5434
    
    -----Original Message-----
    From: Aaron Wolfe [mailto:aaronat_private]
    Sent: Monday, December 17, 2001 1:00 PM
    To: incidentsat_private
    Subject: FTP scans from wanadoo.fr
    
    
    
    hello,
    
    for some time (weeks if not months) several of our remote offices have been
    logging connection attempts to port 21 from various ips that resolve to
    (something).wanadoo.fr.  since we have firewalls on many different networks
    from several providers all logging these attempts, i'm fairly sure this is a
    script randomly scanning ips.  I even put up an FTP server on one box to see
    what would happen if port 21 was open, it attempted to login as anonymous
    but I didn't let it go any further.
    
    I have made many attempts to contact Wanadoo regarding this.  I have sent
    them logs and friendly messages asking if there is anything I can do to help
    or if they would like more information.  Despite sending at least 5 messages
    over the last several weeks, I have never received any response at all.
    
    I have started gathering IPs and just blocking the networks as wanadoo seems
    to be a french ISP with nothing of interest to any of our offices.  but
    obviously I'd like to be as specific as possible when passing out null
    routes.
    
    My questions, has anyone else noticed this?  I am almost certain others
    have.  But more importantly, is there an easy way for me to find out all the
    networks that belong to wanadoo so I can just block them all rather than
    waiting for a connection from a host in each network?  Sorry if that's a
    dumb question, i am kind of new to this.  (many thanks to this list! i have
    learned a lot!)  Oh, and am I overreacting here?  I know these probes happen
    all the time, but when they happen at all 20+ of our sites coming from the
    same network for several weeks...  ?
    
    -aaron
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 15:32:14 PST
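The approach discussed in the thread (correlating port 21 probes seen at several sites, then blocking as narrowly as possible) can be sketched as follows. This is an added example, not code from either poster; the `site=`/`src=`/`dpt=` log format, the thresholds, and the sample lines (documentation address ranges) are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log lines; the key=value format is an assumption.
SAMPLE_LOG = """\
site=office01 src=192.0.2.17 dpt=21 action=DROP
site=office02 src=192.0.2.17 dpt=21 action=DROP
site=office03 src=192.0.2.44 dpt=21 action=DROP
site=office01 src=192.0.2.44 dpt=21 action=DROP
site=office02 src=198.51.100.9 dpt=21 action=DROP
site=office04 src=198.51.100.9 dpt=21 action=DROP
site=office01 src=203.0.113.5 dpt=21 action=DROP
site=office03 src=203.0.113.80 dpt=80 action=DROP
truncated line with no fields
"""

def scanners(log, port=21, min_sites=2):
    """Map each source IP that hit `port` at >= min_sites distinct sites to those sites."""
    sites = defaultdict(set)
    for line in log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            if int(fields["dpt"]) != port:
                continue
            ip = ipaddress.ip_address(fields["src"])
        except (KeyError, ValueError):
            continue  # skip malformed or incomplete lines
        sites[ip].add(fields.get("site", "unknown"))
    return {ip: s for ip, s in sites.items() if len(s) >= min_sites}

def block_candidates(ips, prefixlen=24, min_hosts=2):
    """Widen to a /prefixlen only when several distinct sources fall inside it;
    otherwise keep the single host. This is a heuristic over observed traffic,
    not registry allocation data, so review the list before null-routing."""
    by_net = defaultdict(set)
    for ip in ips:
        by_net[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)].add(ip)
    out = []
    for net, members in by_net.items():
        if len(members) >= min_hosts:
            out.append(net)
        else:
            out.extend(ipaddress.ip_network(str(m)) for m in members)
    return sorted(ipaddress.collapse_addresses(out))

if __name__ == "__main__":
    for net in block_candidates(scanners(SAMPLE_LOG)):
        print(net)
```

A source seen at only one site (203.0.113.5 in the sample) is left out, which keeps ordinary one-off probes from ending up on the block list.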