Re: FTP scans from wanadoo.fr

[Todd Suiter <todd () s4r com>]

Yes, we've seen them. One of our customers had an open anon ftp(we explained
the reasons this was bad, they wanted it anyway). Had several hundred connects
from .wanadoo. then from everywhere else, pulling various full images (aliens
vs predator 2, etc). Sent mail to abuse@, etc. No response. Ended up doing
some magic with our firewalls and on the host itself to fix the 'issue', but
the wanadoo folks were non responsive. I've seen on other lists(snort and one
more that I don't recall) that other people are seeing this as well, and
have gone so far as to get in touch with the French govt to help. No response. If I run across that thread in my old 
mail, I'll forward it.

t

(Also note, they seemed to be scripted, plus some human intervention. Going
so far as installing a few 'timing' scripts, and one .asp that I'm stealing
cause its pretty cool. On an 'infected' host, look for win.asp and take
a look. You can usually find it by going to http://Infected_virtual/win.asp. Tells you all kinds of nifty stuff about 
the host...)



On Mon, 17 Dec 2001, Aaron Wolfe wrote:

> hello,
>
> for some time (weeks if not months) several of our remote offices have been
> logging connects attempts to port 21 from various ips that resolve to
> (something).wanadoo.fr.  since we have firewalls on many different networks
> from several providers all logging these attempts, i'm fairly sure this is a
> script randomly scanning ips.  I even put up an FTP server on one box to see
> what would happen if port 21 was open, it attempted to login as anonymous
> but I didn't let it go any further.
>
> I have made many attempts to contact Wanadoo regarding this.  I have sent
> them logs and friendly messages asking if there is anything I can do to help
> or if they would like more information.  Despite sending at least 5 messages
> over the last several weeks, I have never received any response at all.
>
> I have started gathering IPs and just blocking the networks as wanadoo seems
> to be a french ISP with nothing of interest to any our our offices.  but
> obviously I'd like to be as specific as possible when passing out null
> routes.
>
> My questions, has anyone else noticed this?  I am almost certain others
> have.  But more importantly, is there an easy way for me to find out all the
> networks that belong to wanadoo so I can just block them all rather than
> waiting for a connection from a host in each network?  Sorry if that's a
> dumb question, i am kind of new to this.  (many thanks to this list! i have
> learned alot!)  Oh, and am I over reacting here?  I know these probes happen
> all the time, but when they happen at all 20+ of our sites coming from the
> same network for several weeks...  ?
>
> -aaron
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com