FTP scans from wanadoo.fr

From: Gray, Patrick (ISS Atlanta) (PGrayat_private)
Date: Mon Dec 17 2001 - 16:04:47 PST


    According to the Ripe.net (European whois server) this company owns the
    following subnet, 193.252.19.x -- 193.252.21.255. So if he blocks this
    subnet range, he should not have any problems with that ISP.
    
    Here is some additional contact info for wanadoo.fr
    
    inetnum:      193.252.19.0 - 193.252.21.255
    netname:      FR-WANADOO
    descr:        France Telecom Interactive / Wanadoo
    country:      FR
    admin-c:      WITR1-RIPE
    tech-c:       WITR1-RIPE
    status:       ASSIGNED PA
    remarks:      for hacking, spamming or security problems send mail to
    remarks:      postmasterat_private AND abuseat_private
    remarks:      for ANY problem send mail to gestionip.ftat_private
    mnt-by:       FT-BRX
    changed:      nocat_private 19990129
    changed:      Patrice.Robertat_private 19990219
    changed:      nocat_private 19990427
    changed:      addr-regat_private 19990506
    changed:      gestionip.ftat_private 20000626
    changed:      gestionip.ftat_private 20010117
    source:       RIPE
    
    route:        193.252.0.0/18
    descr:        France Telecom
    descr:        FTI
    origin:       AS3215
    mnt-by:       FT-BRX
    changed:      gestionip.ftat_private 20001018
    source:       RIPE
    
    role:         Wanadoo Interactive Technical Role
    address:      WANADOO INTERACTIVE
    address:      48 rue Camille Desmoulins
    address:      92791 ISSY LES MOULINEAUX CEDEX 9
    address:      FR
    phone:        +33 1 58 88 50 00
    e-mail:       abuseat_private
    e-mail:       postmasterat_private
    admin-c:      FTI-RIPE
    tech-c:       TEFS1-RIPE
    nic-hdl:      WITR1-RIPE
    notify:       gestionip.ftat_private
    mnt-by:       FT-BRX
    changed:      gestionip.ftat_private 20010504
    changed:      gestionip.ftat_private 20010912
    changed:      gestionip.ftat_private 20011204
    source:       RIPE
    
    
    -----Original Message-----
    From: Aaron Wolfe [mailto:aaronat_private]
    Sent: Monday, December 17, 2001 1:00 PM
    To: incidentsat_private
    Subject: FTP scans from wanadoo.fr
    
    
    
    hello,
    
    for some time (weeks if not months) several of our remote offices have been
    logging connect attempts to port 21 from various ips that resolve to
    (something).wanadoo.fr.  since we have firewalls on many different networks
    from several providers all logging these attempts, i'm fairly sure this is a
    script randomly scanning ips.  I even put up an FTP server on one box to see
    what would happen if port 21 was open, it attempted to login as anonymous
    but I didn't let it go any further.
    
    I have made many attempts to contact Wanadoo regarding this.  I have sent
    them logs and friendly messages asking if there is anything I can do to help
    or if they would like more information.  Despite sending at least 5 messages
    over the last several weeks, I have never received any response at all.
    
    I have started gathering IPs and just blocking the networks as wanadoo seems
    to be a French ISP with nothing of interest to any of our offices.  but
    obviously I'd like to be as specific as possible when passing out null
    routes.
    
    My questions, has anyone else noticed this?  I am almost certain others
    have.  But more importantly, is there an easy way for me to find out all the
    networks that belong to wanadoo so I can just block them all rather than
    waiting for a connection from a host in each network?  Sorry if that's a
    dumb question, i am kind of new to this.  (many thanks to this list! i have
    learned a lot!)  Oh, and am I overreacting here?  I know these probes happen
    all the time, but when they happen at all 20+ of our sites coming from the
    same network for several weeks...  ?
    
    -aaron
    
    Patrick Gray
    Manager, Internet Threat Intelligence Center
    X-Force, MSS Special Operations Group
    Internet Security Systems
    6303 Barfield Road
    Atlanta, GA 30328
    404.236.2924 - tel
    404.271.9911 - cell
    pgrayat_private
    
    Internet Security Systems - The Power to Protect
    www.iss.net 
    
     
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
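
An added example, not part of the original messages: the `inetnum` range in the whois output above is not a single CIDR block, so it has to be split before it can go into a firewall rule or null route. The sketch below parses the `inetnum` and `route` lines, converts the range to exact CIDR blocks, and checks which announced route covers it. The function names are hypothetical and the sample text is constructed from lines quoted in the message.

```python
import ipaddress
import re

# Constructed sample: inetnum/route lines copied from the whois output quoted above.
WHOIS_TEXT = """\
inetnum:      193.252.19.0 - 193.252.21.255
netname:      FR-WANADOO
route:        193.252.0.0/18
origin:       AS3215
"""

def parse_whois(text):
    """Return (inetnum_ranges, route_prefixes) from RIPE-style 'key: value' lines."""
    ranges, routes = [], []
    for line in text.splitlines():
        m = re.match(r"\s*(inetnum|route):\s+(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "inetnum":
            first, last = (ipaddress.IPv4Address(p.strip()) for p in value.split("-"))
            ranges.append((first, last))
        else:
            routes.append(ipaddress.IPv4Network(value))
    return ranges, routes

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that covers first..last exactly."""
    return list(ipaddress.summarize_address_range(first, last))

def covering_routes(cidrs, routes):
    """Route prefixes that contain every block in cidrs."""
    return [r for r in routes if all(c.subnet_of(r) for c in cidrs)]

def block_report(text):
    """One dict per inetnum range: exact CIDRs, address count, covering routes."""
    ranges, routes = parse_whois(text)
    report = []
    for first, last in ranges:
        cidrs = range_to_cidrs(first, last)
        report.append({
            "range": f"{first} - {last}",
            "cidrs": [str(c) for c in cidrs],
            "addresses": sum(c.num_addresses for c in cidrs),
            "covered_by": [str(r) for r in covering_routes(cidrs, routes)],
        })
    return report

if __name__ == "__main__":
    for entry in block_report(WHOIS_TEXT):
        print(entry)
```

The registered range comes to 768 addresses, while the covering /18 route spans 16384, so a block on the route prefix is much wider than a block on the `inetnum` alone.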
    



    This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 16:11:15 PST