
More clues in the government botnet mystery

The plot thickens in the government botnet mystery I recently wrote about. This morning I got hits from the Navy-Marine Corps-Internet, specifically a host identified as gate3-norfolk.nmci.navy.mil.

Again, it started off innocently with a Google search, with the browser properly identified:

138.162.0.41 - - [15/Oct/2009:08:36:27 -0400] "GET /2008/12/19/beware-the-police-protective-fund/ HTTP/1.1" 200 6377 "http://www.google.com/search?hl=en&source=hp&q=police+protective+fund&aq=f&oq=&aqi=g10" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

A few more hits down, I see the random jumping around I’d seen before:

138.162.0.41 - - [15/Oct/2009:08:36:30 -0400] "GET /2008/12/20/a-mange-in-a-wager/ HTTP/1.1" 200 4191 "-" "Mozilla/4.0 (compatible;)"
138.162.0.42 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/29/goodbye-bplog-hello-drupal/ HTTP/1.1" 200 14042 "-" "Mozilla/4.0 (compatible;)"
138.162.0.44 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/27/action-packed_weekend/ HTTP/1.1" 200 4371 "-" "Mozilla/4.0 (compatible;)"
138.162.0.43 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/24/keys_keys_keys/ HTTP/1.1" 200 5531 "-" "Mozilla/4.0 (compatible;)"
138.162.0.45 - - [15/Oct/2009:08:36:31 -0400] "GET /2008/12/18/progress/feed/ HTTP/1.1" 200 1973 "-" "Mozilla/4.0 (compatible;)"

My site is apparently being indexed by computers on a government-run network, but the question is exactly what is indexing it? Is this some sort of proxy technology that government gateways are now using, sampling websites that government users are viewing to ensure that these websites don’t have questionable content? Or, is this a botnet of compromised government computers as I recently suggested? Or (tinfoil hats, please), is this a secret spidering project run by a three-letter agency that uses the gateways of various government departments as cover?

The bottom line is these hits are inconsistent with a human browser. Beyond that I’m not sure what to make of them.