Security Incidents mailing list archives
Re: FTP scans from wanadoo.fr
From: Phil <pbi () cartel-info fr>
Date: Tue, 18 Dec 2001 00:55:57 +0100 (CET)
On 17 Dec 2001, loon wrote:
> Hello, I'm sure you are all seeing this, but I have noticed a bit of a
> pattern to all this: every hit I get starts with the A... i.e.:
>
> ftp connection attempt from AReims-101-1-4-54.abo.wanadoo.fr:3165
> ftp connection attempt from AToulouse-201-1-2-235.abo.wanadoo.fr:2304
> ftp connection attempt from ALyon-201-1-6-98.abo.wanadoo.fr:3620
> ftp connection attempt from ABrest-101-1-4-4.abo.wanadoo.fr:3858
> ftp connection attempt from ALagny-101-1-6-165.abo.wanadoo.fr:4526
> ftp connection attempt from ALille-101-1-2-251.abo.wanadoo.fr:1025
> ftp connection attempt from ABesancon-101-1-4-78.abo.wanadoo.fr:3884
>
> This should all but confirm the fact that it's some sort of script...
> hope that helps...
>
> loon
The naming scheme for wanadoo domains is

A`location name`-x-y-z-t.abo.wanadoo.fr

where
x seems to be a three digit name (I don't know what it means)
y seems to be a one digit name (I've never seen other than 1)
z seems to be the number of the class C used for this location
t seems to be the last IP number
location is a city name, except for Paris where it is divided in regions of the town.

What I want to say is that the attacks seem to come from very different places in France. It may be a very well coordinated large scale crackers group. But it's far more probable that the attacks come from compromised machines or from spoofed IPs, and that the attacker doesn't like wanadoo.

--
Philippe Biondi <pbi@ cartel-info.fr>
Cartel Informatique
Security Consultant/R&D
http://www.cartel-info.fr
Phone: +33 1 44 06 97 94
Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2
FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
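The naming scheme described in the message above can be used to triage such log lines by source location. The following is an added example, not part of the original post or thread: the function names, the regular expression and the assumption that a location is letters only are illustrative, and the field meanings are the guesses given in the post.

```python
import re
from collections import Counter

# Log lines copied from the report quoted in the message above.
SAMPLE_LOG = """\
ftp connection attempt from AReims-101-1-4-54.abo.wanadoo.fr:3165
ftp connection attempt from AToulouse-201-1-2-235.abo.wanadoo.fr:2304
ftp connection attempt from ALyon-201-1-6-98.abo.wanadoo.fr:3620
ftp connection attempt from ABrest-101-1-4-4.abo.wanadoo.fr:3858
ftp connection attempt from ALagny-101-1-6-165.abo.wanadoo.fr:4526
ftp connection attempt from ALille-101-1-2-251.abo.wanadoo.fr:1025
ftp connection attempt from ABesancon-101-1-4-78.abo.wanadoo.fr:3884
"""

# A<location>-x-y-z-t.abo.wanadoo.fr, optionally followed by :<source port>.
# Assumption: a location name consists of letters only.
HOST_RE = re.compile(
    r"\bA(?P<location>[A-Za-z]+)-(?P<x>\d+)-(?P<y>\d+)-(?P<z>\d+)-(?P<t>\d+)"
    r"\.abo\.wanadoo\.fr(?::(?P<port>\d+))?"
)

def parse_line(line):
    """Return the hostname fields of one log line, or None if it does not match."""
    m = HOST_RE.search(line)
    if m is None:
        return None
    rec = {k: int(v) for k, v in m.groupdict().items()
           if k != "location" and v is not None}
    rec["location"] = m.group("location")
    return rec

def summarize(log_text):
    """Count hits per location and per x/y value; keep lines that do not fit."""
    records, unmatched = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unmatched.append(line)
        else:
            records.append(rec)
    return {
        "hits": len(records),
        "locations": Counter(r["location"] for r in records),
        "x_values": Counter(r["x"] for r in records),
        "y_values": Counter(r["y"] for r in records),
        "unmatched": unmatched,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Lines that do not follow the scheme end up in `unmatched`, so sources from other providers are kept for separate review instead of being dropped.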