Security Incidents mailing list archives
RE: FTP scans from wanadoo.fr
From: "Rick Darsey" <rdarsey () aims1 com>
Date: Mon, 17 Dec 2001 15:36:13 -0600
Sorry for sending this directly to you, but my posts to the list do not seem to go through. Here is what I have from the wanadoo.fr domain. This is from 2 servers;

Apr 10 09:27:07 web1 ftpd[11279]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ASte-Genev-Bois-101-1-2-63.abo.wanadoo.fr [193.252.179.63], anonymous
Apr 16 11:18:56 web1 ftpd[3864]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM AMontsouris-102-1-2-174.abo.wanadoo.fr [217.128.29.174], anonymous
Jun 8 04:14:54 web1 ftpd[1385]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM APuteaux-102-1-6-200.abo.wanadoo.fr [193.253.62.200], anonymous
Jun 14 09:13:47 web1 ftpd[15558]: failed login from ANancy-101-1-4-76.abo.wanadoo.fr [217.128.39.76]
Jun 14 09:13:47 web1 ftpd[15558]: lost connection to ANancy-101-1-4-76.abo.wanadoo.fr [217.128.39.76]
Jun 14 18:39:41 web1 ftpd[16468]: lost connection to ANancy-101-1-4-76.abo.wanadoo.fr [217.128.39.76]
Aug 9 00:57:06 web1 ftpd[14222]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM APuteaux-102-1-5-184.abo.wanadoo.fr [193.253.243.184], anonymous
Aug 27 08:59:14 web1 ftpd[662]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ANancy-101-1-5-119.abo.wanadoo.fr [217.128.164.119], anonymous
Sep 6 03:01:43 web1 ftpd[8275]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ASte-Genev-Bois-101-1-4-36.abo.wanadoo.fr [217.128.44.36], anonymous
Oct 15 14:35:15 web1 ftpd[4232]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM APoitiers-101-1-2-106.abo.wanadoo.fr [217.128.89.106], anonymous
Oct 17 08:16:21 web1 ftpd[5405]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ADijon-101-1-4-141.abo.wanadoo.fr [80.11.37.141], anonymous
Oct 20 04:21:02 web1 ftpd[11680]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ABrest-101-1-3-139.abo.wanadoo.fr [217.128.96.139], anonymous
Oct 20 13:30:30 web1 ftpd[12425]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ANantes-101-1-5-30.abo.wanadoo.fr [193.251.16.30], anonymous
Oct 24 17:23:02 web1 ftpd[25429]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ADijon-101-1-1-101.abo.wanadoo.fr [193.251.185.101], anonymous
Nov 1 15:28:30 web1 ftpd[22007]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ADijon-101-1-3-238.abo.wanadoo.fr [217.128.160.238], anonymous
Nov 19 16:33:34 web1 ftpd[13591]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ALyon-102-1-2-108.abo.wanadoo.fr [193.253.230.108], anonymous
Nov 21 16:24:42 web1 ftpd[18453]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ALyon-102-1-6-48.abo.wanadoo.fr [80.11.199.48], anonymous
Nov 23 02:40:31 web1 ftpd[7743]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ALyon-102-1-6-48.abo.wanadoo.fr [80.11.199.48], anonymous
Nov 26 05:26:32 web1 ftpd[3037]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM AClermont-Ferrand-101-1-2-216.abo.wanadoo.fr [193.252.188.216], anonymous
Nov 26 13:29:42 web1 ftpd[647]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ANeuilly-101-1-4-53.abo.wanadoo.fr [193.252.2.53], anonymous
Nov 30 11:50:24 web1 ftpd[4418]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ALimoges-101-1-1-116.abo.wanadoo.fr [193.251.24.116], anonymous
Dec 13 19:50:44 web1 ftpd[4722]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ANice-103-1-5-203.abo.wanadoo.fr [80.13.196.203], anonymous

[New Server]

May 17 04:20:20 scosysv ftpd[28190]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ca-ol-bordeaux-11-195.abo.wanadoo.fr [213.56.54.195], anonymous
Aug 21 13:02:45 scosysv ftpd[3326]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM AMarseille-101-1-2-224.abo.wanadoo.fr [80.11.1.224], anonymous
Oct 6 02:49:38 scosysv ftpd[88]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM ALille-101-1-2-249.abo.wanadoo.fr [217.128.25.249], anonymous
Nov 18 16:14:29 scosysv ftpd[10984]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM APlessis-Bouchard-101-1-4-238.abo.wanadoo.fr [217.128.88.238], anonymous

-----Original Message-----
From: Todd Suiter [mailto:todd () s4r com]
Sent: Monday, December 17, 2001 3:21 PM
To: Paul Asadoorian
Cc: aaron () aaronwolfe com; incidents () securityfocus com
Subject: Re: FTP scans from wanadoo.fr

Here you go:

From: Chris Reynolds [mailto:chris () ideacatchers com]
Sent: Friday, December 07, 2001 2:53 PM
To: Intrusions List (E-mail)
Subject: Wanadoo.fr Scans

Hi all,

Good news on the Wanadoo.fr front! Their upstream provider, Opentransit is now aware of the scope of the scanning activity from Wanadoo.fr network space and they have requested a list of source IPs involved in scanning and/or attacks. Opentransit has said that they will be escalating this issue with Wanadoo.fr management, and they need some data to go with it.

Please forward any IDS or server logs showing Wanadoo.fr activity - the more source IPs we send them, the easier it will be for them to enact some positive change at Wanadoo.fr. We should be able to get this wrapped up very soon!

Thanks,

On Mon, 17 Dec 2001, Paul Asadoorian wrote:
We too have seen the exact same traffic here. Not sure what to do about it, too bad there wasn't an "Ftp blacklist" sorta the same thing that exists for mail. It may prove useful if the ISP suddenly realizes that half of their address space is being blocked on numerous routers across the Internet.

Paul Asadoorian, GCIA

----- Original Message -----
From: "Aaron Wolfe" <aaron () aaronwolfe com>
To: <incidents () securityfocus com>
Sent: Monday, December 17, 2001 12:59 PM
Subject: FTP scans from wanadoo.fr

hello,

for some time (weeks if not months) several of our remote offices have been logging connect attempts to port 21 from various ips that resolve to (something).wanadoo.fr. since we have firewalls on many different networks from several providers all logging these attempts, i'm fairly sure this is a script randomly scanning ips. I even put up an FTP server on one box to see what would happen if port 21 was open, it attempted to login as anonymous but I didn't let it go any further.

I have made many attempts to contact Wanadoo regarding this. I have sent them logs and friendly messages asking if there is anything I can do to help or if they would like more information. Despite sending at least 5 messages over the last several weeks, I have never received any response at all.

I have started gathering IPs and just blocking the networks as wanadoo seems to be a french ISP with nothing of interest to any of our offices. but obviously I'd like to be as specific as possible when passing out null routes.

My questions, has anyone else noticed this? I am almost certain others have. But more importantly, is there an easy way for me to find out all the networks that belong to wanadoo so I can just block them all rather than waiting for a connection from a host in each network? Sorry if that's a dumb question, i am kind of new to this. (many thanks to this list! i have learned a lot!)

Oh, and am I overreacting here? I know these probes happen all the time, but when they happen at all 20+ of our sites coming from the same network for several weeks... ?

-aaron

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
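
Added example, not part of any poster's message: one way to turn ftpd syslog lines in the format quoted in this thread into a list of sources to report or block, widening from a single host to a covering prefix only when several distinct sources share it. The sample lines, the `.abo.isp.example` suffix, the /24 grouping and the function names are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the ftpd syslog format quoted in the thread; host names
# and addresses are documentation values, not entries from the posted logs.
SAMPLE_LOG = """\
Apr 10 09:27:07 web1 ftpd[101]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM a-63.abo.isp.example [192.0.2.63], anonymous
Apr 16 11:18:56 web1 ftpd[102]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM a-174.abo.isp.example [192.0.2.174], anonymous
Jun 14 09:13:47 web1 ftpd[103]: failed login from a-76.abo.isp.example [192.0.2.76]
Jun 14 09:13:47 web1 ftpd[103]: lost connection to a-76.abo.isp.example [192.0.2.76]
Aug 21 13:02:45 web2 ftpd[104]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM b-224.abo.isp.example [198.51.100.224], anonymous
Oct  6 02:49:38 web2 ftpd[105]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM host.other.example [203.0.113.9], anonymous
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<server>\S+) ftpd\[\d+\]: "
    r"(?P<event>FTP LOGIN REFUSED|failed login|lost connection)"
    r".*? (?:FROM|from|to) (?P<host>\S+) \[(?P<ip>[\d.]+)\]"
)

def parse(log_text, domain_suffix):
    """Yield (server, event, ip) for ftpd lines whose logged reverse-DNS name
    ends in domain_suffix. The name is whatever the source's DNS returned."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["host"].lower().endswith(domain_suffix):
            yield m["server"], m["event"], ipaddress.ip_address(m["ip"])

def block_candidates(events, prefix_len=24, min_sources=2):
    """Return [(network, distinct_sources)]: the covering prefix when at least
    min_sources distinct hosts in it were logged, otherwise single /32 hosts."""
    by_net = defaultdict(set)
    for _server, _event, ip in events:
        by_net[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)].add(ip)
    result = []
    for net in sorted(by_net):
        ips = sorted(by_net[net])
        if len(ips) >= min_sources:
            result.append((net, len(ips)))
        else:
            result.extend((ipaddress.ip_network(f"{ip}/32"), 1) for ip in ips)
    return result

if __name__ == "__main__":
    for net, count in block_candidates(parse(SAMPLE_LOG, ".abo.isp.example")):
        print(f"{net}\t{count} distinct source(s)")
```

Repeated events from one host (the failed login and lost connection pair) count as a single source, so a prefix is only proposed when distinct hosts inside it appear in the logs.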