Re: FTP scans from wanadoo.fr

From: Jose Nazario (jose@biocserver.BIOC.cwru.edu)
Date: 12/17/01 

Date: Mon, 17 Dec 2001 16:00:15 -0500 (EST)
From: Jose Nazario <jose@biocserver.BIOC.cwru.edu>
To: Aaron Wolfe <aaron@aaronwolfe.com>

On Mon, 17 Dec 2001, Aaron Wolfe wrote:

> I have made many attempts to contact Wanadoo regarding this.

heh .. good luck. wanadoo seems quite happy to be quiet about it. mayeb if
you phrase it in french ... i dunno.

whats amusing is that french copyright is extremely easy to enforce. maybe
if you approach it as a copyright matter (likely warez trading, possibly
ftpd exploit hopes thogh) they'll take it more seriously.

> My questions, has anyone else noticed this? I am almost certain
> others have. But more importantly, is there an easy way for me to
> find out all the networks that belong to wanadoo so I can just block
> them all rather than waiting for a connection from a host in each
> network? Sorry if that's a dumb question, i am kind of new to this.
> (many thanks to this list! i have learned alot!) Oh, and am I over
> reacting here? I know these probes happen all the time, but when they
> happen at all 20+ of our sites coming from the same network for
> several weeks... ?

you're certainly not alone. it can't hurt to block their access to ftp
(20, 21 tcp) at the door. blocking all access may be a bit too much,
imagine if you're overseas on business using a wanadoo.fr line ... your
site policy should be pretty strict anyhow for non-standard communications
(web, mail) ...

best of luck,

____________________________
jose nazario jose@cwru.edu
                           PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com