These are Server-farms used by an audiogalaxy application. Essentially, they are trying to find writable ftp-servers on the net and trying to load illegal mp3s on your servers if it is found to have anonymous ftp enabled. It is an automated application. Don't bother contacting the ISP. They are doing it intentionally, and will ignore your mails. Just block the whole domain. And disable anonymous-ftp of course.

Regards,
Abhi

----- Original Message -----
From: "Jon Nelson" <quincyat_private>
To: "Hugo van der Kooij" <hvdkooijat_private>
Cc: <incidentsat_private>
Sent: Tuesday, June 04, 2002 4:14 AM
Subject: Re: scanning from WANADOO-CABLE-BD

> My ftp server has been getting probed to see if it accepts anonymous uploads
> from ftp@.*wanadoo.fr. Specifically:
>
> 217.128.209.122
> 80.13.216.42
> 80.13.237.189
> 217.128.235.25
>
> It appears to be a script checking:
>
> /images/:
> /_private/:
> /cgi-bin/:
> /usr/:
> /usr/incoming/:
> /home/:
> /public/:
> /pub/incoming/:
> /incoming/:
> /_vti_pvt/:
> /upload/:
> /home/:
> /temp/:
> /wwwroot/:
> /cgi-bin/:
> /cgibin/:
> /in/:
> /_vti_cnf/:
> /_vti_txt/:
> /_vti_log/:
> /anonymous/:
> /outgoing/:
> /tmp/:
> /mailroot/:
> /ftproot/:
> /images/:
> /_private/:
> /usr/:
> /public/incoming/:
> /anonymous/_vti_pvt/:
> /anonymous/incoming/:
> /anonymous/pub/:
> /anonymous/public/:
> /usr/incoming/:
>
> On 02/06/02 20:16 +0200, Hugo van der Kooij wrote:
> > Hi,
> >
> > Did others notice intensive scans from:
> > inetnum: 213.17.86.0 - 213.17.89.255
> > netname: WANADOO-CABLE-BD
> > as well?
> >
> >
> > Hugo.
> >
> > --
> > All email send to me is bound to the rules described on my homepage.
> > hvdkooijat_private http://hvdkooij.xs4all.nl/
> > Don't meddle in the affairs of sysadmins,
> > for they are subtle and quick to anger.
> >
> >
> > -------------------------------------------------------------------------- --
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
>
> --
> ----------------NOTE NEW EMAIL ADDRESS---------------------
> Trooper Jon S. NELSON, Linux Certified Admin. (Sair/GNU)
> Pennsylvania State Police, Computer Crimes Unit
> Office: 610-344-4471
> Page: 866-284-1603 (Toll Free)
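
A log check for the probing pattern described in this thread, as an added example that is not part of the original messages: it flags anonymous FTP clients that walk several of the directories listed above, and any anonymous MKD/STOR that succeeded. The log layout, the name `find_upload_probes`, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Subset of the directories the scanner in this thread was seen checking.
PROBED_DIRS = {
    "/incoming", "/pub/incoming", "/public/incoming", "/usr/incoming",
    "/anonymous/incoming", "/upload", "/tmp", "/temp", "/outgoing", "/in",
    "/_vti_pvt", "/_vti_cnf", "/_vti_txt", "/_vti_log", "/cgi-bin",
    "/wwwroot", "/ftproot", "/mailroot",
}
ANON_USERS = {"anonymous", "ftp"}

# Assumed log layout, constructed for this example (not a real daemon's format):
#   <timestamp> <client ip> <user> <FTP command> <argument> <final reply code>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (CWD|MKD|STOR) (\S+) (\d{3})$")

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
2002-06-04T04:01:10 192.0.2.10 anonymous CWD /incoming/ 550
2002-06-04T04:01:10 192.0.2.10 anonymous CWD /pub/incoming/ 550
2002-06-04T04:01:11 192.0.2.10 anonymous CWD /_vti_pvt/ 550
2002-06-04T04:01:11 192.0.2.10 anonymous CWD /upload/ 250
2002-06-04T04:01:12 192.0.2.10 anonymous MKD /upload/020604 257
2002-06-04T04:01:12 192.0.2.10 anonymous CWD /tmp/ 550
2002-06-04T04:06:00 198.51.100.7 alice STOR /home/alice/report.txt 226
""".splitlines()

def find_upload_probes(lines, min_dirs=5):
    """Flag anonymous clients probing >= min_dirs listed dirs or completing MKD/STOR."""
    dirs, writes = defaultdict(set), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(3).lower() not in ANON_USERS:
            continue
        _ts, ip, _user, cmd, arg, code = m.groups()
        path = "/" + arg.strip("/")  # normalise "/incoming/" and "incoming"
        if cmd == "CWD" and path in PROBED_DIRS:
            dirs[ip].add(path)  # count the attempt whether or not it succeeded
        elif cmd in ("MKD", "STOR") and code.startswith("2"):
            writes[ip].append((cmd, arg))  # an anonymous write went through
    return {
        ip: {"dirs": sorted(dirs[ip]), "writes": writes[ip]}
        for ip in set(dirs) | set(writes)
        if len(dirs[ip]) >= min_dirs or writes[ip]
    }

if __name__ == "__main__":
    for ip, hit in find_upload_probes(SAMPLE_LOG).items():
        print(ip, "probed", hit["dirs"], "writes", hit["writes"])
```

A non-empty `writes` entry means the server accepted an anonymous upload or directory creation, so that path should be checked for deposited files and anonymous write access removed.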
This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 10:33:07 PDT