Re: FTP scans from wanadoo.fr

From: Replugge [Rod] (repluggeat_private)
Date: Mon Dec 17 2001 - 22:32:44 PST


    All of these were 'Suspicious connections' to the Trustix FTP site... if you
    take a look, at least one matches the ones reported by loon. Take a
    quick look at the e-mail addresses provided when logging in as Anonymous.
      
    
    connection from ATours-101-1-2-156.abo.wanadoo.fr
    ANONYMOUS FTP LOGIN FROM ATours-101-1-2-156.abo.wanadoo.fr,
    Ggpuserat_private
    connection from AMontsouris-101-1-5-217.abo.wanadoo.fr
    FTP LOGIN FAILED FROM AMontsouris-101-1-5-217.abo.wanadoo.fr,
    anonymousat_private
    connection from AMontsouris-101-1-5-217.abo.wanadoo.fr
    FTP LOGIN FAILED FROM AMontsouris-101-1-5-217.abo.wanadoo.fr,
    anonymousat_private
    connection from AMontsouris-101-1-5-217.abo.wanadoo.fr
    ANONYMOUS FTP LOGIN FROM AMontsouris-101-1-5-217.abo.wanadoo.fr,
    Wgpuserat_private
    connection from AToulon-101-1-3-138.abo.wanadoo.fr
    connection from AToulon-101-1-3-138.abo.wanadoo.fr
    connection from AToulon-101-1-3-138.abo.wanadoo.fr
    connection from AToulon-101-1-3-138.abo.wanadoo.fr
    ANONYMOUS FTP LOGIN FROM AToulon-101-1-3-138.abo.wanadoo.fr,
    Xgpuserat_private
    connection from ANeuilly-105-1-3-71.abo.wanadoo.fr
    ANONYMOUS FTP LOGIN FROM ANeuilly-105-1-3-71.abo.wanadoo.fr,
    Dgpuserat_private
    connection from ARouen-101-1-3-215.abo.wanadoo.fr
    ANONYMOUS FTP LOGIN FROM ARouen-101-1-3-215.abo.wanadoo.fr,
    Tgpuserat_private
    connection from AOrleans-102-1-1-138.abo.wanadoo.fr
    ANONYMOUS FTP LOGIN FROM AOrleans-102-1-1-138.abo.wanadoo.fr, anonymous
    connection from ARouen-101-1-3-215.abo.wanadoo.fr
    connection from AOrleans-102-1-1-138.abo.wanadoo.fr
    ANONYMOUS FTP LOGIN FROM AOrleans-102-1-1-138.abo.wanadoo.fr,
    Jgpuserat_private
    connection from ABordeaux-102-1-4-68.abo.wanadoo.fr
    FTP LOGIN FAILED FROM ABordeaux-102-1-4-68.abo.wanadoo.fr,
    anonymousat_private
    connection from ALille-101-1-4-61.abo.wanadoo.fr
    
    
    
    
    On Tue, 2001-12-18 at 00:22, loon wrote:
    > Hello, 
    > I'm sure you are all seeing this, but I have noticed a bit of a pattern
    > to all this, every hit I get starts with the A....i.e.:
    > 
    > 
    > 
    > ftp connection attempt from AReims-101-1-4-54.abo.wanadoo.fr:3165
    > ftp connection attempt from AToulouse-201-1-2-235.abo.wanadoo.fr:2304
    > ftp connection attempt from ALyon-201-1-6-98.abo.wanadoo.fr:3620
    > ftp connection attempt from ABrest-101-1-4-4.abo.wanadoo.fr:3858
    > ftp connection attempt from ALagny-101-1-6-165.abo.wanadoo.fr:4526
    > ftp connection attempt from ALille-101-1-2-251.abo.wanadoo.fr:1025
    > ftp connection attempt from ABesancon-101-1-4-78.abo.wanadoo.fr:3884
    > 
    > this should all but confirm the fact that it's some sort of script...hope
    > that helps...
    > 
    > 
    > loon
    > 
    > 
    > On Mon, 2001-12-17 at 11:59, Aaron Wolfe wrote:
    > > 
    > > hello,
    > > 
    > > for some time (weeks if not months) several of our remote offices have been
    > > logging connection attempts to port 21 from various ips that resolve to
    > > (something).wanadoo.fr.  since we have firewalls on many different networks
    > > from several providers all logging these attempts, i'm fairly sure this is a
    > > script randomly scanning ips.  I even put up an FTP server on one box to see
    > > what would happen if port 21 was open, it attempted to login as anonymous
    > > but I didn't let it go any further.
    > > 
    > 
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    -- 
    
    
    --
    /* 
    Rodrigo Gutierrez <rodrigoat_private>
    Trustix AS - http://www.trustix.com 
    */
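
Added example, not part of the original post or any list member's code: a Python sketch that groups the FTP log messages quoted above by source host and flags the two patterns visible in them, an anonymous password made of one capital letter plus `gpuser`, and hosts that connect but never attempt a login. The function names and both heuristics are assumptions; the sample lines are taken from the post with the mail wrapping re-joined.

```python
import re
from collections import defaultdict

# Messages as quoted in the post, wrapped lines re-joined.
# "at_private" is the list archive's redaction of "@domain".
SAMPLE = """\
connection from ATours-101-1-2-156.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM ATours-101-1-2-156.abo.wanadoo.fr, Ggpuserat_private
connection from AMontsouris-101-1-5-217.abo.wanadoo.fr
FTP LOGIN FAILED FROM AMontsouris-101-1-5-217.abo.wanadoo.fr, anonymousat_private
ANONYMOUS FTP LOGIN FROM AMontsouris-101-1-5-217.abo.wanadoo.fr, Wgpuserat_private
connection from AOrleans-102-1-1-138.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM AOrleans-102-1-1-138.abo.wanadoo.fr, anonymous
ANONYMOUS FTP LOGIN FROM AOrleans-102-1-1-138.abo.wanadoo.fr, Jgpuserat_private
connection from ALille-101-1-4-61.abo.wanadoo.fr
"""

# search() is used so a leading syslog timestamp/daemon prefix is tolerated.
EVENT = re.compile(
    r"(?P<kind>connection from|ANONYMOUS FTP LOGIN FROM|FTP LOGIN FAILED FROM)"
    r"\s+(?P<host>[^\s,]+)(?:,\s*(?P<ident>\S+))?$")
KEY = {"connection from": "connections",
       "ANONYMOUS FTP LOGIN FROM": "logins",
       "FTP LOGIN FAILED FROM": "failed"}
# Heuristic (assumption): one capital letter + "gpuser" as the password local part.
SCRIPT_IDENT = re.compile(r"^[A-Z]gpuser(?:@|at_)")

def summarize(text):
    """Group events by lower-cased source host."""
    hosts = defaultdict(lambda: {"connections": 0, "logins": 0,
                                 "failed": 0, "idents": set()})
    for line in text.splitlines():
        m = EVENT.search(line.strip())
        if not m:
            continue  # not one of the three message types shown in the post
        rec = hosts[m["host"].lower()]
        rec[KEY[m["kind"]]] += 1
        if m["ident"]:
            rec["idents"].add(m["ident"])
    return dict(hosts)

def flag(hosts):
    """Return {host: [reasons]} for hosts matching either heuristic."""
    out = {}
    for host, rec in hosts.items():
        reasons = []
        if any(SCRIPT_IDENT.match(i) for i in rec["idents"]):
            reasons.append("scripted-ident")
        if rec["connections"] and not (rec["logins"] or rec["failed"]):
            reasons.append("connect-only")
        if reasons:
            out[host] = reasons
    return out
```
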
    
    
    



    This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 09:40:57 PST