Security Incidents mailing list archives

Re: FTP scans from wanadoo.fr

From: Phil <pbi () cartel-info fr>
Date: Tue, 18 Dec 2001 00:55:57 +0100 (CET)

On 17 Dec 2001, loon wrote:

Hello,
I'm sure you are all seeing this, but, i have noticed a bit of a pattern
to all this, every hit i get starts with the A....i.e.:



ftp connection attempt from AReims-101-1-4-54.abo.wanadoo.fr:3165
ftp connection attempt from AToulouse-201-1-2-235.abo.wanadoo.fr:2304
ftp connection attempt from ALyon-201-1-6-98.abo.wanadoo.fr:3620
ftp connection attempt from ABrest-101-1-4-4.abo.wanadoo.fr:3858
ftp connection attempt from ALagny-101-1-6-165.abo.wanadoo.fr:4526
ftp connection attempt from ALille-101-1-2-251.abo.wanadoo.fr:1025
ftp connection attempt from ABesancon-101-1-4-78.abo.wanadoo.fr:3884

this should all but confirm the fact that its some sort of script...hope
that helps...

loon



The naming scheme for wanadoo domains is
A`location name`-x-y-z-t.abo.wanadoo.fr
where x seems to be a three digit name (I don't know what it mean)
      y seems to be  a one digit name (i've never seen other than 1)
      z seems to be the number of the class C used for this location
      t seems to be the last IP number
location is a city name, except for Paris where it is divided in regions
of the town.

What I want to say is that the attacks seem to come from very different
places in France. It may be a very well coordinated large scale crackers
group. But it's far more probable that the attacks come from compromised
machines or from spoofed IPs, and that the attacker don't like wanadoo.


-- 
Philippe Biondi <pbi@ cartel-info.fr>   Cartel Informatique
Security Consultant/R&D                 http://www.cartel-info.fr
Phone: +33 1 44 06 97 94                Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

RE: FTP scans from wanadoo.fr, (continued)
- - - RE: FTP scans from wanadoo.fr Rick Darsey (Dec 17)
    - Re: FTP scans from wanadoo.fr Glenn Forbes Fleming Larratt (Dec 17)
- Re: FTP scans from wanadoo.fr Todd Suiter (Dec 17)
- Re: FTP scans from wanadoo.fr Mike V (Dec 17)
- Re: FTP scans from wanadoo.fr Jose Nazario (Dec 17)
- Re: FTP scans from wanadoo.fr Sébastien Vaast (Dec 17)
- RE: FTP scans from wanadoo.fr SunTrix Com Management (Dec 17)
- Re: FTP scans from wanadoo.fr russell (Dec 17)
  - Re: FTP scans from wanadoo.fr Steve (Dec 17)
- Re: FTP scans from wanadoo.fr loon (Dec 17)
  - Re: FTP scans from wanadoo.fr Phil (Dec 17)
  - Re: FTP scans from wanadoo.fr Replugge [Rod] (Dec 18)
- Re: FTP scans from wanadoo.fr dr john halewood (Dec 18)
  - Re: FTP scans from wanadoo.fr Alexandre Pinto (Dec 18)
  - Re: FTP scans from wanadoo.fr - MOre info Replugge [Rod] (Dec 18)
    - Re: FTP scans from wanadoo.fr - MOre info Pieter-Bas IJdens (Dec 19)
- Re: FTP scans from wanadoo.fr Emil Popov (Dec 20)
- FTP scans from wanadoo.fr Gray, Patrick (ISS Atlanta) (Dec 17)
- RE: FTP scans from wanadoo.fr Barber, Chris (Dec 18)
- Re: FTP scans from wanadoo.fr Dave Morris (Dec 20)