IBM’s computer archives

IBM-5520

As a kid I remember my dad taking us to his office at IBM on an occasional weekend. While he’d fetch something from his office we’d all look around at the technology around us. The darkened offices were full of mysterious, silent computer displays and massive copiers. In those days before the IBM PC these strange, exciting boxes always fascinated me.

I recently stumbled again upon IBM’s Computer Exhibits Archives, where IBM’s earlier computers still live on, if only as webpages. It was fun checking out the hardware I remember as a kid.

Another mystery bot example

Here’s another example of bizarre hits. Two hits for this six-year-old page coming in within 30 minutes of each other:

138.162.8.57 - - [15/Oct/2009:12:12:16 -0400] "GET /2003/07/28/blimps-and-other-things-bizarre/ HTTP/1.1" 200 5094 "-" "Mozilla/4.0 (compatible;)"

[snip]

138.163.106.72 - - [15/Oct/2009:12:44:33 -0400] "GET /2003/07/28/blimps-and-other-things-bizarre/ HTTP/1.1" 200 5094 "-" "Mozilla/4.0 (compatible;)"

The first resolves to gate2-jacksonville.nmci.navy.mil and the second resolves to gate2-bremerton.nmci.navy.mil. It looks like there’s a full-scale botnet attack going on behind the DoD firewalls right now.

More clues in the government botnet mystery

The plot thickens in the government botnet mystery I recently wrote about. This morning I got hits from the Navy-Marine Corps-Internet, specifically a host identified as gate3-norfolk.nmci.navy.mil:

Again, it started off innocently with a Google search, with the browser properly identified:

138.162.0.41 - - [15/Oct/2009:08:36:27 -0400] "GET /2008/12/19/beware-the-police-protective-fund/ HTTP/1.1" 200 6377 "http://www.google.com/search?hl=en&source=hp&q=police+protective+fund&aq=f&oq=&aqi=g10" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

A few more hits down, I see the random jumping around I’d seen before:

138.162.0.41 - - [15/Oct/2009:08:36:30 -0400] "GET /2008/12/20/a-mange-in-a-wager/ HTTP/1.1" 200 4191 "-" "Mozilla/4.0 (compatible;)"
138.162.0.42 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/29/goodbye-bplog-hello-drupal/ HTTP/1.1" 200 14042 "-" "Mozilla/4.0 (compatible;)"
138.162.0.44 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/27/action-packed_weekend/ HTTP/1.1" 200 4371 "-" "Mozilla/4.0 (compatible;)"
138.162.0.43 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/24/keys_keys_keys/ HTTP/1.1" 200 5531 "-" "Mozilla/4.0 (compatible;)"
138.162.0.45 - - [15/Oct/2009:08:36:31 -0400] "GET /2008/12/18/progress/feed/ HTTP/1.1" 200 1973 "-" "Mozilla/4.0 (compatible;)"

My site is apparently being indexed by computers on a government-run network, but the question is: what exactly is indexing it? Is this some sort of proxy technology that government gateways are now using, sampling websites that government users are viewing to ensure that these websites don’t have questionable content? Or is this a botnet of compromised government computers, as I recently suggested? Or (tinfoil hats, please) is this a secret spidering project run by a three-letter agency that uses the gateways of various government departments as cover?

The bottom line is these hits are inconsistent with a human browser. Beyond that I’m not sure what to make of them.
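The pattern in these posts (a bare "Mozilla/4.0 (compatible;)" agent, no referer, and several neighbouring addresses fetching unrelated pages within a second or two) can be checked for mechanically in an access log. The Python below is an added example, not part of the original posts; the function names, the IPv4 /24 grouping, the 5-second window and the three-address threshold are assumptions chosen for illustration, and the sample lines are the ones quoted above with ASCII quotes and dashes restored.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
GENERIC_UA = "Mozilla/4.0 (compatible;)"  # the bare agent string seen in the posts

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {**m.groupdict(), "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def find_bursts(lines, window=5, min_ips=3):
    """Map each IPv4 /24 to the IPs and paths of its generic-agent, no-referer
    requests, when min_ips distinct addresses appear within `window` seconds."""
    by_net = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["ua"] == GENERIC_UA and rec["referer"] in ("", "-"):
            by_net[str(ip_network(rec["ip"] + "/24", strict=False))].append(rec)
    bursts = {}
    for net, recs in by_net.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            while (rec["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            span = recs[start:end + 1]  # requests inside the sliding time window
            if len({r["ip"] for r in span}) >= min_ips:
                hit = bursts.setdefault(net, {"ips": set(), "paths": set()})
                hit["ips"].update(r["ip"] for r in span)
                hit["paths"].update(r["path"] for r in span)
    return bursts

# Sample: log lines quoted in the posts above, normalized to ASCII quotes and dashes.
SAMPLE = [
    '138.162.0.41 - - [15/Oct/2009:08:36:27 -0400] "GET /2008/12/19/beware-the-police-protective-fund/ HTTP/1.1" 200 6377 "http://www.google.com/search?hl=en&source=hp&q=police+protective+fund&aq=f&oq=&aqi=g10" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"',
    '138.162.0.41 - - [15/Oct/2009:08:36:30 -0400] "GET /2008/12/20/a-mange-in-a-wager/ HTTP/1.1" 200 4191 "-" "Mozilla/4.0 (compatible;)"',
    '138.162.0.42 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/29/goodbye-bplog-hello-drupal/ HTTP/1.1" 200 14042 "-" "Mozilla/4.0 (compatible;)"',
    '138.162.0.44 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/27/action-packed_weekend/ HTTP/1.1" 200 4371 "-" "Mozilla/4.0 (compatible;)"',
    '138.162.0.43 - - [15/Oct/2009:08:36:30 -0400] "GET /2003/07/24/keys_keys_keys/ HTTP/1.1" 200 5531 "-" "Mozilla/4.0 (compatible;)"',
    '138.162.0.45 - - [15/Oct/2009:08:36:31 -0400] "GET /2008/12/18/progress/feed/ HTTP/1.1" 200 1973 "-" "Mozilla/4.0 (compatible;)"',
    '138.162.8.57 - - [15/Oct/2009:12:12:16 -0400] "GET /2003/07/28/blimps-and-other-things-bizarre/ HTTP/1.1" 200 5094 "-" "Mozilla/4.0 (compatible;)"',
]
```

Calling `find_bursts(SAMPLE)` reports only the 138.162.0.0/24 burst; the initial Google-referred request and the lone hit from 138.162.8.57 are not flagged, since one carries a real browser agent and referer and the other has no neighbours in its window.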