Re: FTP scans from wanadoo.fr
From: Mike V (mnv@alumni.princeton.edu)Date: 12/17/01
- Previous message: Todd Suiter: "Re: FTP scans from wanadoo.fr"
- In reply to: Aaron Wolfe: "FTP scans from wanadoo.fr"
- Next in thread: Jose Nazario: "Re: FTP scans from wanadoo.fr"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Mike V" <mnv@alumni.princeton.edu> To: <aaron@aaronwolfe.com>, <incidents@securityfocus.com> Date: Mon, 17 Dec 2001 13:59:12 -0700
Incidents.org is a daily read for me:
http://www.incidents.org/diary.php?id=113
Yes, it's widespread, and you are not alone, I see the scans as well.
----- Original Message -----
From: "Aaron Wolfe" <aaron@aaronwolfe.com>
To: <incidents@securityfocus.com>
Sent: Monday, December 17, 2001 10:59 AM
Subject: FTP scans from wanadoo.fr
>
> hello,
>
> for some time (weeks if not months) several of our remote offices have
been
> logging connects attempts to port 21 from various ips that resolve to
> (something).wanadoo.fr. since we have firewalls on many different
networks
> from several providers all logging these attempts, i'm fairly sure this is
a
> script randomly scanning ips. I even put up an FTP server on one box to
see
> what would happen if port 21 was open, it attempted to login as anonymous
> but I didn't let it go any further.
>
> I have made many attempts to contact Wanadoo regarding this. I have sent
> them logs and friendly messages asking if there is anything I can do to
help
> or if they would like more information. Despite sending at least 5
messages
> over the last several weeks, I have never received any response at all.
>
> I have started gathering IPs and just blocking the networks as wanadoo
seems
> to be a french ISP with nothing of interest to any our our offices. but
> obviously I'd like to be as specific as possible when passing out null
> routes.
>
> My questions, has anyone else noticed this? I am almost certain others
> have. But more importantly, is there an easy way for me to find out all
the
> networks that belong to wanadoo so I can just block them all rather than
> waiting for a connection from a host in each network? Sorry if that's a
> dumb question, i am kind of new to this. (many thanks to this list! i
have
> learned alot!) Oh, and am I over reacting here? I know these probes
happen
> all the time, but when they happen at all 20+ of our sites coming from the
> same network for several weeks... ?
>
> -aaron
>
>
> --------------------------------------------------------------------------
-- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > >---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Previous message: Todd Suiter: "Re: FTP scans from wanadoo.fr"
- In reply to: Aaron Wolfe: "FTP scans from wanadoo.fr"
- Next in thread: Jose Nazario: "Re: FTP scans from wanadoo.fr"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
