comp was probed, look at the backtrace addy...

Discussion in 'Tech Talk' started by m1911a1, Sep 18, 2004.

  1. m1911a1

    OrgName: DoD Network Information Center
    OrgID: DNIC
    Address: 7990 Science Applications Ct
    Address: M/S CV 50
    City: Vienna
    StateProv: VA
    PostalCode: 22183-7000
    Country: US

    NetRange: 205.0.0.0 - 205.117.255.255
    CIDR: 205.0.0.0/10, 205.64.0.0/11, 205.96.0.0/12, 205.112.0.0/14, 205.116.0.0/15
    NetName: JMCIS-BLOCK
    NetHandle: NET-205-0-0-0-1
    Parent: NET-205-0-0-0-0
    NetType: Direct Allocation
    NameServer: NCC.NCTS.NAVY.MIL
    NameServer: GATE.NCTS.NAVY.MIL
    Comment: DOD Network Information Center
    Comment: Space and Naval Warfare Systems
    Comment: Washington, DC 20363-5100 US
    RegDate:
    Updated: 2004-04-20

    TechHandle: LS529-ARIN
    TechName: Slade, Lawana
    TechPhone: +1-850-452-7562
    TechEmail: LSLADE@nnic.navy.mil

    OrgTechHandle: MIL-HSTMST-ARIN
    OrgTechName: Network DoD
    OrgTechPhone: +1-703-676-1051
    OrgTechEmail: HOSTMASTER@nic.mil

    # ARIN WHOIS database, last updated 2004-09-17 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.



    Anyone care to guess what's going on?
     
  2. Blah!


  3. Texas T

    That depends. Is this your personal PC, a company PC, a DoD computer, a state computer, etc.?

    When I worked for an ISP we had a state government office complain that someone was probing them and it was coming from one of our customers. When we tracked it back we finally found out that one of our customers was a White Hat who was contracted by the state to hack various departments to see the reactions. The complaining department did everything by the book and received high kudos for their speed and intensity and awareness.
     
  4. Jtemple

    This caught my eye:

    NetName: JMCIS-BLOCK

    JMCIS stands for Joint Maritime Command Information System. I was a part-time JMCIS operator when I was in the Navy. Here's a little bit of info about JMCIS:

    "JMCIS Ashore provides a single integrated Command, Control, Communications, Computers and Intelligence (C4I) system that receives, processes, displays, maintains and assesses the unit characteristics, employment scheduling, materiel condition, combat readiness, warfighting capabilities, positional information and disposition of own and Allied forces, and allows decision makers to optimize the allocation of resources. JMCIS Ashore provides current geolocational information on hostile and neutral land, sea and air forces integrated with intelligence and environmental information, and near real time weapons targeting data to submarines as part of the Shore Targeting Terminal (STT) replacement effort. JMCIS Ashore supports real time tasking of Maritime Patrol Aircraft (MPA) assets in conjunction with the Force High Level Terminal (FHLT) replacement effort, force scheduling requirements of the Navy (from CNO to the squadron level), and Navy Status of Forces (NSOF) responsibilities as part of the Navy Worldwide Military Command and Control System (WWMCCS) Software Standardization (NWSS) replacement effort."

    You can read more here:
    http://www.fas.org/irp/program/core/jmcis.htm

    In a nutshell, it's a real-time tracking and messaging system for military units. I can't think of any reason why a probe on your system would have any tie to JMCIS. That is, unless you live in a destroyer. :)
     
  5. m1911a1

    I get some of the strangest backtraces 'snooping' around this comp...
    It's just a laptop with no info of any kind stored on it other than some photos and some files I keep for reference...
    These people are beginning to annoy me, though: 66.81.63.134. They've been trying to get in for a month now, and whois gives no results...
     
  6. fastvfr

    That IP is currently registered to:

    NeoTrace Professional Version 3.25 Results

    Target: 66.81.63.134
    Date: 9/20/2004 (Monday), 7:03:37 PM
    Nodes: 2


    Node Data
    Node Net Reg IP Address Location Node Name
    2 1 1 66.81.63.134 Sacramento host-66-81-63-134.rev.o1.com


    Packet Data
    Node High Low Avg Tot Lost
    2 ---- ---- ---- 2 2


    Network Data
    Network id#: 1
    01.com NETBLK-O1-BLK1 (NET-66-81-0-0-1)
    66.81.0.0 - 66.81.255.255
    O1 Dialup Services NETBLK-66-81-16-79 (NET-66-81-16-0-1)
    66.81.16.0 - 66.81.79.255

    ARIN WHOIS database, last updated 2004-09-20 19:10


    Registrant Data
    Registrant id#: 1


    Registrant:
    Option One Communications (O126-DOM)
    770 L Street, Suite 960
    Sacramento, CA 95814
    US

    Domain Name: O1.COM

    Administrative Contact, Technical Contact:
    Jenkins, Brad (BJ146) mhadsell@o1.com
    O1 Communications
    1515 K Street Suite 100
    SACRAMENTO, CA 95814
    US
    888-444-1111 fax: 916-554-2180

    Record expires on 03-Mar-2005.
    Record created on 03-Mar-1999.
    Database last updated on 20-Sep-2004 22:00:30 EDT.

    Domain servers in listed order:

    NS1.O1.COM 66.81.0.251
    _____
    NeoTrace Copyright ©1997-2001 NeoWorx Inc

    Does that help? ;)
     
  7. thaclient

    Question for you guys: what are you using to see who is trying to contact your machines? Are you just pulling it off of firewall hits, or is there another way? Just curious; thanks in advance.
     
  8. 308endurdebate

    What did your software say was the type of probe? Many lightweight ones (i.e. home firewall software) only properly detect the simplest of attacks and misinterpret other traffic. Since it is common for people to spoof other addresses, perhaps someone was using your IP as a faked source address, and what you saw was the return traffic from a real host back to you.

    If you are truly concerned, contact the DoD CERT (www.cert.mil).

    V/r
    Ken
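As an added example (not from any poster here, and not code from NeoTrace or any other tool named in the thread) of Ken's point about spoofed source addresses and of thaclient's question about reading firewall hits, this Python classifier labels inbound packets from constructed firewall log lines as a real probe, a reply to our own connection, or backscatter from a connection spoofed in our name. The key=value log layout, the local host 192.0.2.10 and the sources other than 66.81.63.134 are assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample firewall log (made up for this example, key=value layout assumed).
# 192.0.2.10 is the assumed local host; 66.81.63.134 is the address from the thread.
SAMPLE_LOG = """\
2004-09-18 10:00:01 OUT src=192.0.2.10 spt=40123 dst=203.0.113.5 dpt=80 proto=TCP flags=S
2004-09-18 10:00:01 IN src=203.0.113.5 spt=80 dst=192.0.2.10 dpt=40123 proto=TCP flags=SA
2004-09-18 10:00:07 IN src=66.81.63.134 spt=3312 dst=192.0.2.10 dpt=135 proto=TCP flags=S
2004-09-18 10:00:09 IN src=198.51.100.7 spt=22 dst=192.0.2.10 dpt=51844 proto=TCP flags=SA
2004-09-18 10:00:09 IN src=198.51.100.7 spt=22 dst=192.0.2.10 dpt=51845 proto=TCP flags=RA
2004-09-18 10:00:12 IN src=66.81.63.134 spt=3313 dst=192.0.2.10 dpt=445 proto=TCP flags=S
"""
LINE_RE = re.compile(r"^\S+ \S+ (?P<dir>IN|OUT) src=(?P<src>\S+) spt=(?P<spt>\d+) "
                     r"dst=(?P<dst>\S+) dpt=(?P<dpt>\d+) proto=(?P<proto>\S+) flags=(?P<flags>\S+)$")

def classify(log_text):
    """Label each inbound TCP packet:
    'probe'       - a SYN arrived, so that source really did try to connect to us;
    'reply'       - SYN-ACK/RST answering a connection we opened ourselves;
    'backscatter' - SYN-ACK/RST for a connection we never opened: someone is likely
                    spoofing our address toward that host, which replies to us as a victim."""
    opened = set()  # (remote_ip, remote_port, our_port) for every outbound SYN we sent
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP":
            continue  # unparseable or non-TCP: out of scope for this classifier
        p = m.groupdict()
        is_syn = "S" in p["flags"] and "A" not in p["flags"]
        if p["dir"] == "OUT":
            if is_syn:
                opened.add((p["dst"], p["dpt"], p["spt"]))
            continue
        if is_syn:
            label = "probe"
        elif (p["src"], p["spt"], p["dpt"]) in opened:
            label = "reply"
        else:
            label = "backscatter"
        results.append((p["src"], p["dpt"], p["flags"], label))
    return results

def summarize(results):
    """Count labels per source, so a host that only ever sent SYN-ACK/RST shows up
    as backscatter rather than as someone 'trying to get in'."""
    counts = {}
    for src, _port, _flags, label in results:
        counts.setdefault(src, Counter())[label] += 1
    return {src: dict(c) for src, c in counts.items()}
```

In the sample, 198.51.100.7 never receives a SYN from us yet answers with SYN-ACK and RST, which is exactly the "return traffic from a real host" pattern: the host to complain to is not that one.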
     
  9. HerrGlock

    Yeah, a computer at a DoD (Navy) site was either cracked or someone was screwing around with scanning software and "oops"ed it.

    That's the physical address for the top-level domain of all .mil addresses.

    I would call the contact and follow up with an email to LSLADE@nnic.navy.mil and tell them what you have. They probably do not know.

    DanH
     
  10. soflasmg

    It's a hacker spoof.
     
  11. fastvfr

    ThaClient:

    As my post shows, I use NeoTrace Pro 3.25.

    It has been around a while and is free, yet still good. It will not work through a proxy server.

    It shows you a world-map view of the traceroute to the target and a complete list of nodes. It also gives a load of info about the registration of the IP or domain of each individual node... pretty neat.

    It ought to be on downloads dot com or somewhere similar... try Google.

    Best regards,

    FastVFR
     
  12. thaclient

    fastvfr:

    Thanks for the reply. I downloaded the free version and have started using it. Do you guys typically just investigate the hits off of a firewall, or is there another method to see the IPs that have had access attempts?