#1
Hey, I just got port probed on UDP 1026 by the FEDS twice within seconds of each other, then another on the same port 20 mins later from the MIL? lol!

Address lookup
  canonical name: za602c7ce.ip.fs.fed.us
  aliases:
  addresses: 166.2.199.206

Domain Whois record
  Queried whois.nic.gov with "fs.fed.us"...
  % DOTGOV WHOIS Server ready
  Please be advised that this whois server only contains information pertaining to the .GOV domain. For information for other domains please use the whois server at RS.INTERNIC.NET.

Network Whois record
  Queried whois.arin.net with "166.2.199.206"...
  OrgName: US Forest Service
  OrgID: UFS-1
  Address: Room 808
  Address: P.O. Box 96090
  City: Washington
  StateProv: DC
  PostalCode: 20090-6090
  Country: US
  NetRange: 166.2.0.0 - 166.7.255.255
  CIDR: 166.2.0.0/15, 166.4.0.0/14
  NetName: NETBLK-USFS
  NetHandle: NET-166-2-0-0-1
  Parent: NET-166-0-0-0-0
  NetType: Direct Assignment
  NameServer: NS1.USDA.GOV
  NameServer: NS2.USDA.GOV
  Comment:
  RegDate: 1993-11-03
  Updated: 2005-10-11
  RTechHandle: ZU20-ARIN
  RTechName: USDA - Office of the Chief Information Officer
  RTechPhone: +1-970-295-5277
  RTechEmail: Network.Operations@usda.gov
  OrgTechHandle: ZU20-ARIN
  OrgTechName: USDA - Office of the Chief Information Officer
  OrgTechPhone: +1-970-295-5277
  OrgTechEmail: Network.Operations@usda.gov
  # ARIN WHOIS database, last updated 2006-01-14 19:10
  # Enter ? for additional hints on searching ARIN's WHOIS database.

Address lookup
  lookup failed 214.222.222.29
  Could not find a domain name corresponding to this IP address.

Domain Whois record
  Don't have a domain name for which to get a record

Network Whois record
  Queried whois.arin.net with "214.222.222.29"...
  OrgName: DoD Network Information Center
  OrgID: DNIC
  Address: 3990 E. Broad Street
  City: Columbus
  StateProv: OH
  PostalCode: 43218
  Country: US
  NetRange: 214.0.0.0 - 214.255.255.255
  CIDR: 214.0.0.0/8
  NetName: DDN-NIC15
  NetHandle: NET-214-0-0-0-1
  Parent:
  NetType: Direct Allocation
  NameServer: AAA-VIENNA.NIPR.MIL
  NameServer: AAA-KELLY.NIPR.MIL
  NameServer: AAA-WHEELER.NIPR.MIL
  NameServer: AAA-VAIHINGEN.NIPR.MIL
  Comment: DoD Network Information Center
  Comment: 3990 E. Broad Street
  Comment: Columbus, OH 43218 US
  RegDate: 1998-03-27
  Updated: 2005-10-07
  RTechHandle: MIL-HSTMST-ARIN
  RTechName: Network DoD
  RTechPhone: +1-800-365-3642
  RTechEmail: HOSTMASTER@nic.mil
  OrgTechHandle: MIL-HSTMST-ARIN
  OrgTechName: Network DoD
  OrgTechPhone: +1-800-365-3642
  OrgTechEmail: HOSTMASTER@nic.mil

StevieO
#2
While the scans may have come from those IPs, keep in mind the IPs could have been spoofed as well.

Regards, CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks." - Bruce Schneier
#3
Perhaps the feds are checking up on you because of your connections with holyfather.
#4
Here's one of my favs, StevieO:

  Device 1, Blocked Incoming UDP packet (no matching rule), src=34.151.178.85, dst=xx.xx.xx.xxx, sport=28048, dport=1025

For the persistent ones you can always feed something like this into your browser:
214.222.222.29:80/Archives/GOP/franklincoverup.shtml
#5
CrazyM
Point taken, but?

deviladvocate
So you think it's got something to do with the local priest?

band_R_b00sh
I spent quite some time looking into all that "in the woods" etc. story. I DL'd the UK-made TV documentary that got pulled by most US etc. TV stations just before airing. Amazing, so thanks for posting.

It's been happening again today, all in half an hour, more of these types of "unusual" attempted probes to my PC, that all got blocked. And the DOD is a repeat too. I haven't been checking 24/7 because I'm not worried at all lol, as I'm not doing anything illegal! All these were NOT identified with ANY source DNS name in my FW logs, I had to look them up.

25.175.183.229
  OrgName: DINSA, Ministry of Defence
  OrgID: DMD-16
  Address: HQ DCSA, Copenacre, c/o Basil Hill Barracks,
  City: Corsham
  StateProv: Wiltshire
  PostalCode: SN13 9NR
  Country: GB

9.7.12.12
  OrgName: IBM Corporation
  OrgID: IBMCOR-8
  Address: 1311 Mamaroneck Ave.
  City: White Plains
  StateProv: NY
  PostalCode: 10605
  Country: US

192.88.50.48
  No match found for 192.88.50.48.
  DNS query for 48.50.88.192.in-addr.arpa returned an error from the server: NameError
  No records to display

214.53.21.185
  OrgName: DoD Network Information Center
  OrgID: DNIC
  Address: 3990 E. Broad Street
  City: Columbus
  StateProv: OH
  PostalCode: 43218
  Country: US

75.129.46.56
  No match found for 75.129.46.56
  DNS query for 56.46.129.75.in-addr.arpa returned an error from the server: NameError
  No records to display

156.77.34.144
  OrgName: KeyBank
  OrgID: KEYBAN
  Address: 127 Public Square
  City: Cleveland
  StateProv: OH
  PostalCode: 44115
  Country: US

38.249.252.135
  OrgName: Performance Systems International Inc.
  OrgID: PSI
  Address: 1015 31st St NW
  City: Washington
  StateProv: DC
  PostalCode: 20007
  Country: US

Here's a thread with other reports from late last year, also port 1026 etc., on DOD probes.
http://forums.phoenixlabs.org/archiv...hp?t-1227.html

The United States Department of Defense, abbreviated as DoD or DOD and sometimes called the Defense Department
http://en.wikipedia.org/wiki/Department_of_Defense

As well as the other probes before, I have found all my USB modem drivers have mysteriously uninstalled themselves on three occasions after reboots over a two-week period. Couple this with frequent daily disconnects and data slowdowns from my ISP, and no credible answers or solutions from them. Emails that got bounced back? Stalling, and only evasion and trying to pass the buck from one dept to another, with promises that their tech people are on it and would phone me. They still have not! All these things could be mere coincidence of course, but? Well, let them waste time and other people's money "if" they are targeting me directly, it won't make any difference to me. All very interesting and amusing, apart from the disconnect and slowdown problems that is, and I can't wait to see what happens next? And the funny thing is, I know that it's happening, but they don't know that I do!

StevieO
#6
Well, it's still going on, and once again these are all to ports 1025 - 1029, and like before they don't automatically get resolved in my FW logs, I had to do a whois to get them from the numbers?

This is just a sample selection from over the last week or so of the really obvious ones. There have been many others from universities in the USA and elsewhere too. Also some big-name companies.

55.145.166.146 = DoD Network Information Center NS01/2/3.ARMY.MIL
55.127.234.103 = DoD Network Information Center NS01/2/3.ARMY.MIL
55.245.123.218 = DoD Network Information Center. Army National Guard Bureau
33.186.92.10 = DoD Network Information Center OrgTechHandle: MIL-HSTMST-ARIN
11.124.41.31 = DoD Network Information Center. DoD Intel Information Systems. Defense Intelligence Agency
26.211.165.32 = OrgName: DoD Network Information Center. NetName: MILNET
26.241.5.196 = DoD Network Information Center. Defense Information Systems Agency
215.62.199.197 = DoD Network Information Center
6.70.78.241 = DoD Network Information Center. U.S. Army Yuma Proving Ground
29.251.2.166 = DoD Network Information Center. Defense Information Systems Agency
28.123.110.227 = DoD Network Information Center. 7790 Science Applications Crt.,
30.24.31.218 = DoD Network Information Center. Defense Information Systems Agency
30.206.181.23 = DoD Network Information Center. Defense Information Systems Agency
33.93.174.249 = DoD Network Information Center. Science Applications Court
22.217.191.1 = DoD Network Information Center. Defense Information Systems Agency
205.89.200.165 = DoD Network Information Center. Space and Naval Warfare Systems
214.113.53.146 = DoD Network Information Center. DoD Network Information Center
214.110.18.240 = DoD Network Information Center.
131.35.215.17 = Fairchild Air Force Base WA. NameServer: CITS-DNS1.FAIRCHILD.AF.MIL
25.146.13.180 = DINSA, Ministry of Defence. HQ DCSA, Copenacre, c/o Basil Hill Barracks. Corsham Wiltshire. RELAY.MOD.UK
192.150.222.107 = Lajes Field, Azores, Portugal. The 65th Air Base Wing, largest U.S. military organization in the Azores
192.16.210.106 = OrgName: Defense Research Establishment Ottawa
164.141.87.75 = Police Administration in Finland
56.110.177.125 = OrgName: U.S. Postal Service
56.87.158.99 = OrgName: U.S. Postal Service
152.85.33.115 = Tennessee Valley Authority. NameServer: INFO.TVA.GOV
65.252.209.237 = UUNET Technologies, Inc. StateProv: VA
63.45.48.121 = UUNET Technologies, Inc.
144.171.91.248 = National Academy of Sciences

StevieO
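Added example, not part of this thread or of any poster's code: a short Python script that parses firewall log lines in the exact format quoted in post #4, flags blocked inbound UDP to the 1025-1029 range reported above, and attributes the claimed source address to the netblocks from the ARIN output quoted in the first post (166.2.0.0/15 and 166.4.0.0/14 for the Forest Service, 214.0.0.0/8 for the DoD NIC). Everything in the sample log except the first line is constructed for this example, the destination addresses are RFC 5737 documentation addresses, and the netblock table contains only what the thread quotes; any other source still needs a real whois lookup. The per-source grouping surfaces repeats of the kind the first post describes, but it says nothing about who actually sent the packets: as post #2 points out, a UDP source address can be forged, and the script attributes a forged source exactly the same way.

```python
import ipaddress
import re
from collections import Counter

# Netblocks copied from the ARIN whois output quoted earlier in this thread.
NETBLOCKS = {
    "US Forest Service (NETBLK-USFS)": ("166.2.0.0/15", "166.4.0.0/14"),
    "DoD Network Information Center (DDN-NIC15)": ("214.0.0.0/8",),
}
_NETWORKS = [(ipaddress.ip_network(cidr), org)
             for org, cidrs in NETBLOCKS.items() for cidr in cidrs]

# The port range the thread reports the probes hitting; UDP to these ports
# is the pattern Windows Messenger-service pop-up spam used.
MESSENGER_PORTS = range(1025, 1030)

# Matches the firewall line format quoted in post #4 (dst may be masked).
LOG_RE = re.compile(
    r"Blocked Incoming (?P<proto>UDP|TCP) packet \(no matching rule\), "
    r"src=(?P<src>[\d.]+), dst=(?P<dst>[\w.]+), "
    r"sport=(?P<sport>\d+), dport=(?P<dport>\d+)"
)

# Constructed sample: line 1 is the line quoted in post #4, the rest are
# made up for this example (192.0.2.0/24 and 203.0.113.0/24 are RFC 5737).
SAMPLE_LOG = """\
Device 1, Blocked Incoming UDP packet (no matching rule), src=34.151.178.85, dst=xx.xx.xx.xxx, sport=28048, dport=1025
Device 1, Blocked Incoming UDP packet (no matching rule), src=166.2.199.206, dst=192.0.2.10, sport=1026, dport=1026
Device 1, Blocked Incoming UDP packet (no matching rule), src=166.2.199.206, dst=192.0.2.10, sport=1026, dport=1026
Device 1, Blocked Incoming UDP packet (no matching rule), src=214.222.222.29, dst=192.0.2.10, sport=1027, dport=1026
Device 1, Blocked Incoming TCP packet (no matching rule), src=203.0.113.7, dst=192.0.2.10, sport=4455, dport=445
Device 1, Blocked Incoming UDP packet (no matching rule), src=203.0.113.7, dst=192.0.2.10, sport=53, dport=1029
"""


def parse_line(line):
    """Return a dict for a blocked-packet line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_messenger_style(rec):
    """Blocked inbound UDP to 1025-1029: the pattern this thread keeps seeing."""
    return rec["proto"] == "UDP" and rec["dport"] in MESSENGER_PORTS


def attribute(src):
    """Map the *claimed* source to an org from NETBLOCKS. UDP has no handshake,
    so a forged source address is attributed exactly like a genuine one."""
    addr = ipaddress.ip_address(src)
    for net, org in _NETWORKS:
        if addr in net:
            return org
    return "unattributed (look up with whois)"


def summarize(log_text, repeat_threshold=2):
    """Count Messenger-style hits, group them by source and org, and list
    sources seen at least repeat_threshold times."""
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r is not None and is_messenger_style(r)]
    by_src = Counter(r["src"] for r in hits)
    by_org = Counter(attribute(r["src"]) for r in hits)
    repeats = sorted(s for s, n in by_src.items() if n >= repeat_threshold)
    return {"messenger_style": len(hits), "by_src": by_src,
            "by_org": by_org, "repeats": repeats}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("Messenger-style hits:", summary["messenger_style"])
    for org, n in summary["by_org"].most_common():
        print(f"  {n:3d}  {org}")
    print("Repeat sources:", ", ".join(summary["repeats"]) or "none")
```

Feed it a real firewall export and the TCP line and the port-445 noise drop out; what is left is the same 1025-1029 UDP pattern the posts list, grouped so that a source probing twice within seconds shows up under `repeats`.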
#7
Those that come from the universities are really malicious, perhaps there is a hacker among the students. As for those coming from the authorities, has the US government started using these tactics to spy on people? Or are the computers at the Pentagon infected or something, or is some soldier fooling around with the computer at the base!

164.141.87.75 = Police Administration in Finland
Is the police officer up to something?

StevieO, consider reporting them here: http://www.mynetwatchman.com/
I don't give a damn who the hell is conducting port scans, even if they're from the government.
#8
Pretty strange. I would go outside and see if there is a flying saucer on the roof, just in case your firewall is blocking an important message like this:

Last edited by noway : February 4th, 2006 at 02:39 PM.
#9
Quote:
LOL.
#10
Actually I get scanned daily, Peer Guardian blocks them.
#11
noway
That's pretty funny lol, and I like the alert box too.

One of the curious things about all of this is that I'm on a dynamic IP. So either they are scanning thousands and thousands of port ranges, which seems very dumb and a complete waste of time so I can't believe that is happening, or they are specifically targeting people/someone. For what reasons I have no idea, but they won't get in here anyway no matter how many times they try, or through any of the 65,000+ ports, as I'm stealthed. I'll keep watching on and off to see if it keeps happening, and if the tactics change etc. It's a bit like James Bond, or would that be the Matrix, but for real lol

StevieO
#12
I get quite a few of those DoD probes on the same ports. I'm pretty sure they're botted computers sending out Windows Messenger spam.
#13
Quote:
My prediction is that those botted computers are being used by hackers to send out messenger spam, and they spoof the name and content of the message to make the end user think it's from the government or some other authorised agency.
#14
Quote:
Yes, I've also done that wood stuff (seems to be a ridiculous tradition) last week, but I'm waiting for the Feds to knock on my door LOL
#15
They could be botted computers sending out stuff on Windows Messenger ports, but I never see the messages as I have WM etc. disabled. So if they do spoof the name and content of the message, it doesn't apply to me.

All my ports are stealthed by my FW and block everything, apart from the ones I'm using to surf of course. If they were bots, how could they actually utilise all those IP numbers like the official DOD ones etc.?

StevieO