Democratic Underground

5th Signal Command is trying to get thru my Firewall

This topic is archived.
 
LibertyorDeath Donating Member (1000+ posts) Sat Jan-28-06 03:13 AM
Original message
5th Signal Command is trying to get thru my Firewall
Edited on Sat Jan-28-06 03:51 AM by LibertyorDeath
I decided to check my Firewall Logs
this IP address is listed under High Rated
on multiple occasions
Zone Alarm says they were blocked

Why is the 5th Signal Command trying to get thru my Firewall




Search results for: 136.219.38.1


OrgName: HQ, 5th Signal Command
OrgID: H5SC
Address: DCSOPS DNCC
Address: ASE-OP-OF
City: APO
StateProv: AE
PostalCode: 09056
Country: US

NetRange: 136.219.0.0 - 136.219.255.255
CIDR: 136.219.0.0/16
NetName: USAREUR4
NetHandle: NET-136-219-0-0-1
Parent: NET-136-0-0-0-0
NetType: Direct Assignment
NameServer: NS01.ARMY.MIL
NameServer: NS02.ARMY.MIL
NameServer: NS03.ARMY.MIL
Comment:
RegDate: 1991-06-19
Updated: 2005-07-06

RTechHandle: BS291-ARIN
RTechName: Schork, Brigitte
RTechPhone: +1-621-730-4031
RTechEmail: BRIGS@hq.5sigcmd.army.mil

OrgTechHandle: BS291-ARIN
OrgTechName: Schork, Brigitte
OrgTechPhone: +1-621-730-4031
OrgTechEmail: BRIGS@hq.5sigcmd.army.mil

# ARIN WHOIS database, last updated 2006-01-27 19:10

CornField Donating Member (1000+ posts) Sat Jan-28-06 03:18 AM
Response to Original message
1. Honestly? I'd call them and ask.
There have been a few times in the past that some clown was going through another in order to bang on our door.

LibertyorDeath Donating Member (1000+ posts) Sat Jan-28-06 03:27 AM
Response to Reply #1
5. I might do that but right now I'm trying to find out more info on them

0007 Donating Member (1000+ posts) Sat Jan-28-06 06:10 AM
Response to Reply #5
16. Are you a military person?

tocqueville Donating Member (1000+ posts) Sat Jan-28-06 03:18 AM
Response to Original message
2. maybe they want you to enlist nt

Peter Frank Donating Member (1000+ posts) Sat Jan-28-06 03:19 AM
Response to Original message
3. I Googled "5th Signal Command"...

LibertyorDeath Donating Member (1000+ posts) Sat Jan-28-06 03:25 AM
Response to Reply #3
4. Was just about to myself thanks
I don't get this why are they showing up in my logs
High rated no less.

5th Signal Command is a Forward-Deployed Theater Signal Command providing Tactical to Strategic Communications across the full range of military operations, within the USAREUR and USEUCOM Area of Operations. 5th Signal Command is located at Funari Barracks, Mannheim, Germany. Mannheim is located along the Rhein River approximately 20 Miles from Worms and 10 Miles from Heidelberg.

The 5th Signal Command Modernization Plan is a group of new system program plans, existing equipment modernization plans, and guidance documents that explain 5th Signal Command and USAREUR DCSIM Plans for fulfilling USAREUR Information needs. The Modernization Plan will: Insure DOIM RSC/CSC representatives implement solutions that comply with future plans by making them aware of future plans; Allow 5th Signal Command commanders/managers to prepare for new systems (hire new personnel, train on hand personnel, modify descriptions); Explain the interdependencies of various programs and therefore simplify funding prioritization.

http://www.globalsecurity.org/military/agency/army/5sigcmd.htm

Peter Frank Donating Member (1000+ posts) Sat Jan-28-06 03:32 AM
Response to Reply #4
6. Man! That's Allota (not Alito) Late Night Gobbledygook...
Bush should give us all the thesaurus...

tocqueville Donating Member (1000+ posts) Sat Jan-28-06 03:40 AM
Response to Reply #4
8. did they try UDP or TCP ? nt

LibertyorDeath Donating Member (1000+ posts) Sat Jan-28-06 03:48 AM
Response to Reply #8
11. They tried UDP
Are you knowledgeable in this area tocqueville?

This is kind of creeping me out.

tocqueville Donating Member (1000+ posts) Sat Jan-28-06 04:00 AM
Response to Reply #11
13. that's more annoying
not very knowledgeable but there is no reason to try to get at you through UDP since the protocol is mostly used for internal network connections. Make sure your Netbios is disabled or at least port 135-137 closed. (Check Zone Alarm settings). A random port scan goes normally through TCP.

LibertyorDeath Donating Member (1000+ posts) Sat Jan-28-06 04:10 AM
Response to Reply #13
14. Thanks for the help
Shields up at Gibson Research
says my machine is stealthed & none of my ports respond to their probes
My ZA settings look good all attempts to access have been blocked according to ZA.



ClayZ Donating Member (1000+ posts) Sat Jan-28-06 03:38 AM
Response to Original message
7. I got a call from Japan tonight!
A dear friend is visiting her 94 year old father in Hiroshima. She is a survivor and had been my friend for 20 years. When the call came I heard a short series of odd clicks and then she said, "hello?" I told her to be careful, that we may be wiretapped! She laughed and asked if I had been fighting "fa shi sim" all day, again! She knows me well! I told her about Kerry and all the calls, faxes and emails to the Senators.

She then told me about her shopping trip for fabric and sewing notions. She designs handbags. We talked about her father's gardens, his failing health and her old neighbors. She had been to a funeral.

I hope *they* were bored stiff, if they were listening.

We talk with several customers in Europe and I have never heard such clicks.

I am probably paranoid.

I should go check the stats on our website.





LibertyorDeath Donating Member (1000+ posts) Sat Jan-28-06 03:45 AM
Response to Reply #7
9. No not paranoid.
Everyone at DU should check their firewall logs and see who's been trying to get through.

I'm still in the process of checking mine.

Peace

hang a left Donating Member (1000+ posts) Sun Jan-29-06 12:35 AM
Response to Reply #9
25. How do you check your firewalls???

Art_from_Ark Donating Member (1000+ posts) Wed Feb-01-06 12:07 AM
Response to Reply #7
39. The last time I called the States from Japan
I also heard a series of short clicks. If the apparatchiks were listening, no doubt they were bored with my conversation as well.

ticapnews Donating Member (1000+ posts) Sat Jan-28-06 03:46 AM
Response to Original message
10. Contact Brigitte and find out...
Edited on Sat Jan-28-06 03:52 AM by ticapnews
May be someone screwing around, or it could be someone masking his IP to make it look like their line. When I worked at Genuity we had people calling all the time to bitch us out for hacking their computers because someone masked his IP to look like Genuity.

I just checked my logs and didn't find any government snoops, but some creep in Alaska has been trying to hack me for the last several days...and I have hundreds of attempts from China.


edit: Also found 92 attempts from SETEL

SouthEast Telephone
PO Box 1001
Pikeville, KY 41502
US

Domain Name: SETEL.COM

Administrative Contact:
System Administrator mailto:admin@setel.com
SouthEast Telephone
301 E Main St Suite 620
Lexington, Kentucky 40507
US
Phone: 606-444-3000
Fax: 606-444-3100
Technical Contact:
System Administrator mailto:admin@setel.com
SouthEast Telephone
301 E Main St Suite 620
Lexington, Kentucky 40507
US
Phone: 606-444-3000
Fax: 606-444-3100
Billing Contact:
System Administrator mailto:admin@setel.com
SouthEast Telephone
301 E Main St Suite 620
Lexington, Kentucky 40507
US
Phone: 606-444-3000
Fax: 606-444-3100

Record updated on 2002-12-02 16:23:32
Record created on 1999-01-04
Record expires on 2007-01-04
Database last updated on 2006-01-28 03:38:47 EST

Domain servers in listed order:

NS1.SE-TEL.COM 66.63.192.2
NS2.SE-TEL.COM 66.63.192.3

Maybe we should start a forum where we can compare firewall logs and see if we find any matches...

LibertyorDeath Donating Member (1000+ posts) Sat Jan-28-06 03:50 AM
Response to Reply #10
12. Thanks for the info

Garbo 2004 Donating Member (1000+ posts) Sat Jan-28-06 07:31 PM
Response to Reply #10
19. Usually those are automated scans from infected PC's looking for other
Edited on Sat Jan-28-06 07:33 PM by Garbo 2004
vulnerable PC's to infect. IP's can be spoofed as you already know. When Messenger spam (the MS service, not the IM program) was a big deal (easily blocked by having a firewall or a NAT router), there were reports that spoofed DOD IP's were often used. And on occasion there are even misconfigured network PC's that are broadcasting on the net.

The point for the average person is that if your PC is secure and your firewall is working, there's really not much point to looking at firewall logs. For those who want to participate in some serious analysis of tracking infected PC's and turning them into their ISP's (sometimes the ISP's at least here in the US do eventually shut them down) there are free services such as MyNetWatchman and DShield.

http://www.mynetwatchman.com/
http://www.dshield.org/

alfredo Donating Member (1000+ posts) Sun Jan-29-06 01:47 AM
Response to Reply #10
33. That's not their phone number
Here is the correct phone number 859 253-1084. That's in the white pages, there is no SouthEast Telephone listed in the Yellow pages. There is a Southeast communications in Richmond Ky.

As I remember, it is a non-descript office building. If I go downtown in the morning, I will take a picture of the building.

The 606 area code is no longer used here.

Kindigger Donating Member (1000+ posts) Sat Jan-28-06 06:08 AM
Response to Original message
15. Can't happen to me
That's how my mind has been dismissing the weird telephone stuff going on here for a month or so. Then I read this thread, and think back on the calls.

"Hello?hello? are you still there?", and the reply from one end or the other..."I don't know what happened, just a click, thought I'd lost you."

"My phone's okay, must be yours." "No, I haven't been having problems with other calls, must be your phone."

:think:

Humor_In_Cuneiform Donating Member (1000+ posts) Sat Jan-28-06 05:18 PM
Response to Original message
17. Can anyone access the database you searched? I have been
using tracert to occasionally try to trace back to see who is attempting to attack my computer, but it often doesn't tell much.

LibertyorDeath Donating Member (1000+ posts) Sat Jan-28-06 11:21 PM
Response to Reply #17
20. Yes here

Humor_In_Cuneiform Donating Member (1000+ posts) Sun Jan-29-06 12:23 AM
Response to Reply #20
24. Thanks!! Why's someone in China trying to attack my computer I wonder?
Edited on Sun Jan-29-06 12:27 AM by Humor_In_Cuneiform
inetnum: 60.11.0.0 - 60.11.255.255
netname: CNCGROUP-HL
descr: CNCGROUP Heilongjiang Province Network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
admin-c: CH444-AP
tech-c: BG63-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HL
mnt-routes: MAINT-CNCGROUP-RR
changed: hm-changed@apnic.net 20041231
changed: hm-changed@apnic.net 20050218
source: APNIC

route: 60.11.0.0/16
descr: CNC Group CHINA169 Heilongjiang Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060118
source: APNIC

person: CNCGroup Hostmaster
nic-hdl: CH444-AP
e-mail: abuse@cnc-noc.net
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
phone: +86-10-82993155
fax-no: +86-10-82993144
country: CN
changed: abuse@cnc-noc.net 20041220
mnt-by: MAINT-CNCGROUP
source: APNIC

person: Binghui Gao
nic-hdl: BG63-AP
e-mail: gaobh@mail.hl.cn
address: Communication Corporation Internet Enterprise Division of HLJ
phone: +86-451-2804465
fax-no: +86-451-2804442
country: CN
changed: gaobh@mail.hl.cn 20030221
mnt-by: MAINT-CNCGROUP-HL
source: APNIC


LibertyorDeath Donating Member (1000+ posts) Sun Jan-29-06 12:36 AM
Response to Reply #24
26. I would be happy if that's all I had on mine
I expect to see that.

I've got different branches of the military and the NCTC showing up in
my Firewall logs

see my post down thread

Humor_In_Cuneiform Donating Member (1000+ posts) Sun Jan-29-06 12:43 AM
Response to Reply #26
27. Yea, that's creepy. I haven't checked my logs yet.

Humor_In_Cuneiform Donating Member (1000+ posts) Sun Jan-29-06 12:57 AM
Response to Reply #26
28. I had 10 intrusion attempts from 2 IP addresses. The other one
was similar to the first.

Maybe contact the ACLU on what you can do, or the EFF Electronic Frontier Foundation.

http://action.aclu.org/

http://www.eff.org/

Neil Lisst Donating Member (1000+ posts) Sun Jan-29-06 01:37 AM
Response to Reply #24
32. I get a lot of attempts from China.
I get them from other places, too, but a ton of them from all over China.

China is our fourth largest readership in the world behind USA, Canada, and UK, for our cartoon Neil Lisst. I suspect that is a reason I get so many attempts on my system from China, probably military.

US government agencies go directly to the cartoon, usually through DU. NSA, SAC headquarters, and IRS headquarters all came through DU to my cartoon this past week.

Not spying on Americans, my ass!

Garbo 2004 Donating Member (1000+ posts) Sat Jan-28-06 07:12 PM
Response to Original message
18. Could be an infected PC. Military networks are not immune to intrusions,
infections. It's not all a superduper secure network. Just recently a guy pled guilty for using military computers as part of his bot network for profit. http://www.techworld.com/networking/news/index.cfm?NewsID=5225

It happens. You just usually don't hear about it unless someone's busted and it makes the news via a legal proceeding.

LibertyorDeath Donating Member (1000+ posts) Sat Jan-28-06 11:38 PM
Response to Reply #18
22. Thanks Garbo but I just finished a thorough search of all my logs
and came across the following

Search results for: 33.62.136.174:0


OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US

NetRange: 33.0.0.0 - 33.255.255.255
CIDR: 33.0.0.0/8
NetName: DCMC-1
NetHandle: NET-33-0-0-0-1
Parent:
NetType: Direct Allocation
NameServer: CON1R.NIPR.MIL
NameServer: AAA-KELLY.NIPR.MIL
NameServer: AAA-VAIHINGEN.NIPR.MIL
NameServer: AAA-WHEELER.NIPR.MIL
Comment: DOD Network Information Center
Comment: 7990 Science Applications Court
Comment: Vienna, VA 22183-7000 US
RegDate:
Updated: 2006-01-27

RTechHandle: ZD41-ARIN
RTechName: DOD Network Information Center
RTechPhone: +1-800-365-3642
RTechEmail: HOSTMASTER@nic.mil

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-800-365-3642
OrgTechEmail: HOSTMASTER@nic.mil

# ARIN WHOIS database, last updated 2006-01-28 19:10


I googled NCTC as far as I can tell it's the National Counterterrorism Center

Search results for: 138.165.14.33:0


OrgName: NCTC
OrgID: NCTC-1
Address: 130 West Avenue Suite D
City: Pensacola
StateProv: FL
PostalCode: 32508-5111
Country: US

NetRange: 138.165.0.0 - 138.165.255.255
CIDR: 138.165.0.0/16
NetName: REGION-CS1
NetHandle: NET-138-165-0-0-1
Parent: NET-138-0-0-0-0
NetType: Direct Assignment
Comment:
RegDate: 1990-05-07
Updated: 2001-02-15

RTechHandle: SCG-ARIN
RTechName: Greunke, Steve
RTechPhone: +1-850-452-7560
RTechEmail: GREUNKES@spawar.navy.mil

OrgTechHandle: RS2224-ARIN
OrgTechName: Smith, Richard
OrgTechPhone: +1-850-452-7570
OrgTechEmail: RSMITH@ncts.navy.mil

# ARIN WHOIS database, last updated 2006-01-28 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Search results for: 164.158.20.80:0


OrgName: Naval Surface Warfare Center
OrgID: NSWC-7
Address: Port Hueneme Division Louisville
Address: Detachment 160 Rochester Drive
City: Louisville
StateProv: KY
PostalCode: 40214-5000
Country: US

NetRange: 164.158.0.0 - 164.158.255.255
CIDR: 164.158.0.0/16
NetName: NOSL-SEA06
NetHandle: NET-164-158-0-0-1
Parent: NET-164-0-0-0-0
NetType: Direct Assignment
NameServer: HERMES.NSWCL.NAVY.MIL
NameServer: MERCURY.NSWCL.NAVY.MIL
Comment:
RegDate: 1993-03-19
Updated: 1999-02-03

RTechHandle: GL47-ARIN
RTechName: Levay, Glenn
RTechPhone: +1-502-364-5560
RTechEmail: LevayGH@nswcl.navy.mil



Search results for: 25.0.121.104:29897


OrgName: DINSA, Ministry of Defence
OrgID: DMD-16
Address: HQ DCSA, Copenacre, c/o Basil Hill Barracks,
City: Corsham
StateProv: Wiltshire
PostalCode: SN13 9NR
Country: GB

NetRange: 25.0.0.0 - 25.255.255.255
CIDR: 25.0.0.0/8
NetName: RSRE-EXP
NetHandle: NET-25-0-0-0-1
Parent:
NetType: Direct Assignment
NameServer: NS1.CS.UCL.AC.UK
NameServer: RELAY.MOD.UK
Comment:
RegDate: 1985-01-28
Updated: 2005-09-06

OrgTechHandle: MNE30-ARIN
OrgTechName: Newton, Mathew
OrgTechPhone: +44 1225 813191
OrgTechEmail: mathew.newton643@mod.uk

# ARIN WHOIS database, last updated 2006-01-28 19:10





Search results for: 11.15.140.139:0


OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US

NetRange: 11.0.0.0 - 11.255.255.255
CIDR: 11.0.0.0/8
NetName: DODIIS
NetHandle: NET-11-0-0-0-1
Parent:
NetType: Direct Allocation
Comment: DoD Intel Information Systems
Comment: Defense Intelligence Agency
Comment: Washington, DC 20301 US
RegDate: 1984-01-19
Updated: 1998-09-26

RTechHandle: MIL-HSTMST-ARIN
RTechName: Network DoD
RTechPhone: +1-800-365-3642
RTechEmail: HOSTMASTER@nic.mil

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-800-365-3642
OrgTechEmail: HOSTMASTER@nic.mil

# ARIN WHOIS database, last updated 2006-01-28 19:10

I realize infected comp's at all these places can scan my ports but what are the odds
the NCTC one is creeping me out.

Thanks for your input.

FYI I'm an ordinary everyday person who is left of center and hangs at the DU and other progressive sites.

I marched 2 times against the Iraq invasion.






Garbo 2004 Donating Member (1000+ posts) Sun Jan-29-06 01:57 AM
Response to Reply #22
35. Yeah, but see my other post above and I hang out at PC security sites.
What good do you think is achieved by anyone banging against a firewalled port? Absolutely nothing.

As had been said long before, and now proven, if the gov't wants to know what you're up to, they tap in at the pipe (with the cooperation of the telcos and ISP's) and can pick up traffic there without the subject of surveillance being any the wiser. That's effective and leaves no traces that the subject can discern. (Not to mention the "sneak and peek" whereby the Feds can physically come into your place and check out your stuff and bug when you're out of your home.)

Portscanning simply isn't effective for anything against a firewalled PC and is much more readily explained by the widespread phenomena previously described: IP spoofing, misconfigured networked PC's and infected machines automatically portscanning netblocks. If the gov't is really snooping on you electronically, you wouldn't have calling cards on your firewall log. (Or even hear a click on your phone either, that's old technology.)
Printer Friendly | Permalink |  | Top
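
Added example (not part of the thread and not any poster's code): a Python sketch of the log triage the posts above discuss. It parses ARIN-style WHOIS text into netblocks, attributes each log entry to a registered block, and counts how many entries have a source address the log can actually vouch for. The WHOIS excerpts are abbreviated from records quoted in this thread; the log entries, their ports, the `handshake completed` field and all function names are constructed assumptions.

```python
import ipaddress

# Abbreviated from two WHOIS records quoted in this thread (ARIN "Key: value" format).
WHOIS_TEXT = """\
Search results for: 136.219.38.1
OrgName: HQ, 5th Signal Command
NetRange: 136.219.0.0 - 136.219.255.255
CIDR: 136.219.0.0/16

Search results for: 33.62.136.174:0
OrgName: DoD Network Information Center
NetRange: 33.0.0.0 - 33.255.255.255
CIDR: 33.0.0.0/8
"""

# Constructed firewall entries: (source IP, protocol, destination port,
# handshake completed?). Ports and the last field are assumptions; the
# thread only says the blocked packets were UDP.
LOG = [
    ("136.219.38.1", "udp", 1026, False),
    ("136.219.38.1", "udp", 1027, False),
    ("33.62.136.174", "udp", 1026, False),
    ("198.51.100.7", "tcp", 135, False),  # documentation address, dropped SYN
    ("198.51.100.7", "tcp", 80, True),    # connection that was established
]


def parse_whois(text):
    """Return [(network, org_name)] from ARIN-style 'Key: value' records."""
    blocks, org = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "OrgName":
            org = value
        elif key == "CIDR" and org:
            # One range can be listed as several comma-separated prefixes.
            for prefix in value.split(","):
                blocks.append((ipaddress.ip_network(prefix.strip()), org))
    return blocks


def registrant(ip, blocks):
    """Longest-prefix match: who the address is registered to, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, org) for net, org in blocks if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def source_is_verified(proto, handshake_done):
    """True only when replies sent to the source address demonstrably arrived,
    i.e. a TCP three-way handshake completed. A lone UDP datagram or a dropped
    SYN carries whatever source address its sender chose to write."""
    return proto == "tcp" and handshake_done


def triage(log, blocks):
    """Summarise entries per registrant: hits, verified sources, ports touched."""
    report = {}
    for ip, proto, dport, handshake_done in log:
        org = registrant(ip, blocks) or "unlisted"
        row = report.setdefault(org, {"hits": 0, "verified": 0, "ports": set()})
        row["hits"] += 1
        row["verified"] += int(source_is_verified(proto, handshake_done))
        row["ports"].add(f"{proto}/{dport}")
    return report


if __name__ == "__main__":
    for org, row in triage(LOG, parse_whois(WHOIS_TEXT)).items():
        print(f"{org}: {row['hits']} hits, {row['verified']} with a verified "
              f"source, ports {sorted(row['ports'])}")
```

A zero in the verified column means the WHOIS registrant identifies who owns the address written in the packet, not who sent it.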
 
LibertyorDeath Donating Member (1000+ posts) Sun Jan-29-06 02:13 AM
Response to Reply #35
37. I really appreciate this info. Thanks Garbo

"As had been said long before, and now proven, if the gov't wants to know what you're up to, they tap in at the pipe (with the cooperation of the telcos and ISP's) and can pick up traffic there without the subject of surveillance being any the wiser."


Garbo 2004 Donating Member (1000+ posts) Sun Jan-29-06 02:40 AM
Response to Reply #37
38. Well yeah, that's what we used to say when people were concerned
years ago that they were being spied on because of their firewall logs. Now, unfortunately, we know we were right. That's precisely the kind of stuff this gang has been doing. (According to published reports and not just the claims of those of us with our tinfoil hats at the ready. ;) )

Anyway, that's why I don't sweat firewall logs. Doesn't mean no one may be checking you out in some other fashion if you're an "activist" like a Quaker peacenik or a vegan or some other "suspect" group, just that portscans in themselves don't do squat as long as you're firewalled. The gov't has more efficient ways of tracking your activities. Not exactly a comfort, eh?

Gads, what we've come to as a nation.....:cry:

Ioo Donating Member (1000+ posts) Sat Jan-28-06 11:27 PM
Response to Original message
21. Last week my Firewall Blocked DU and FR!!!
Edited on Sat Jan-28-06 11:31 PM by Ioo
A computer at www.democraticunderground.com has attempted an unsolicited connection to TCP port 2014 on your computer.

A computer at www.freerepublic.com has attempted an unsolicited connection to TCP port 3212 on your computer.

A computer at www.freerepublic.com has attempted an unsolicited connection to TCP port 3212 on your computer.

A computer at www.freerepublic.com has attempted an unsolicited connection to TCP port 3040 on your computer.
TCP port 3040 is commonly used by the "Tomato Springs" service or program.

A computer at www.freerepublic.com has attempted an unsolicited connection to TCP port 3038 on your computer.
TCP port 3038 is commonly used by the "Santak UPS" service or program.

A computer at www.freerepublic.com has attempted an unsolicited connection to TCP port 3037 on your computer.
TCP port 3037 is commonly used by the "HP SAN Mgmt" service or program.

A computer at www.freerepublic.com has attempted an unsolicited connection to TCP port 3034 on your computer.
TCP port 3034 is commonly used by the "Osmosis AEEA" service or program.


Ahhh!

skids Donating Member (1000+ posts) Sat Jan-28-06 11:48 PM
Response to Original message
23. honeypot them :-)

Set up a honeypot box to respond to make it look like one of their exploits worked. Then log what they do. Then maybe you'll know what they are after. Or maybe you'll just find yourself the proud new owner of some military-grade rootkit code. :evilgrin:

Humor_In_Cuneiform Donating Member (1000+ posts) Sun Jan-29-06 01:03 AM
Response to Reply #23
29. I've been watching this stuff for years on my computer. I used to get
annoyed when I'd see how many times one IP address kept trying to get past my firewall.

So I'd do a tracert or trace to see if I could see who it was. And sometimes I'd ping them a few times to let them know I noticed them.

That did tend to make them back off.

I just now set my new computer like I had my old one, to block any communication from anyone trying to intrude 48 hours rather than the default 30 minutes in my Norton Internet Security.

I reckon some folks use the Windows firewall.

diamondsndust Donating Member (1000+ posts) Sun Jan-29-06 01:12 AM
Response to Reply #23
30. or you could just
hit them back with DDOS. who are they going to complain to since you have logs of them trying to hack you??

Every time you start surfing, it is wise to do a netstat once in a while. Pull up your command prompt (DOS Prompt for those still on 98/98SE) and just type in "netstat" without the quotes. You should see 3 to 4 connections, depending on what all applications you are running such as yahoo or AOL messengers and so. It should give the names. Then just type "netstat -n" without the quotes and it gives the IP addresses of the connections.

Hmmm... maybe there IS a reason I have the side off of my computer and a magnet close by! :headbang:

:hippie: PEACE! It's not just for hippies anymore! :hippie:

LifeDuringWartime Donating Member (1000+ posts) Sun Jan-29-06 01:30 AM
Response to Original message
31. not sure what's going on here
it seems like my firewall is blocking connection attempts on port 6881 (used for bittorrent, i have azureus running at the moment) and port 1900 (not sure what this one is for?). using the whois lookup in mac os x's network utility, it seems like most of them are from ISPs, including "DSL Extreme" and Bell South. :shrug:

Humor_In_Cuneiform Donating Member (1000+ posts) Sun Jan-29-06 01:53 AM
Response to Reply #31
34. I used to get a lot that showed as being from other ISP's.
I figure there's always someone out there trying to pick up information.

"Sniffing" maybe.

I took some Cryptography courses, both prior to 911. There was a lot of stuff about various kinds of attacks etc, so I know they're out there. I don't know how exactly they do it, but there was a lotta material in those courses.

skids Donating Member (1000+ posts) Sun Jan-29-06 02:02 AM
Response to Reply #31
36. 1900 is ssdp (windows messenger)

If your IP address changes 6881 traffic could be normal -- old bittorrent seeds not noticing that a server that used to have your IP has dropped out of the torrent.