Hello, I'm sure you are all seeing this, but, i have noticed a bit of a pattern to all this, every hit i get starts with the A....i.e.: ftp connection attempt from AReims-101-1-4-54.abo.wanadoo.fr:3165 ftp connection attempt from AToulouse-201-1-2-235.abo.wanadoo.fr:2304 ftp connection attempt from ALyon-201-1-6-98.abo.wanadoo.fr:3620 ftp connection attempt from ABrest-101-1-4-4.abo.wanadoo.fr:3858 ftp connection attempt from ALagny-101-1-6-165.abo.wanadoo.fr:4526 ftp connection attempt from ALille-101-1-2-251.abo.wanadoo.fr:1025 ftp connection attempt from ABesancon-101-1-4-78.abo.wanadoo.fr:3884 this should all but confirm the fact that its some sort of script...hope that helps... loon On Mon, 2001-12-17 at 11:59, Aaron Wolfe wrote: > > hello, > > for some time (weeks if not months) several of our remote offices have been > logging connects attempts to port 21 from various ips that resolve to > (something).wanadoo.fr. since we have firewalls on many different networks > from several providers all logging these attempts, i'm fairly sure this is a > script randomly scanning ips. I even put up an FTP server on one box to see > what would happen if port 21 was open, it attempted to login as anonymous > but I didn't let it go any further. > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 15:41:54 PST