
U.S. Government networks thoroughly penetrated

I saw this in my webserver logs today, from the U.S. Nuclear Regulatory Agency. Clearly it’s a botnet bot.

148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /wp-content/themes/mtdotnet/images/kubrickfooter.jpg HTTP/1.1" 200 2443 "http://www.markturner.net/2009/10/01/michael-jordans-net-worth/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/10/02/oculan-in-the-news/feed/ HTTP/1.1" 200 797 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/10/02/u2-yesterday-and-today/ HTTP/1.1" 200 6617 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/09/30/juggling-breakthrough/feed/ HTTP/1.1" 200 2083 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/09/30/netflixs-plan-to-take-over-the-world/ HTTP/1.1" 200 6419 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:45 -0400] "GET /2009/10/02/u2-yesterday-and-today/feed/ HTTP/1.1" 200 1375 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:45 -0400] "GET /2003/07/27/action-packed-weekend/feed/ HTTP/1.1" 200 1260 "-" "Mozilla/4.0 (compatible;)"


I saw practically identical hits from the FAA’s network the other day:

162.58.82.136 - - [09/Oct/2009:10:09:32 -0400] "GET /2007/04/02/raleigh-police-bike-patrols/ HTTP/1.1" 200 7814 "http://www.google.com/search?hl=en&source=hp&q=raleigh+police+bike&aq=f&oq=&aqi=g3" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
162.58.82.136 - - [09/Oct/2009:10:09:33 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 846 "http://www.markturner.net/2007/04/02/raleigh-police-bike-patrols/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
162.58.82.136 - - [09/Oct/2009:10:09:33 -0400] "GET /2007/04/02/raleigh-police-bike-patrols/feed/ HTTP/1.1" 200 3782 "http://www.markturner.net/2007/04/02/raleigh-police-bike-patrols/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
162.58.82.136 - - [09/Oct/2009:10:09:34 -0400] "GET /wp-content/themes/mtdotnet/style.css HTTP/1.1" 200 10345 "http://www.markturner.net/2007/04/02/raleigh-police-bike-patrols/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
162.58.82.136 - - [09/Oct/2009:10:09:33 -0400] "GET /xmlrpc.php HTTP/1.1" 200 42 "http://www.markturner.net/2007/04/02/raleigh-police-bike-patrols/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
162.58.82.136 - - [09/Oct/2009:10:09:34 -0400] "GET /feed/ HTTP/1.1" 200 26022 "http://www.markturner.net/2007/04/02/raleigh-police-bike-patrols/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
162.58.82.136 - - [09/Oct/2009:10:09:34 -0400] "GET /comments/feed/ HTTP/1.1" 200 7687 "http://www.markturner.net/2007/04/02/raleigh-police-bike-patrols/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"

That traffic looked normal, but then this happened:

162.58.82.136 - - [09/Oct/2009:10:09:35 -0400] "GET /2003/07/28/blimps-and-other-things-bizarre/ HTTP/1.1" 200 5094 "-" "Mozilla/4.0 (compatible;)"
162.58.82.136 - - [09/Oct/2009:10:09:35 -0400] "GET /2007/04/03/more-doctors-dump-unitedhealthcare/ HTTP/1.1" 200 7048 "-" "Mozilla/4.0 (compatible;)"
162.58.82.136 - - [09/Oct/2009:10:09:36 -0400] "GET /wp-includes/images/smilies/icon_sad.gif HTTP/1.1" 200 171 "-" "Mozilla/4.0 (compatible;)"
162.58.82.136 - - [09/Oct/2009:10:09:36 -0400] "GET /2007/04/04/aw-yeah/ HTTP/1.1" 200 6958 "-" "Mozilla/4.0 (compatible;)"
162.58.82.136 - - [09/Oct/2009:10:09:36 -0400] "GET /2007/04/03/more-doctors-dump-unitedhealthcare/feed/ HTTP/1.1" 200 2248 "-" "Mozilla/4.0 (compatible;)"

The User-Agent string changes mid-session from a full MSIE 6 identifier to a bare “Mozilla/4.0 (compatible;)”, the Referer disappears, and the “user” begins jumping to unrelated posts and their comment feeds, which is not normal browsing.
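The pattern above (same IP, User-Agent switching from a full browser string to a bare one, Referer dropping to "-", requests fanning out to old posts and their /feed/ URLs within a few seconds) is easy to check for mechanically. The script below is an added example and is not part of the original post: it parses Apache "combined" format lines, groups them by client IP, and flags IPs that both change User-Agent and send at least two bare-agent, referer-less requests. The sample input is a subset of the post's own log lines (quotes straightened) plus one constructed benign visitor from 203.0.113.5 (a documentation address) for contrast; the indicator thresholds are assumptions chosen to match this post's traffic, not a general bot signature.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)

# The stripped-down agent string the post's visitors switch to.
BARE_AGENT = "Mozilla/4.0 (compatible;)"

# Sample input: lines taken from the post, plus a constructed benign visitor
# (203.0.113.5) that keeps one User-Agent and never sends the bare string.
SAMPLE_LOG = """\
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /wp-content/themes/mtdotnet/images/kubrickfooter.jpg HTTP/1.1" 200 2443 "http://www.markturner.net/2009/10/01/michael-jordans-net-worth/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/10/02/oculan-in-the-news/feed/ HTTP/1.1" 200 797 "-" "Mozilla/4.0 (compatible;)"
148.184.174.62 - - [13/Oct/2009:12:25:44 -0400] "GET /2009/10/02/u2-yesterday-and-today/ HTTP/1.1" 200 6617 "-" "Mozilla/4.0 (compatible;)"
162.58.82.136 - - [09/Oct/2009:10:09:32 -0400] "GET /2007/04/02/raleigh-police-bike-patrols/ HTTP/1.1" 200 7814 "http://www.google.com/search?hl=en&source=hp&q=raleigh+police+bike&aq=f&oq=&aqi=g3" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
162.58.82.136 - - [09/Oct/2009:10:09:33 -0400] "GET /xmlrpc.php HTTP/1.1" 200 42 "http://www.markturner.net/2007/04/02/raleigh-police-bike-patrols/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
162.58.82.136 - - [09/Oct/2009:10:09:34 -0400] "GET /feed/ HTTP/1.1" 200 26022 "http://www.markturner.net/2007/04/02/raleigh-police-bike-patrols/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
162.58.82.136 - - [09/Oct/2009:10:09:35 -0400] "GET /2003/07/28/blimps-and-other-things-bizarre/ HTTP/1.1" 200 5094 "-" "Mozilla/4.0 (compatible;)"
162.58.82.136 - - [09/Oct/2009:10:09:35 -0400] "GET /2007/04/03/more-doctors-dump-unitedhealthcare/ HTTP/1.1" 200 7048 "-" "Mozilla/4.0 (compatible;)"
162.58.82.136 - - [09/Oct/2009:10:09:36 -0400] "GET /2007/04/03/more-doctors-dump-unitedhealthcare/feed/ HTTP/1.1" 200 2248 "-" "Mozilla/4.0 (compatible;)"
203.0.113.5 - - [09/Oct/2009:11:00:00 -0400] "GET /2007/04/02/raleigh-police-bike-patrols/ HTTP/1.1" 200 7814 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"
203.0.113.5 - - [09/Oct/2009:11:00:01 -0400] "GET /wp-content/themes/mtdotnet/style.css HTTP/1.1" 200 10345 "http://www.markturner.net/2007/04/02/raleigh-police-bike-patrols/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else rec["request"]
    return rec


def analyse(lines, bare_agent=BARE_AGENT, min_bare_hits=2):
    """Group hits per client IP and score the indicators seen in the post.

    Indicators (thresholds are assumptions fitted to this post's traffic):
      agent_switch    - more than one distinct User-Agent from the same IP
      bare_no_referer - hits carrying the bare agent string and no Referer
      feed_hits       - bare-agent requests for WordPress /feed/ URLs
      span_seconds    - wall-clock spread of the IP's hits
    An IP is flagged when its agent changes AND it sends at least
    `min_bare_hits` bare-agent, referer-less requests.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda r: r["when"])
        agents = list(dict.fromkeys(r["agent"] for r in hits))  # distinct, in order seen
        bare = [r for r in hits if r["agent"] == bare_agent]
        bare_no_ref = [r for r in bare if r["referer"] == "-"]
        feed_hits = [r for r in bare if r["path"].rstrip("/").endswith("/feed")]
        span = (hits[-1]["when"] - hits[0]["when"]).total_seconds()
        report[ip] = {
            "hits": len(hits),
            "agents": agents,
            "agent_switch": len(agents) > 1,
            "bare_no_referer": len(bare_no_ref),
            "feed_hits": len(feed_hits),
            "span_seconds": span,
            "flagged": len(agents) > 1 and len(bare_no_ref) >= min_bare_hits,
        }
    return report


def flagged_ips(lines):
    """Just the client IPs that match the pattern, sorted."""
    return sorted(ip for ip, r in analyse(lines).items() if r["flagged"])


if __name__ == "__main__":
    for ip, r in analyse(SAMPLE_LOG).items():
        print(f"{ip:16} hits={r['hits']} agents={len(r['agents'])} "
              f"bare_no_ref={r['bare_no_referer']} feeds={r['feed_hits']} "
              f"span={r['span_seconds']:.0f}s flagged={r['flagged']}")
```

Run it against a real access log with `analyse(open("access.log"))` instead of SAMPLE_LOG. Both government IPs from the post are flagged; the constructed Firefox visitor, which also arrives without a Referer on its first hit, is not, because a missing Referer alone is routine and the rule requires the agent switch as well.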

It leads me to believe that U.S. Government networks are completely vulnerable to hackers, and thus to our enemies. U.S. cybersecurity is pathetic.

(By the way, I have yet to get a response from the FAA about the strange traffic.)