|
|
|||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||
|
Threat Matrix HTML designed by: Ian Livingston
|
||||||||||||||||||||||||||||||||||||||
| This thread has been locked, it will not receive new replies. |
|
Locked on 11/01/2005 7:06:52 PM PST by Sidebar Moderator, reason:
New thread: http://www.freerepublic.com/focus/f-news/1513784/posts |
Posted on 10/01/2005 8:27:27 AM PDT by nwctwx
|
|
|||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||
|
Threat Matrix HTML designed by: Ian Livingston
|
||||||||||||||||||||||||||||||||||||||
This does seem very likely. If so the big questions I can think of are
(1) why are they all in the 67 subnet? Some of the big US ISP's are in other subnets as well - 4, 24, and 71 for example. If they're just trying to list a number of addresses or sites on computers connected to US ISP networks this seems just a bit odd.
(2) Why are they sorted from low to high, and why do they just list a few addresses within each ISP? Also why don't any of the ranges seem to correspond with the addresses you'd expect from a valid network mask?
(3) What is the significance of what appear to be dates listed beside each block of numbers?
Of course those are IP ranges, that makes perfect sense. I can't believe that I didn't see that. Groups of four octects in pairs. Good job on figuring that out, and welcome to TM.
They're clearly ranges of some sort - IP ranges sound likely but I'm not quite convinced.
To followup on my previous message, I think given the allocation of Internet addresses, anything starting with 67.* (43 hexadecimal) is likely to be a US ISP address. So if the ranges happen to start out with a 67 (hex 43) for some other reason, it would be quite possible for the ranges to appear to correspond with IP ranges.
But what else could they be? Times? Longitude/Lattitude? They can't be very heavily encrypted because they're just too regular, but that doesn't mean that there couldn't have been some trivial code applied to them. Unfortunately there isn't enough ciphertext to provide a very solid clue other than the (likely good) guess that they're IP addresses.
I think that most geeks (like me) would enjoy that movie quite a bit. :)
" BTW, every watch the movie "Pi"? That's how I feel right now...looking for a pattern in the numbers... :)"
I know what the are because I watched "War Games". Those are launch codes....LOL
The dates are when the messages were posted. Each post (on the given date) was merely the hex code. A hacker doing a sequential scan of IPs, probing for some vulnerability (or previous infection) will most likely find it on computers that are always connected to the internet (like a brodband connection). When one or more "targets" are found, it is reported to the bad guy, but the test needs to be reran to verify the IPs. They must be verified since most broadband connections are using dynamic IPs as opposed to static ones, you are going to come across ranges where one or more infected or vulnerable machines are connected, but over time the IP(s) will change. Hence, if you want to post to a group of partners the computer(s) you found, you can't post an IP for each one but the IP range.
Just saw this...
Washington Monument Evacuated After Bomb Threat
http://www.freerepublic.com/focus/f-news/1501922/posts
Disregard previous post....happened last friday
Looks to be a new incident...please check the thread
sorry for the confusion
Terrorists Strike Again in Russia
October 13, 2005
Terrorists Strike Again in Russia
Insurgents attacked the city of Nalchik, the capital of the Northern Caucasus region of Kabardino-Balkaria in Russia, at 9:00 a.m. today. The attack shut down communications centers and the airport. The main police station and the FSB (successor of the KGB) office also came under attack.
Reports vary on the number of people killed in the attack as well as the number of terrorists. Russian Ministries’ sources report that as many as 600 terrorists carried out the attack in a planned effort to block communications and security. Residents of Nalchik also claim that the number of people killed is higher than what is being reported.
Shamil Basayev, the Chechen warlord who claimed responsibility for the Beslan tragedy in September 2004, has been linked to this attack by Russian news sources. Nalchik is only 60 miles from Beslan.
Our sources in the country also report that cellular communication in the area is spotty at best, but they were able to contact Marina Kudasheva, Russian Ministries’ children’s ministry director in Nalchik. She and her family were able to flee the city before President Vladimir Putin ordered a citywide lock down. The Kudashev family is safe, and waiting for word to return home.
Russian Ministries has been planning to hold seminars for children’s workers in Beslan and the Nalchik area in November. Russian Ministries has a variety of ministries to present the good news of Jesus to Muslims in Nalchik and the surrounding area, including a strong “School Without Walls” training program.
Russian Ministries urges prayer for our workers, ministry partners and churches in this unstable region. Please pray that training seminars and ministry outreach will continue to move forward and that Christians will be a voice of hope and peace in midst of terror and unrest.
Some interesting audio/video links in these posts:
http://groups.yahoo.com/group/Khattab/message/1803
http://groups.yahoo.com/group/Khattab/message/1804
http://groups.yahoo.com/group/Khattab/message/1805
http://www.internet-haganah.us/harchives/005170.html
13 October 2005
"alqa3edah again"
===
===
ON THE NET
http://alqa3edah.5gigs.com
http://alqa3edah.5gigs.com/vb
http://www.altavista.com/web/results?itag=ody&q=alqa3edah&kgs=0&kls=0
Good point, but in that case why don't the ranges correspond to proper network masks? Most ISP's will allocate IP addresses from within an entire network mask rather than from some of the rather odd ranges that don't seem to correspond with any mask numbers.
You can certainly set up a specific DHCP server to return addresses within any range, even those that doesn't correspond with a network mask, but in general a hacker won't know what the specific DHCP ranges are for any particular ISP's servers. However the IP numbers will be allocated to the ISP in network mask ranges, the hacker can't in general know whether or if the ISP's DHCP servers match the network mask.
That's correct.
Thanks you freeperfromnj
Thank you Layoutguru2.
We don't know what is happening on the provider side either, if the bad guy only observed hits in a specific range over a number of days, he will report that range. Other IPs in the subnet can be used for other purposes like servers, static IPs, non-renewing dynamic IPs (not renewing over scan period), etc. Also, they need not be dynamic at all, that is merely the most likely scenario. Given a whole block of static IPs, if you had 20 infected machines dispersed over 100 IPs, rather than listing IPs, you can just list the lowest and highest IPs to give a range where you are likely to get 20 hits when scanned again.
THANK YOU all4one for those links.
Thanks AD.
Looks like they didn't find anything.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
