Re: FTP scans from wanadoo.fr

From: russell (R.FULTON@auckland.ac.nz)
Date: 12/17/01

• Previous message: SunTrix Com Management: "RE: FTP scans from wanadoo.fr"
• In reply to: Aaron Wolfe: "FTP scans from wanadoo.fr"
• Next in thread: Steve: "Re: FTP scans from wanadoo.fr"
• Next in thread: loon: "Re: FTP scans from wanadoo.fr"
• Reply: Steve: "Re: FTP scans from wanadoo.fr"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: russell <R.FULTON@auckland.ac.nz>
To: aaron@aaronwolfe.com
Date: 18 Dec 2001 11:49:08 +1300

On Tue, 2001-12-18 at 06:59, Aaron Wolfe wrote:
>
> hello,
>
> for some time (weeks if not months) several of our remote offices have been
> logging connects attempts to port 21 from various ips that resolve to
> (something).wanadoo.fr. since we have firewalls on many different networks
> from several providers all logging these attempts, i'm fairly sure this is a
> script randomly scanning ips. I even put up an FTP server on one box to see
> what would happen if port 21 was open, it attempted to login as anonymous
> but I didn't let it go any further.

I've been wondering when someone would start complaining about wanadoo.
I have been reporting two or three ftp scans a day for months! Let's
hope that they actually do something about it now.

Not far behind wanadoo.fr is t-online.de (which I believe is a large
German ISP). I am seeing about five ftp scans a week from t-online.de,
all are reported to their abuse address.

Does anyone have any contacts who might ba able to get some real action
on this issue?

Cheers, Russell

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: SunTrix Com Management: "RE: FTP scans from wanadoo.fr"
• In reply to: Aaron Wolfe: "FTP scans from wanadoo.fr"
• Next in thread: Steve: "Re: FTP scans from wanadoo.fr"
• Next in thread: loon: "Re: FTP scans from wanadoo.fr"
• Reply: Steve: "Re: FTP scans from wanadoo.fr"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages RE: Telnet/ftp problems SBS2000 ... Please make sure your client computers are configured as both Firewall ... will find two options "Enable folder view for FTP sites" and "Use Passive ... that the control connection has been successfully established, ... (other than port 21) ... (microsoft.public.windows.server.sbs) FTP transfer port ... FTP transfer port ... the FTP server "listens" for client connections on its port 21. ... it will establish a separate control connection and data connection with ... (bit.listserv.ibm-main) Re: Hacked? External address knocks on internal private address... ... The important part of your message is that FTP is allowed out... ... You open a connection to an FTP Server and logon. ... When you ask the server for a file the server issues a "PORT" command ... so it can open a port on the firewall to allow the incoming Data ... (comp.security.firewalls) Re: Question: FTP via alternate port ... The problem with FTP is that it requires two ports to operate. ... FTP command stream in order to dynamically open that port for the data ... Ideally the attacker would want to upload another tool onto the ... (Pen-Test) Re: Internet Explorer Keeps Timing out on FTP ... > This is a problem with the FTP client. ... When the PORT command is used, the FTP client is asking the FTP server to ... (microsoft.public.inetserver.iis.ftp)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2001-12