Re: [Full-disclosure] DoD ...and r57(!?)
- To: t0hitsugu <tohitsugu@xxxxxxxxx>
- Subject: Re: [Full-disclosure] DoD ...and r57(!?)
- From: coderman <coderman@xxxxxxxxx>
- Date: Sat, 28 May 2011 14:10:08 -0700
On Sat, May 28, 2011 at 6:13 AM, t0hitsugu <tohitsugu@xxxxxxxxx> wrote:
>...
> I noticed my connection had suddenly slowed to a crawl and did a scan on
> myself (running bt5 gnome 32) and was quite surprised to see I had around 18
> open ports, most of them connected to a server with the ip of
> 26.195.181.202. Curious, I did a GET on one of them 33644 and saw the r57
> spider pop up. I tried to ncat a couple more in hopes of getting a bind to
> trace but they all closed shortly after.
>
> According to wireshark, nmap and whois they weren't being spoofed. The server
> also happens to be registered to the DoD...lol.
>
> Has anyone ever encountered something like this before? Seems a lot of
> trouble you'd be risking borrowing the address of a military/gov domain.

how do you know they weren't being spoofed? a local attacker on
wireless can pretend to be any endpoint in your path.

bet you weren't watching arp tables. (static arp; an oldie but goodie...)

wpa2 is a fig leaf, and wifi carries far beyond the walls of your
coffee shop. you need kismet not wireshark for these situations.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
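
The reply above points at watching ARP tables. As an added example (not part of the original thread or written by its participants), this compares two snapshots in Linux /proc/net/arp format and flags an IP whose MAC changed or one MAC answering for several IPs. The snapshots and every address in them are constructed; the function names are hypothetical.

```python
# Constructed /proc/net/arp snapshots (Linux format); all addresses are made up.
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.23     0x1         0x2         66:77:88:99:aa:bb     *        wlan0
"""
AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         de:ad:be:ef:00:01     *        wlan0
192.168.1.23     0x1         0x2         66:77:88:99:aa:bb     *        wlan0
192.168.1.42     0x1         0x2         de:ad:be:ef:00:01     *        wlan0
"""

def parse_arp(text):
    """Return {(device, ip): mac} for resolved entries in /proc/net/arp text."""
    table = {}
    for line in text.splitlines()[1:]:              # skip the header row
        f = line.split()
        if len(f) < 6:
            continue
        ip, flags, mac, dev = f[0], int(f[2], 16), f[3].lower(), f[5]
        # 0x2 is ATF_COM (completed entry); skip unresolved placeholders
        if flags & 0x2 and mac != "00:00:00:00:00:00":
            table[(dev, ip)] = mac
    return table

def arp_alerts(before, after):
    """Compare two parsed snapshots and return a sorted list of alert tuples."""
    alerts = []
    for key, mac in after.items():
        old = before.get(key)
        if old is not None and old != mac:          # same IP, different MAC
            alerts.append(("mac_changed", key[1], old, mac))
    by_mac = {}
    for (dev, ip), mac in after.items():
        by_mac.setdefault((dev, mac), []).append(ip)
    for (dev, mac), ips in by_mac.items():
        if len(ips) > 1:                            # one MAC claims several IPs
            alerts.append(("mac_shared", mac, tuple(sorted(ips))))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in arp_alerts(parse_arp(BEFORE), parse_arp(AFTER)):
        print(alert)
```

On a live host the same functions can be fed the contents of /proc/net/arp read at two points in time; a static ARP entry for the gateway removes the first alert class entirely.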