According to the Ripe.net (european whois server) this company owns the following subnet, 193.252.19.x -- 193.252.21.255. SO if he blocks this subnet range, he should not have any problems with that ISP. Here is some additional contact info for wanadoo.fr inetnum: 193.252.19.0 - 193.252.21.255 netname: FR-WANADOO descr: France Telecom Interactive / Wanadoo country: FR admin-c: WITR1-RIPE tech-c: WITR1-RIPE status: ASSIGNED PA remarks: for hacking, spamming or security problems send mail to remarks: postmasterat_private AND abuseat_private remarks: for ANY problem send mail to gestionip.ftat_private mnt-by: FT-BRX changed: nocat_private 19990129 changed: Patrice.Robertat_private 19990219 changed: nocat_private 19990427 changed: addr-regat_private 19990506 changed: gestionip.ftat_private 20000626 changed: gestionip.ftat_private 20010117 source: RIPE route: 193.252.0.0/18 descr: France Telecom descr: FTI origin: AS3215 mnt-by: FT-BRX changed: gestionip.ftat_private 20001018 source: RIPE role: Wanadoo Interactive Technical Role address: WANADOO INTERACTIVE address: 48 rue Camille Desmoulins address: 92791 ISSY LES MOULINEAUX CEDEX 9 address: FR phone: +33 1 58 88 50 00 e-mail: abuseat_private e-mail: postmasterat_private admin-c: FTI-RIPE tech-c: TEFS1-RIPE nic-hdl: WITR1-RIPE notify: gestionip.ftat_private mnt-by: FT-BRX changed: gestionip.ftat_private 20010504 changed: gestionip.ftat_private 20010912 changed: gestionip.ftat_private 20011204 source: RIPE -----Original Message----- From: Aaron Wolfe [mailto:aaronat_private] Sent: Monday, December 17, 2001 1:00 PM To: incidentsat_private Subject: FTP scans from wanadoo.fr hello, for some time (weeks if not months) several of our remote offices have been logging connects attempts to port 21 from various ips that resolve to (something).wanadoo.fr. since we have firewalls on many different networks from several providers all logging these attempts, i'm fairly sure this is a script randomly scanning ips. I even put up an FTP server on one box to see what would happen if port 21 was open, it attempted to login as anonymous but I didn't let it go any further. I have made many attempts to contact Wanadoo regarding this. I have sent them logs and friendly messages asking if there is anything I can do to help or if they would like more information. Despite sending at least 5 messages over the last several weeks, I have never received any response at all. I have started gathering IPs and just blocking the networks as wanadoo seems to be a french ISP with nothing of interest to any our our offices. but obviously I'd like to be as specific as possible when passing out null routes. My questions, has anyone else noticed this? I am almost certain others have. But more importantly, is there an easy way for me to find out all the networks that belong to wanadoo so I can just block them all rather than waiting for a connection from a host in each network? Sorry if that's a dumb question, i am kind of new to this. (many thanks to this list! i have learned alot!) Oh, and am I over reacting here? I know these probes happen all the time, but when they happen at all 20+ of our sites coming from the same network for several weeks... ? -aaron Patrick Gray Manager, Internet Threat Intelligence Center X-Force, MSS Special Operations Group Internet Security Systems 6303 Barfield Road Atlanta, GA 30328 404.236.2924 - tel 404.271.9911 - cell pgrayat_private Internet Security Systems - The Power to Protect www.iss.net ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 16:11:15 PST