Re: FTP scans from wanadoo.fr

From: Phil (pbi@cartel-info.fr)
Date: Mon Dec 17 2001 - 15:55:57 PST

    On 17 Dec 2001, loon wrote:
    
    > Hello,
    > I'm sure you are all seeing this, but I have noticed a bit of a pattern
    > to all this: every hit I get starts with the A, i.e.:
    >
    > ftp connection attempt from AReims-101-1-4-54.abo.wanadoo.fr:3165
    > ftp connection attempt from AToulouse-201-1-2-235.abo.wanadoo.fr:2304
    > ftp connection attempt from ALyon-201-1-6-98.abo.wanadoo.fr:3620
    > ftp connection attempt from ABrest-101-1-4-4.abo.wanadoo.fr:3858
    > ftp connection attempt from ALagny-101-1-6-165.abo.wanadoo.fr:4526
    > ftp connection attempt from ALille-101-1-2-251.abo.wanadoo.fr:1025
    > ftp connection attempt from ABesancon-101-1-4-78.abo.wanadoo.fr:3884
    >
    > This should all but confirm the fact that it's some sort of script... hope
    > that helps...
    >
    > loon
    
    
    The naming scheme for wanadoo domains is
    A`location name`-x-y-z-t.abo.wanadoo.fr
    where x seems to be a three-digit name (I don't know what it means)
          y seems to be a one-digit name (I've never seen other than 1)
          z seems to be the number of the class C used for this location
          t seems to be the last IP number
    location is a city name, except for Paris where it is divided into regions
    of the town.
    
    What I want to say is that the attacks seem to come from very different
    places in France. It may be a very well coordinated large-scale cracker
    group. But it's far more probable that the attacks come from compromised
    machines or from spoofed IPs, and that the attacker doesn't like wanadoo.
    
    
    -- 
    Philippe Biondi <pbi@cartel-info.fr>    Cartel Informatique
    Security Consultant/R&D                 http://www.cartel-info.fr
    Phone: +33 1 44 06 97 94                Fax: +33 1 44 06 97 99
    PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
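The hostname scheme described in the reply, turned into a small triage script that parses the quoted "ftp connection attempt" log lines and counts hits per location and per class C. This is an added example, not code from the thread; the sample log is constructed from the lines loon quoted plus two extra lines, and the hostname regex is an assumption based on the description above.

```python
import re
from collections import Counter

# Constructed sample log, in the format quoted in the thread. The last two
# lines are added: a second Lyon host and a non-wanadoo source.
SAMPLE_LOG = """\
ftp connection attempt from AReims-101-1-4-54.abo.wanadoo.fr:3165
ftp connection attempt from AToulouse-201-1-2-235.abo.wanadoo.fr:2304
ftp connection attempt from ALyon-201-1-6-98.abo.wanadoo.fr:3620
ftp connection attempt from ABrest-101-1-4-4.abo.wanadoo.fr:3858
ftp connection attempt from ALagny-101-1-6-165.abo.wanadoo.fr:4526
ftp connection attempt from ALille-101-1-2-251.abo.wanadoo.fr:1025
ftp connection attempt from ABesancon-101-1-4-78.abo.wanadoo.fr:3884
ftp connection attempt from ALyon-201-1-6-99.abo.wanadoo.fr:3621
ftp connection attempt from 203.0.113.7:40001
"""

LOG_RE = re.compile(r"^ftp connection attempt from (?P<host>\S+):(?P<port>\d+)$")
# Assumed hostname layout A<location>-x-y-z-t.abo.wanadoo.fr as described above.
HOST_RE = re.compile(
    r"^A(?P<location>[A-Za-z]+)-(?P<x>\d{3})-(?P<y>\d)-(?P<z>\d+)-(?P<t>\d{1,3})"
    r"\.abo\.wanadoo\.fr$"
)


def parse_line(line):
    """Return host, port and (if the host matches the wanadoo scheme) its
    decomposed fields; None for lines that are not connection attempts."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"host": m["host"], "port": int(m["port"]), "wanadoo": None}
    h = HOST_RE.match(m["host"])
    if h:
        rec["wanadoo"] = {k: (v if k == "location" else int(v))
                          for k, v in h.groupdict().items()}
    return rec


def summarize(log_text):
    """Count attempts per location and per (location, x, y, z) class C, so a
    triager can see whether hits are spread over many regions or cluster."""
    per_location, per_class_c, unmatched = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        w = rec["wanadoo"]
        if w is None:
            unmatched.append(rec["host"])  # not a wanadoo host, keep for review
            continue
        per_location[w["location"]] += 1
        per_class_c[(w["location"], w["x"], w["y"], w["z"])] += 1
    return {"per_location": per_location, "per_class_c": per_class_c,
            "unmatched": unmatched}
```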
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 16:07:11 PST