All of these were 'Suspicious connections' to Trustix FTP Site... if you take a look, at least one matches the ones reported by loon.
Take a quick look at the e-mail addresses provided when logging in as Anonymous.

connection from ATours-101-1-2-156.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM ATours-101-1-2-156.abo.wanadoo.fr, Ggpuserat_private
connection from AMontsouris-101-1-5-217.abo.wanadoo.fr
FTP LOGIN FAILED FROM AMontsouris-101-1-5-217.abo.wanadoo.fr, anonymousat_private
connection from AMontsouris-101-1-5-217.abo.wanadoo.fr
FTP LOGIN FAILED FROM AMontsouris-101-1-5-217.abo.wanadoo.fr, anonymousat_private
connection from AMontsouris-101-1-5-217.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM AMontsouris-101-1-5-217.abo.wanadoo.fr, Wgpuserat_private
connection from AToulon-101-1-3-138.abo.wanadoo.fr
connection from AToulon-101-1-3-138.abo.wanadoo.fr
connection from AToulon-101-1-3-138.abo.wanadoo.fr
connection from AToulon-101-1-3-138.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM AToulon-101-1-3-138.abo.wanadoo.fr, Xgpuserat_private
connection from ANeuilly-105-1-3-71.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM ANeuilly-105-1-3-71.abo.wanadoo.fr, Dgpuserat_private
connection from ARouen-101-1-3-215.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM ARouen-101-1-3-215.abo.wanadoo.fr, Tgpuserat_private
connection from AOrleans-102-1-1-138.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM AOrleans-102-1-1-138.abo.wanadoo.fr, anonymous
connection from ARouen-101-1-3-215.abo.wanadoo.fr
connection from AOrleans-102-1-1-138.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM AOrleans-102-1-1-138.abo.wanadoo.fr, Jgpuserat_private
connection from ABordeaux-102-1-4-68.abo.wanadoo.fr
FTP LOGIN FAILED FROM ABordeaux-102-1-4-68.abo.wanadoo.fr, anonymousat_private
connection from ALille-101-1-4-61.abo.wanadoo.fr

On Tue, 2001-12-18 at 00:22, loon wrote:
> Hello,
> I'm sure you are all seeing this, but, i have noticed a bit of a pattern
> to all this, every hit i get starts with the A....i.e.:
>
> ftp connection attempt from AReims-101-1-4-54.abo.wanadoo.fr:3165
> ftp connection attempt from AToulouse-201-1-2-235.abo.wanadoo.fr:2304
> ftp connection attempt from ALyon-201-1-6-98.abo.wanadoo.fr:3620
> ftp connection attempt from ABrest-101-1-4-4.abo.wanadoo.fr:3858
> ftp connection attempt from ALagny-101-1-6-165.abo.wanadoo.fr:4526
> ftp connection attempt from ALille-101-1-2-251.abo.wanadoo.fr:1025
> ftp connection attempt from ABesancon-101-1-4-78.abo.wanadoo.fr:3884
>
> this should all but confirm the fact that it's some sort of script...hope
> that helps...
>
> loon
>
> On Mon, 2001-12-17 at 11:59, Aaron Wolfe wrote:
> >
> > hello,
> >
> > for some time (weeks if not months) several of our remote offices have been
> > logging connect attempts to port 21 from various ips that resolve to
> > (something).wanadoo.fr. since we have firewalls on many different networks
> > from several providers all logging these attempts, i'm fairly sure this is a
> > script randomly scanning ips. I even put up an FTP server on one box to see
> > what would happen if port 21 was open, it attempted to login as anonymous
> > but I didn't let it go any further.
> >
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

--
/*
 Rodrigo Gutierrez <rodrigoat_private>
 Trustix AS - http://www.trustix.com
*/
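The pattern reported in this thread (many distinct hosts under one ISP domain, each logging in anonymously with a password of one capital letter followed by "gpuser") can be pulled out of an FTP log mechanically. The Python below is an added example, not part of the original posts; its log lines are constructed in the format quoted above, and the host names, the `example.net`/`example.invalid` addresses and the `min_hosts` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the message format quoted in the thread
# (hosts and addresses are made up; example.* names are placeholders).
SAMPLE_LOG = """\
connection from AAlpha-101-1-2-10.abo.example.net
ANONYMOUS FTP LOGIN FROM AAlpha-101-1-2-10.abo.example.net, Ggpuser@example.invalid
connection from ABravo-101-1-5-20.abo.example.net
FTP LOGIN FAILED FROM ABravo-101-1-5-20.abo.example.net, anonymous@example.invalid
ANONYMOUS FTP LOGIN FROM ABravo-101-1-5-20.abo.example.net, Wgpuser@example.invalid
connection from ACharlie-102-1-1-30.abo.example.net
ANONYMOUS FTP LOGIN FROM ACharlie-102-1-1-30.abo.example.net, Xgpuser@example.invalid
connection from mirror.example.org
ANONYMOUS FTP LOGIN FROM mirror.example.org, alice@example.org
"""

EVENT = re.compile(
    r"^(?P<kind>connection from|ANONYMOUS FTP LOGIN FROM|FTP LOGIN FAILED FROM)\s+"
    r"(?P<host>[^\s,]+)(?:,\s*(?P<ident>\S+))?\s*$")
# One capital letter + "gpuser": the shape of the anonymous passwords in the thread.
TEMPLATE = re.compile(r"^[A-Z]gpuser")

def parse(log):
    """Yield (kind, host, ident) for every line that matches a known event."""
    for line in log.splitlines():
        m = EVENT.match(line.strip())
        if m:
            yield m["kind"], m["host"].lower(), m["ident"]

def scripted_sources(log, min_hosts=3):
    """Return {domain: sorted hosts} where >= min_hosts distinct hosts in one
    parent domain logged in anonymously with a template-shaped password."""
    by_domain = defaultdict(set)
    for kind, host, ident in parse(log):
        if kind == "ANONYMOUS FTP LOGIN FROM" and ident and TEMPLATE.match(ident):
            # Group on everything after the first label (the per-customer part).
            domain = host.split(".", 1)[1] if "." in host else host
            by_domain[domain].add(host)
    return {d: sorted(h) for d, h in by_domain.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for domain, hosts in scripted_sources(SAMPLE_LOG).items():
        print(f"{domain}: {len(hosts)} hosts share the password template")
        for h in hosts:
            print("  ", h)
```

Grouping on the parent domain rather than the single host is what surfaces the campaign: each source appears only once or twice, so per-host thresholds never trip.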
This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 09:40:57 PST