Security Incidents mailing list archives
Re: FTP scans from wanadoo.fr
From: "Replugge [Rod]" <replugge () alcoholico org>
Date: 18 Dec 2001 07:32:44 +0100
All of this were 'Suspicious connections' to Trustix FTP Site... if you take a look at least one match with the one's reported by loon. take a quick look at the e-mail addresses provided when login as Anonymous. connection from ATours-101-1-2-156.abo.wanadoo.fr ANONYMOUS FTP LOGIN FROM ATours-101-1-2-156.abo.wanadoo.fr, Ggpuser () home com connection from AMontsouris-101-1-5-217.abo.wanadoo.fr FTP LOGIN FAILED FROM AMontsouris-101-1-5-217.abo.wanadoo.fr, anonymous@ftp.m connection from AMontsouris-101-1-5-217.abo.wanadoo.fr FTP LOGIN FAILED FROM AMontsouris-101-1-5-217.abo.wanadoo.fr, anonymous@ftp.m connection from AMontsouris-101-1-5-217.abo.wanadoo.fr ANONYMOUS FTP LOGIN FROM AMontsouris-101-1-5-217.abo.wanadoo.fr, Wgpuser () home com connection from AToulon-101-1-3-138.abo.wanadoo.fr connection from AToulon-101-1-3-138.abo.wanadoo.fr connection from AToulon-101-1-3-138.abo.wanadoo.fr connection from AToulon-101-1-3-138.abo.wanadoo.fr ANONYMOUS FTP LOGIN FROM AToulon-101-1-3-138.abo.wanadoo.fr, Xgpuser () home com connection from ANeuilly-105-1-3-71.abo.wanadoo.fr ANONYMOUS FTP LOGIN FROM ANeuilly-105-1-3-71.abo.wanadoo.fr, Dgpuser () home com connection from ARouen-101-1-3-215.abo.wanadoo.fr ANONYMOUS FTP LOGIN FROM ARouen-101-1-3-215.abo.wanadoo.fr, Tgpuser () home com connection from AOrleans-102-1-1-138.abo.wanadoo.fr ANONYMOUS FTP LOGIN FROM AOrleans-102-1-1-138.abo.wanadoo.fr, anonymous connection from ARouen-101-1-3-215.abo.wanadoo.fr connection from AOrleans-102-1-1-138.abo.wanadoo.fr ANONYMOUS FTP LOGIN FROM AOrleans-102-1-1-138.abo.wanadoo.fr, Jgpuser () home com connection from ABordeaux-102-1-4-68.abo.wanadoo.fr FTP LOGIN FAILED FROM ABordeaux-102-1-4-68.abo.wanadoo.fr, anonymous@ftp.m connection from ALille-101-1-4-61.abo.wanadoo.fr On Tue, 2001-12-18 at 00:22, loon wrote:
Hello, I'm sure you are all seeing this, but, i have noticed a bit of a pattern to all this, every hit i get starts with the A....i.e.: ftp connection attempt from AReims-101-1-4-54.abo.wanadoo.fr:3165 ftp connection attempt from AToulouse-201-1-2-235.abo.wanadoo.fr:2304 ftp connection attempt from ALyon-201-1-6-98.abo.wanadoo.fr:3620 ftp connection attempt from ABrest-101-1-4-4.abo.wanadoo.fr:3858 ftp connection attempt from ALagny-101-1-6-165.abo.wanadoo.fr:4526 ftp connection attempt from ALille-101-1-2-251.abo.wanadoo.fr:1025 ftp connection attempt from ABesancon-101-1-4-78.abo.wanadoo.fr:3884 this should all but confirm the fact that its some sort of script...hope that helps... loon On Mon, 2001-12-17 at 11:59, Aaron Wolfe wrote:hello, for some time (weeks if not months) several of our remote offices have been logging connects attempts to port 21 from various ips that resolve to (something).wanadoo.fr. since we have firewalls on many different networks from several providers all logging these attempts, i'm fairly sure this is a script randomly scanning ips. I even put up an FTP server on one box to see what would happen if port 21 was open, it attempted to login as anonymous but I didn't let it go any further.---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-- -- /* Rodrigo Gutierrez <rodrigo () trustix com> Trustix AS - http://www.trustix.com */ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: FTP scans from wanadoo.fr, (continued)
- Re: FTP scans from wanadoo.fr Glenn Forbes Fleming Larratt (Dec 17)
- Re: FTP scans from wanadoo.fr Todd Suiter (Dec 17)
- Re: FTP scans from wanadoo.fr Mike V (Dec 17)
- Re: FTP scans from wanadoo.fr Jose Nazario (Dec 17)
- Re: FTP scans from wanadoo.fr Sébastien Vaast (Dec 17)
- RE: FTP scans from wanadoo.fr SunTrix Com Management (Dec 17)
- Re: FTP scans from wanadoo.fr russell (Dec 17)
- Re: FTP scans from wanadoo.fr Steve (Dec 17)
- Re: FTP scans from wanadoo.fr loon (Dec 17)
- Re: FTP scans from wanadoo.fr Phil (Dec 17)
- Re: FTP scans from wanadoo.fr Replugge [Rod] (Dec 18)
- Re: FTP scans from wanadoo.fr dr john halewood (Dec 18)
- Re: FTP scans from wanadoo.fr Alexandre Pinto (Dec 18)
- Re: FTP scans from wanadoo.fr - MOre info Replugge [Rod] (Dec 18)
- Re: FTP scans from wanadoo.fr - MOre info Pieter-Bas IJdens (Dec 19)
- Re: FTP scans from wanadoo.fr Emil Popov (Dec 20)
- FTP scans from wanadoo.fr Gray, Patrick (ISS Atlanta) (Dec 17)
- RE: FTP scans from wanadoo.fr Barber, Chris (Dec 18)
- Re: FTP scans from wanadoo.fr Dave Morris (Dec 20)