Security Incidents mailing list archives

FTP scans from wanadoo.fr


From: "Gray, Patrick (ISS Atlanta)" <PGray () iss net>
Date: Mon, 17 Dec 2001 19:04:47 -0500



According to Ripe.net (the European whois server), this company owns the
following subnet, 193.252.19.x -- 193.252.21.255. So if he blocks this
subnet range, he should not have any problems with that ISP.

Here is some additional contact info for wanadoo.fr

inetnum:      193.252.19.0 - 193.252.21.255
netname:      FR-WANADOO
descr:        France Telecom Interactive / Wanadoo
country:      FR
admin-c:      WITR1-RIPE
tech-c:       WITR1-RIPE
status:       ASSIGNED PA
remarks:      for hacking, spamming or security problems send mail to
remarks:      postmaster () wanadoo fr AND abuse () wanadoo fr
remarks:      for ANY problem send mail to gestionip.ft () francetelecom com
mnt-by:       FT-BRX
changed:      noc () rain fr 19990129
changed:      Patrice.Robert () fti net 19990219
changed:      noc () rain fr 19990427
changed:      addr-reg () rain fr 19990506
changed:      gestionip.ft () francetelecom fr 20000626
changed:      gestionip.ft () francetelecom fr 20010117
source:       RIPE

route:        193.252.0.0/18
descr:        France Telecom
descr:        FTI
origin:       AS3215
mnt-by:       FT-BRX
changed:      gestionip.ft () francetelecom fr 20001018
source:       RIPE

role:         Wanadoo Interactive Technical Role
address:      WANADOO INTERACTIVE
address:      48 rue Camille Desmoulins
address:      92791 ISSY LES MOULINEAUX CEDEX 9
address:      FR
phone:        +33 1 58 88 50 00
e-mail:       abuse () wanadoo fr
e-mail:       postmaster () wanadoo fr
admin-c:      FTI-RIPE
tech-c:       TEFS1-RIPE
nic-hdl:      WITR1-RIPE
notify:       gestionip.ft () francetelecom com
mnt-by:       FT-BRX
changed:      gestionip.ft () francetelecom com 20010504
changed:      gestionip.ft () francetelecom com 20010912
changed:      gestionip.ft () francetelecom com 20011204
source:       RIPE


-----Original Message-----
From: Aaron Wolfe [mailto:aaron () aaronwolfe com]
Sent: Monday, December 17, 2001 1:00 PM
To: incidents () securityfocus com
Subject: FTP scans from wanadoo.fr



hello,

for some time (weeks if not months) several of our remote offices have been
logging connection attempts to port 21 from various IPs that resolve to
(something).wanadoo.fr.  since we have firewalls on many different networks
from several providers all logging these attempts, I'm fairly sure this is a
script randomly scanning IPs.  I even put up an FTP server on one box to see
what would happen if port 21 was open, it attempted to login as anonymous
but I didn't let it go any further.

I have made many attempts to contact Wanadoo regarding this.  I have sent
them logs and friendly messages asking if there is anything I can do to help
or if they would like more information.  Despite sending at least 5 messages
over the last several weeks, I have never received any response at all.

I have started gathering IPs and just blocking the networks as wanadoo seems
to be a french ISP with nothing of interest to any of our offices.  but
obviously I'd like to be as specific as possible when passing out null
routes.

My questions, has anyone else noticed this?  I am almost certain others
have.  But more importantly, is there an easy way for me to find out all the
networks that belong to wanadoo so I can just block them all rather than
waiting for a connection from a host in each network?  Sorry if that's a
dumb question, I am kind of new to this.  (many thanks to this list! I have
learned a lot!)  Oh, and am I overreacting here?  I know these probes happen
all the time, but when they happen at all 20+ of our sites coming from the
same network for several weeks...  ?

-aaron

Patrick Gray
Manager, Internet Threat Intelligence Center
X-Force, MSS Special Operations Group
Internet Security Systems
6303 Barfield Road
Atlanta, GA 30328
404.236.2924 - tel
404.271.9911 - cell
pgray () iss net

Internet Security Systems - The Power to Protect
www.iss.net 

 


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
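
Added example, not part of the original messages: a Python sketch that reads the `inetnum` and `route` lines quoted in the reply, turns the address range into the minimal CIDR blocks a firewall or null route needs, and checks which announced route covers them. The function names and the embedded sample text are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: only the inetnum/route lines from the whois output above.
WHOIS_TEXT = """\
inetnum:      193.252.19.0 - 193.252.21.255
netname:      FR-WANADOO
route:        193.252.0.0/18
origin:       AS3215
"""

def parse_whois(text):
    """Return ([(first, last), ...] inetnum ranges, [route networks])."""
    ranges, routes = [], []
    for line in text.splitlines():
        m = re.match(r"^(inetnum|route):\s+(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "inetnum":
            first, last = (ipaddress.ip_address(p.strip())
                           for p in value.split("-"))
            if first > last:
                raise ValueError(f"reversed range: {value}")
            ranges.append((first, last))
        else:
            routes.append(ipaddress.ip_network(value))
    return ranges, routes

def range_to_cidrs(first, last):
    """Smallest set of CIDR blocks that exactly covers first..last."""
    return list(ipaddress.summarize_address_range(first, last))

def covering_route(cidr, routes):
    """Return the announced route containing cidr, or None."""
    return next((r for r in routes if cidr.subnet_of(r)), None)

def block_list(text):
    """CIDR strings for every inetnum range found in the whois text."""
    ranges, _ = parse_whois(text)
    return [str(c) for first, last in ranges
            for c in range_to_cidrs(first, last)]

if __name__ == "__main__":
    _, routes = parse_whois(WHOIS_TEXT)
    for cidr in block_list(WHOIS_TEXT):
        net = ipaddress.ip_network(cidr)
        print(cidr, net.num_addresses, "inside", covering_route(net, routes))
```

The quoted assignment reduces to two blocks totalling 768 addresses, while the /18 route spans 16,384, so a block on the route would reach far beyond the one `inetnum` object shown here.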
