Re: scanning from WANADOO-CABLE-BD

From: Abhi (abhi_sriat_private)
Date: Tue Jun 04 2002 - 08:21:53 PDT


    These are server farms used by an Audiogalaxy application. Essentially, they
    are trying to find writable ftp-servers on the net and trying to load
    illegal mp3s on your servers if they are found to have anonymous ftp enabled.
    It is an automated application.
    
    Don't bother contacting the ISP. They are doing it intentionally, and will
    ignore your mails.
    Just block the whole domain.
    And disable anonymous-ftp of course.
    
    Regards,
    Abhi
    
    
    ----- Original Message -----
    From: "Jon Nelson" <quincyat_private>
    To: "Hugo van der Kooij" <hvdkooijat_private>
    Cc: <incidentsat_private>
    Sent: Tuesday, June 04, 2002 4:14 AM
    Subject: Re: scanning from WANADOO-CABLE-BD
    
    
    > My ftp server has been getting probed to see if it accepts anonymous
    > uploads from ftp@.*wanadoo.fr.  Specifically:
    >
    >   217.128.209.122
    >   80.13.216.42
    >   80.13.237.189
    >   217.128.235.25
    >
    > It appears to be a script checking:
    >
    > /images/:
    > /_private/:
    > /cgi-bin/:
    > /usr/:
    > /usr/incoming/:
    > /home/:
    > /public/:
    > /pub/incoming/:
    > /incoming/:
    > /_vti_pvt/:
    > /upload/:
    > /home/:
    > /temp/:
    > /wwwroot/:
    > /cgi-bin/:
    > /cgibin/:
    > /in/:
    > /_vti_cnf/:
    > /_vti_txt/:
    > /_vti_log/:
    > /anonymous/:
    > /outgoing/:
    > /tmp/:
    > /mailroot/:
    > /ftproot/:
    > /images/:
    > /_private/:
    > /usr/:
    > /public/incoming/:
    > /anonymous/_vti_pvt/:
    > /anonymous/incoming/:
    > /anonymous/pub/:
    > /anonymous/public/:
    > /usr/incoming/:
    >
    > On 02/06/02 20:16 +0200, Hugo van der Kooij wrote:
    > > Hi,
    > >
    > > Did others notice intensive scans from:
    > > inetnum:      213.17.86.0 - 213.17.89.255
    > > netname:      WANADOO-CABLE-BD
    > > as well?
    > >
    > >
    > > Hugo.
    > >
    > > --
    > > All email send to me is bound to the rules described on my homepage.
    > >     hvdkooijat_private http://hvdkooij.xs4all.nl/
    > >     Don't meddle in the affairs of sysadmins,
    > >     for they are subtle and quick to anger.
    > >
    > >
    >
    > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com
    >
    > --
    > ----------------NOTE NEW EMAIL ADDRESS---------------------
    > Trooper Jon S. NELSON, Linux Certified Admin. (Sair/GNU)
    > Pennsylvania State Police, Computer Crimes Unit
    > Office:  610-344-4471
    > Page:  866-284-1603 (Toll Free)
    >
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 10:33:07 PDT
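
Added example, not part of the original thread: one way to spot the probing pattern described in the quoted message (an anonymous login walking a list of upload-style directories) in server-side FTP command logs, and to tell whether any write was accepted. The log format, the threshold and the sample lines are constructed assumptions; the directory names are a subset of the list in the post.

```python
from collections import defaultdict

# Upload-style directories from the list in the quoted post (a subset).
PROBED_DIRS = {
    "/incoming", "/pub/incoming", "/public/incoming", "/usr/incoming",
    "/upload", "/tmp", "/temp", "/_vti_pvt", "/_vti_cnf", "/anonymous/incoming",
}
ANON_USERS = {"ftp", "anonymous"}
WRITE_CMDS = {"MKD", "STOR"}  # FTP commands that create content on the server

# Constructed sample log in a hypothetical format (not any real daemon's):
# time client_ip user command path reply_code
SAMPLE_LOG = """\
2002-06-04T04:01:10 192.0.2.10 ftp CWD /incoming/ 550
2002-06-04T04:01:11 192.0.2.10 ftp CWD /pub/incoming/ 250
2002-06-04T04:01:11 192.0.2.10 ftp MKD /pub/incoming/020604/ 257
2002-06-04T04:01:12 192.0.2.10 ftp CWD /_vti_pvt/ 550
2002-06-04T04:01:12 192.0.2.10 ftp CWD /upload/ 550
2002-06-04T04:01:13 192.0.2.10 ftp CWD /tmp/ 550
2002-06-04T04:02:00 198.51.100.7 anonymous CWD /pub/ 250
2002-06-04T04:02:05 198.51.100.7 anonymous RETR /pub/README 226
2002-06-04T04:03:00 203.0.113.5 alice STOR /upload/report.txt 226
"""

def find_upload_probes(log_text, min_dirs=4):
    """Flag anonymous clients that touch >= min_dirs distinct probed directories.
    Returns {client_ip: {"dirs": [...], "writes_ok": [...]}}; a non-empty
    "writes_ok" means the server accepted an anonymous write and needs cleanup."""
    dirs = defaultdict(set)
    writes_ok = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip lines that do not fit the assumed format
        _, ip, user, cmd, path, reply = fields
        if user.lower() not in ANON_USERS:
            continue  # authenticated users are out of scope here
        norm = "/" + path.strip("/")
        # Match the directory itself or anything beneath it.
        hit = next((d for d in PROBED_DIRS
                    if norm == d or norm.startswith(d + "/")), None)
        if hit is None:
            continue
        dirs[ip].add(hit)
        if cmd.upper() in WRITE_CMDS and reply.startswith("2"):
            writes_ok[ip].append(norm)  # 2xx reply: the write succeeded
    return {ip: {"dirs": sorted(d), "writes_ok": writes_ok[ip]}
            for ip, d in dirs.items() if len(d) >= min_dirs}
```

Calling `find_upload_probes(SAMPLE_LOG)` flags only the first constructed client; the ordinary anonymous download and the authenticated upload are ignored.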