The Feds and Mil just scanned me

Discussion in 'other security issues & news' started by StevieO, Jan 15, 2006.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Guest

    Hey, I just got port probed on UDP 1026 by the FEDS twice within seconds of each other, then another on the same port 20 mins later from the MIL ? lol !


    Address lookup
    canonical name za602c7ce.ip.fs.fed.us.
    aliases
    addresses 166.2.199.206

    Domain Whois record
    Queried whois.nic.gov with "fs.fed.us"...

    % DOTGOV WHOIS Server ready

    Please be advised that this whois server only contains information pertaining to the .GOV domain. For information for other domains please use the whois server at RS.INTERNIC.NET.

    Network Whois record
    Queried whois.arin.net with "166.2.199.206"...

    OrgName: US Forest Service
    OrgID: UFS-1
    Address: Room 808
    Address: P.O. Box 96090
    City: Washington
    StateProv: DC
    PostalCode: 20090-6090
    Country: US

    NetRange: 166.2.0.0 - 166.7.255.255
    CIDR: 166.2.0.0/15, 166.4.0.0/14
    NetName: NETBLK-USFS
    NetHandle: NET-166-2-0-0-1
    Parent: NET-166-0-0-0-0
    NetType: Direct Assignment
    NameServer: NS1.USDA.GOV
    NameServer: NS2.USDA.GOV
    Comment:
    RegDate: 1993-11-03
    Updated: 2005-10-11

    RTechHandle: ZU20-ARIN
    RTechName: USDA - Office of the ChiefInformation Officer
    RTechPhone: +1-970-295-5277
    RTechEmail: Network.Operations@usda.gov

    OrgTechHandle: ZU20-ARIN
    OrgTechName: USDA - Office of the ChiefInformation Officer
    OrgTechPhone: +1-970-295-5277
    OrgTechEmail: Network.Operations@usda.gov

    # ARIN WHOIS database, last updated 2006-01-14 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.



    Address lookup
    lookup failed 214.222.222.29
    Could not find a domain name corresponding to this IP address.

    Domain Whois record
    Don't have a domain name for which to get a record

    Network Whois record
    Queried whois.arin.net with "214.222.222.29"...

    OrgName: DoD Network Information Center
    OrgID: DNIC
    Address: 3990 E. Broad Street
    City: Columbus
    StateProv: OH
    PostalCode: 43218
    Country: US

    NetRange: 214.0.0.0 - 214.255.255.255
    CIDR: 214.0.0.0/8
    NetName: DDN-NIC15
    NetHandle: NET-214-0-0-0-1
    Parent:
    NetType: Direct Allocation
    NameServer: AAA-VIENNA.NIPR.MIL
    NameServer: AAA-KELLY.NIPR.MIL
    NameServer: AAA-WHEELER.NIPR.MIL
    NameServer: AAA-VAIHINGEN.NIPR.MIL
    Comment: DoD Network Information Center
    Comment: 3990 E. Broad Street
    Comment: Columbus, OH 43218 US
    RegDate: 1998-03-27
    Updated: 2005-10-07

    RTechHandle: MIL-HSTMST-ARIN
    RTechName: Network DoD
    RTechPhone: +1-800-365-3642
    RTechEmail: HOSTMASTER@nic.mil

    OrgTechHandle: MIL-HSTMST-ARIN
    OrgTechName: Network DoD
    OrgTechPhone: +1-800-365-3642
    OrgTechEmail: HOSTMASTER@nic.mil


    StevieO
  2. CrazyM

    CrazyM Firewall Expert

    While the scans may have come from those IPs, keep in mind the IPs could have been spoofed as well.

    Regards,

    CrazyM
  3. deviladvocate

    deviladvocate Guest

    Perhaps the feds are checking up on you because of your connections with holyfather.
  4. band_R_b00sh

    band_R_b00sh Guest

    Here's one of my favs, StevieO

    Device 1, Blocked Incoming UDP packet (no matching rule), src=34.151.178.85, dst=xx.xx.xx.xxx, sport=28048, dport=1025

    For the persistent ones you can always feed something like this into your browser:

    214.222.222.29:80/Archives/GOP/franklincoverup.shtml
  5. StevieO

    StevieO Guest

    CrazyM

    Point taken, but ?

    deviladvocate

    So you think it's got something to do with the local priest ?

    band_R_b00sh

    I spent quite some time looking into all that "in the woods" etc story. I DL'd the UK-made TV documentary that got pulled by most US etc TV stations just before airing. Amazing, so thanks for posting.

    It's been happening again today, all in half an hour: more of these types of "Unusual" attempted probes to my PC, that all got blocked. And the DOD is a repeat too. I haven't been checking 24/7 because I'm not worried at all lol, as I'm not doing anything illegal !

    All these were NOT identified with ANY source DNS name in my FW logs; I had to look them up.


    25.175.183.229

    OrgName: DINSA, Ministry of Defence
    OrgID: DMD-16
    Address: HQ DCSA, Copenacre, c/o Basil Hill Barracks,
    City: Corsham
    StateProv: Wiltshire
    PostalCode: SN13 9NR
    Country: GB

    9.7.12.12

    OrgName: IBM Corporation
    OrgID: IBMCOR-8
    Address: 1311 Mamaroneck Ave.
    City: White Plains
    StateProv: NY
    PostalCode: 10605
    Country: US

    192.88.50.48

    No match found for 192.88.50.48.

    DNS query for 48.50.88.192.in-addr.arpa returned an error from the server: NameError

    No records to display

    214.53.21.185

    OrgName: DoD Network Information Center
    OrgID: DNIC
    Address: 3990 E. Broad Street
    City: Columbus
    StateProv: OH
    PostalCode: 43218
    Country: US

    75.129.46.56

    No match found for 75.129.46.56

    DNS query for 56.46.129.75.in-addr.arpa returned an error from the server: NameError

    No records to display

    156.77.34.144

    OrgName: KeyBank
    OrgID: KEYBAN
    Address: 127 Public Square
    City: Cleveland
    StateProv: OH
    PostalCode: 44115
    Country: US

    38.249.252.135

    OrgName: Performance Systems International Inc.
    OrgID: PSI
    Address: 1015 31st St NW
    City: Washington
    StateProv: DC
    PostalCode: 20007
    Country: US


    Here's a thread with other reports from late last year also port 1026 etc, on DOD probes. http://forums.phoenixlabs.org/archive/index.php?t-1227.html

    The United States Department of Defense, abbreviated as DoD or DOD and sometimes called the Defense Department http://en.wikipedia.org/wiki/Department_of_Defense

    As well as the other probes before, I have found all my USB modem drivers have mysteriously uninstalled themselves on three occasions after reboots over a two week period. Couple this with frequent daily disconnects and data slowdowns from my ISP, and no credible answers or solutions from them. Emails that got bounced back ? stalling, and only evasion and trying to pass the buck from one dept to another, with promises that their Tech people are on it and would phone me. They still have not !

    All these things could be mere coincidence of course, but ?

    Well, let them waste time and other people's money "if" they are targeting me directly; it won't make any difference to me. All very interesting and amusing, apart from the disconnect and slowdown problems that is, and I can't wait to see what happens next ? And the funny thing is, I know that it's happening, but they don't know that I do !


    StevieO
  6. StevieO

    StevieO Guest

    Well, it's still going on, and once again these are all to ports 1025 - 1029, and like before they don't automatically get resolved in my FW logs; I had to do a whois to get them from the numbers ?

    This is just a sample selection from over the last week or so of the really obvious ones. There have been many others from universities in the USA and elsewhere too. Also some big name companies.


    55.145.166.146 = DoD Network Information Center NS01/2/3.ARMY.MIL

    55.127.234.103 = DoD Network Information Center NS01/2/3.ARMY.MIL

    55.245.123.218 = DoD Network Information Center. Army National Guard Bureau

    33.186.92.10 = DoD Network Information Center OrgTechHandle: MIL-HSTMST-ARIN

    11.124.41.31 = DoD Network Information Center. DoD Intel Information Systems. Defense Intelligence Agency

    26.211.165.32 = OrgName: DoD Network Information Center. NetName: MILNET

    26.241.5.196 = DoD Network Information Center. Defense Information Systems Agency

    215.62.199.197 = DoD Network Information Center

    6.70.78.241 = DoD Network Information Center. U.S. Army Yuma Proving Ground

    29.251.2.166 = DoD Network Information Center. Defense Information Systems Agency

    28.123.110.227 = DoD Network Information Center. 7790 Science Applicationis Crt.,

    30.24.31.218 = DoD Network Information Center. Defense Information Systems Agency

    30.206.181.23 = DoD Network Information Center. Defense Information Systems Agency

    33.93.174.249 = DoD Network Information Center. Science Applications Court

    22.217.191.1 = DoD Network Information Center. Defense Information Systems Agency

    205.89.200.165 = DoD Network Information Center. Space and Naval Warfare Systems

    214.113.53.146 = DoD Network Information Center. DoD Network Information Center

    214.110.18.240 = DoD Network Information Center.


    131.35.215.17 = Fairchild Air Force Base WA. NameServer: CITS-DNS1.FAIRCHILD.AF.MIL

    25.146.13.180 = DINSA, Ministry of Defence. HQ DCSA, Copenacre, c/o Basil Hill Barracks. Corsham Wiltshire. RELAY.MOD.UK

    192.150.222.107 = Lajes Field, Azores, Portugal. The 65th Air Base Wing largest U.S. military organization in the Azores

    192.16.210.106 = OrgName: Defense Research Establishment Ottawa

    164.141.87.75 = Police Administration in Finland

    56.110.177.125 = OrgName: U.S. Postal Service

    56.87.158.99 = OrgName: U.S. Postal Service

    152.85.33.115 = Tennessee Valley Authority. NameServer: INFO.TVA.GOV

    65.252.209.237 = UUNET Technologies, Inc. StateProv: VA

    63.45.48.121 = UUNET Technologies, Inc.

    144.171.91.248 = National Academy of Sciences


    StevieO
  7. nadirah

    nadirah Registered Member

    Those that come from the universities are really malicious; perhaps there is a hacker among the students. As for those coming from the authorities, has the US government started using these tactics to spy on people? Or are the computers at the Pentagon infected or something, or is some soldier fooling around with the computer at the base!

    164.141.87.75 = Police Administration in Finland

    Is the police officer up to something? :cautious:

    StevieO consider reporting them here: http://www.mynetwatchman.com/
    I don't give a damn who the hell is conducting port scans, even if they're from the government.
  8. noway

    noway Registered Member

    Pretty strange. I would go outside and see if there is a flying saucer on the roof just in case your firewall is blocking an important message like this:

    Last edited: Feb 4, 2006
  9. nadirah

    nadirah Registered Member

    LOL. :ninja:*puppy*
  10. Arup

    Arup Guest

    Actually I get scanned daily, Peer Guardian blocks them.
  11. StevieO-

    StevieO- Guest

    noway

    That's pretty funny lol, and I like the alert box too.

    One of the curious things about all of this is that I'm on a dynamic IP. So either they are scanning thousands and thousands of port ranges, which seems very dumb and a complete waste of time, so I can't believe that is happening, or they are specifically targeting people/someone. For what reasons I have no idea, but they won't get in here anyway no matter how many times they try, or through any of the 65,000 + ports, as I'm stealthed.

    I'll keep watching on and off to see if it keeps happening, and if the tactics change etc. It's a bit like James Bond, or would that be the Matrix, but for real lol


    StevieO
  12. AvianFlux

    AvianFlux Registered Member

    I get quite a few of those DoD probes on the same ports. I'm pretty sure they're botted computers sending out Windows Messenger spam.
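    The following is an added example, not code from anyone in this thread: a small Python script that parses firewall log lines in the format band_R_b00sh posted above, keeps only the UDP packets aimed at 1025-1029 (the port range StevieO's probes hit), groups them by source address and maps each source onto the ARIN netblocks quoted in the first post. The sample log lines, the netblock table and the function names (`parse_line`, `is_messenger_probe`, `attribute_source`, `summarize_log`) are constructed for this example. CrazyM's caveat is built in: a UDP source address is never confirmed by a handshake, so "registered to the DoD NIC" says who holds the netblock, not who sent the packet.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in the format shown in this thread (destination
# masked as in the post). Source addresses are ones quoted in the thread plus
# two RFC 5737 documentation addresses used as non-matching noise.
SAMPLE_LOG = """\
Device 1, Blocked Incoming UDP packet (no matching rule), src=34.151.178.85, dst=xx.xx.xx.xxx, sport=28048, dport=1025
Device 1, Blocked Incoming UDP packet (no matching rule), src=166.2.199.206, dst=xx.xx.xx.xxx, sport=1026, dport=1026
Device 1, Blocked Incoming UDP packet (no matching rule), src=166.2.199.206, dst=xx.xx.xx.xxx, sport=1026, dport=1026
Device 1, Blocked Incoming UDP packet (no matching rule), src=214.222.222.29, dst=xx.xx.xx.xxx, sport=4010, dport=1026
Device 1, Blocked Incoming TCP packet (no matching rule), src=192.0.2.10, dst=xx.xx.xx.xxx, sport=51000, dport=445
Device 1, Blocked Incoming UDP packet (no matching rule), src=203.0.113.7, dst=xx.xx.xx.xxx, sport=53, dport=33434
"""

# Netblocks copied from the ARIN records quoted in the first post of the thread.
NETBLOCKS = {
    "US Forest Service (NETBLK-USFS)": ["166.2.0.0/15", "166.4.0.0/14"],
    "DoD Network Information Center (DDN-NIC15)": ["214.0.0.0/8"],
}

# UDP 1025-1029: the port range the probes in this thread are aimed at
# (the range the Windows Messenger service listened on, per AvianFlux's post).
MESSENGER_PORTS = range(1025, 1030)

LOG_RE = re.compile(
    r"Blocked Incoming (?P<proto>[A-Z]+) packet \([^)]*\), "
    r"src=(?P<src>[\d.]+), dst=(?P<dst>\S+), "
    r"sport=(?P<sport>\d+), dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for a blocked-packet line, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_messenger_probe(rec):
    """True for UDP packets aimed at the 1025-1029 range."""
    return rec["proto"] == "UDP" and rec["dport"] in MESSENGER_PORTS


def attribute_source(ip):
    """Map a source IP to the registrant of the enclosing netblock, if known.

    Caveat: with UDP there is no handshake, so nothing confirms the packet
    really originated at this address; this is registration, not proof.
    """
    addr = ipaddress.ip_address(ip)
    for org, cidrs in NETBLOCKS.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return org
    return "unattributed"


def summarize_log(text):
    """Group Messenger-range UDP probes by source: hit count, ports, registrant."""
    summary = defaultdict(lambda: {"count": 0, "dports": set(), "org": None})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_messenger_probe(rec):
            continue
        entry = summary[rec["src"]]
        entry["count"] += 1
        entry["dports"].add(rec["dport"])
        entry["org"] = attribute_source(rec["src"])
    return dict(summary)


if __name__ == "__main__":
    rows = sorted(summarize_log(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for src, info in rows:
        ports = ",".join(str(p) for p in sorted(info["dports"]))
        print(f"{src:<16} {info['count']:>3} hit(s) on UDP {ports:<10} {info['org']}")
```

    Run against a real firewall export, a source that repeats across the whole 1025-1029 range from many unrelated netblocks fits the mass-spam pattern AvianFlux describes far better than a targeted scan, which is the distinction the grouping is meant to make visible.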
  13. nadirah

    nadirah Registered Member

    My prediction is that those botted computers are being used by hackers to send out messenger spam, and they spoof the name and content of the message to make the end-user think it's from the government or some other authorised agency.
  14. betauser2

    betauser2 Guest

    Yes I've also done that wood stuff (seems to be a ridiculous tradition) last week, but I'm waiting for the Feds to knock on my door LOL
  15. StevieO

    StevieO Registered Member

    They could be botted computers sending out stuff on Windows Messenger ports, but I never see the messages as I have WM etc disabled. So if they do spoof the name and content of the message, it doesn't apply to me.

    All my ports are stealthed by my FW and block everything, apart from the ones I'm using to surf of course.

    If they were bots how could they actually utilise all those IP numbers like the official DOD ones etc ?


    StevieO