Security Incidents mailing list archives

Re: scanning from WANADOO-CABLE-BD

From: "Pieter-Bas IJdens" <pieter-bas () ijdens com>
Date: Tue, 4 Jun 2002 10:33:23 +0200

This is done by an automated scanning tool called grim's ping. Take a look
at http://grimsping.cjb.net/ to learn more about it. The software is used
not to find vulnerable ftp servers, but to find misconfigured ftp servers
that can be used to trade warez on.

I think many people are being scanned by this tool. Most scans I get that
follow this pattern either come from wanadoo.fr or t-dialin.net/t-online.de.
These imo are the two european ISPs that have a large number of cable/dsl
users, but are least likely to act on complaints.

  Pieter-Bas

My ftp server has been getting probed to see if it accepts anonymous

uploads

from ftp@.*wanadoo.fr.  Specifically:

  217.128.209.122
  80.13.216.42
  80.13.237.189
  217.128.235.25

It appears to be a script checking:

/images/:

...

/usr/incoming/:




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

scanning from WANADOO-CABLE-BD Hugo van der Kooij (Jun 02)
- Re: scanning from WANADOO-CABLE-BD Jon Nelson (Jun 03)
  - Re: scanning from WANADOO-CABLE-BD Pieter-Bas IJdens (Jun 04)
  - Re: scanning from WANADOO-CABLE-BD Abhi (Jun 04)
- <Possible follow-ups>
- RE: scanning from WANADOO-CABLE-BD Jonkman, Matthew A. (Jun 03)
- RE: scanning from WANADOO-CABLE-BD NESTING, DAVID M (SBCSI) (Jun 03)