Re: FTP scans from wanadoo.fr

From: Replugge [Rod] (replugge@alcoholico.org)
Date: 12/18/01


From: "Replugge [Rod]" <replugge@alcoholico.org>
To: incidents@securityfocus.com
Date: 18 Dec 2001 07:32:44 +0100

All of these were 'Suspicious connections' to the Trustix FTP site... if you
take a look, at least one matches the ones reported by loon. Take a
quick look at the e-mail addresses provided when logging in as Anonymous.
  

connection from ATours-101-1-2-156.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM ATours-101-1-2-156.abo.wanadoo.fr,
Ggpuser@home.com
connection from AMontsouris-101-1-5-217.abo.wanadoo.fr
FTP LOGIN FAILED FROM AMontsouris-101-1-5-217.abo.wanadoo.fr,
anonymous@ftp.m
connection from AMontsouris-101-1-5-217.abo.wanadoo.fr
FTP LOGIN FAILED FROM AMontsouris-101-1-5-217.abo.wanadoo.fr,
anonymous@ftp.m
connection from AMontsouris-101-1-5-217.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM AMontsouris-101-1-5-217.abo.wanadoo.fr,
Wgpuser@home.com
connection from AToulon-101-1-3-138.abo.wanadoo.fr
connection from AToulon-101-1-3-138.abo.wanadoo.fr
connection from AToulon-101-1-3-138.abo.wanadoo.fr
connection from AToulon-101-1-3-138.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM AToulon-101-1-3-138.abo.wanadoo.fr,
Xgpuser@home.com
connection from ANeuilly-105-1-3-71.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM ANeuilly-105-1-3-71.abo.wanadoo.fr,
Dgpuser@home.com
connection from ARouen-101-1-3-215.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM ARouen-101-1-3-215.abo.wanadoo.fr,
Tgpuser@home.com
connection from AOrleans-102-1-1-138.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM AOrleans-102-1-1-138.abo.wanadoo.fr, anonymous
connection from ARouen-101-1-3-215.abo.wanadoo.fr
connection from AOrleans-102-1-1-138.abo.wanadoo.fr
ANONYMOUS FTP LOGIN FROM AOrleans-102-1-1-138.abo.wanadoo.fr,
Jgpuser@home.com
connection from ABordeaux-102-1-4-68.abo.wanadoo.fr
FTP LOGIN FAILED FROM ABordeaux-102-1-4-68.abo.wanadoo.fr,
anonymous@ftp.m
connection from ALille-101-1-4-61.abo.wanadoo.fr

On Tue, 2001-12-18 at 00:22, loon wrote:
> Hello,
> I'm sure you are all seeing this, but I have noticed a bit of a pattern
> to all this: every hit I get starts with the A....i.e.:
>
>
>
> ftp connection attempt from AReims-101-1-4-54.abo.wanadoo.fr:3165
> ftp connection attempt from AToulouse-201-1-2-235.abo.wanadoo.fr:2304
> ftp connection attempt from ALyon-201-1-6-98.abo.wanadoo.fr:3620
> ftp connection attempt from ABrest-101-1-4-4.abo.wanadoo.fr:3858
> ftp connection attempt from ALagny-101-1-6-165.abo.wanadoo.fr:4526
> ftp connection attempt from ALille-101-1-2-251.abo.wanadoo.fr:1025
> ftp connection attempt from ABesancon-101-1-4-78.abo.wanadoo.fr:3884
>
> this should all but confirm the fact that it's some sort of script...hope
> that helps...
>
>
> loon
>
>
> On Mon, 2001-12-17 at 11:59, Aaron Wolfe wrote:
> >
> > hello,
> >
> > for some time (weeks if not months) several of our remote offices have been
> > logging connection attempts to port 21 from various IPs that resolve to
> > (something).wanadoo.fr. Since we have firewalls on many different networks
> > from several providers all logging these attempts, I'm fairly sure this is a
> > script randomly scanning IPs. I even put up an FTP server on one box to see
> > what would happen if port 21 was open; it attempted to log in as anonymous
> > but I didn't let it go any further.
> >
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

-- 

-- /* Rodrigo Gutierrez <rodrigo@trustix.com> Trustix AS - http://www.trustix.com */
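
The anonymous-login password pattern visible in the log above can be checked mechanically. The following is an added example, not part of the original post: host names are constructed placeholders, and the `[A-Z]gpuser@home.com` signature is an assumption generalized from the entries shown in the message.

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown above; hosts are placeholders.
SAMPLE_LOG = """\
connection from host-a.example.net
ANONYMOUS FTP LOGIN FROM host-a.example.net,
Ggpuser@home.com
connection from host-b.example.net
FTP LOGIN FAILED FROM host-b.example.net,
anonymous@ftp.m
ANONYMOUS FTP LOGIN FROM host-b.example.net,
Wgpuser@home.com
ANONYMOUS FTP LOGIN FROM host-c.example.net, anonymous
connection from host-d.example.net
"""

LOGIN_RE = re.compile(r"^(?:ANONYMOUS FTP LOGIN|FTP LOGIN FAILED) FROM (\S+?),\s*(\S+)$")
# Assumption generalized from the log above: one capital letter + "gpuser@home.com".
TOOL_PW_RE = re.compile(r"^[A-Z]gpuser@home\.com$")

def unwrap(text):
    """Rejoin records that line wrapping split after the trailing comma."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if records and records[-1].endswith(","):
            records[-1] += " " + line
        else:
            records.append(line)
    return records

def summarize(text):
    """Map host -> passwords offered, split by whether they fit the pattern."""
    hosts = defaultdict(lambda: {"matching": [], "other": []})
    for record in unwrap(text):
        m = LOGIN_RE.match(record)
        if m:  # bare "connection from" lines carry no password
            host, password = m.groups()
            kind = "matching" if TOOL_PW_RE.match(password) else "other"
            hosts[host][kind].append(password)
    return dict(hosts)

def flagged_hosts(text):
    """Hosts that offered at least one pattern-matching anonymous password."""
    return sorted(h for h, v in summarize(text).items() if v["matching"])
```

Grouping by host keeps the non-matching passwords alongside the matching ones, so a source that tries several anonymous passwords in a row shows up as a single entry.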
