Interesting thing is this address is also a frequent visitor to West Virginia University. Possibly taking classes there? I've emailed the abuse department, have not heard back yet.
<tinfoil hat> Could it be related to my complaint about beef inspection? Maybe they are confusing me with my cousin who is a cattle rustler? (just kidding all you secret policemen out there) Hey Doesn't Brian K. work for these people? ;') </tinfoil hat>
It could also be a friend of mine playing a joke on me. He investigates cattle rustling and such stuff for the USDA people. Yeah, cattle rustling is big business in the US, it just doesn't make headlines much. I don't put much stock in this theory though. He's got better things to do at 3am.
My bet is the IP is spoofed somehow, or one of the USDA's networks has been compromised. In any event, I'd recommend anyone who has a PC visible to the net to block this address. So far it's the only one in that block I've seen. I've got 24 entries in my blacklist.
-----Original Message----- From: Jeremy Turner
On Fri, October 29, 2004 10:17 am, Brian Densmore said:
OrgTechHandle: ZU20-ARIN OrgTechName: USDA - Office of the Chief Information Officer OrgTechPhone: +1-970-295-5277 OrgTechEmail: Network.Operations@usda.gov
So they really are out to get you? =)
That or some cracker is using zombie software to do the dirty work.
Jeremy
-----Original Message----- From: kclug-bounces@kclug.org [mailto:kclug-bounces@kclug.org] On Behalf Of Brian Densmore Sent: Friday, October 29, 2004 11:45 AM To: KCLUG Subject: RE: Crack attempt
[snip]
It could also be a friend of mine playing a joke on me. He investigates cattle rustling and such stuff for the USDA people. Yeah, cattle rustling is big business in the US, it just doesn't make headlines much. I don't put much stock in this theory though. He's got better things to do at 3am.
Not much stock... no pun intended I presume? ;)
My bet is the IP is spoofed somehow, or one of the USDA's networks has been compromised. In any event, I'd recommend anyone who has a PC visible to the net to block this address. So far it's the only one in that block I've seen. I've got 24 entries in my blacklist.
Immediately after I replied to your earlier post, I thought to myself, "I really ought to ask Brian what the traffic looked like." If it's UDP, I'd almost wholesale expect it is spoofed. Same applies to ICMP, but if you're looking at genuine TCP traffic, with an established three-way handshake, it's a different story. (If you're working solely on the basis of what you find in syslog and the like, you might not be able to answer the question either. [Insert soapbox about logging all packets that traverse the border here.])
It's also entirely possible your machine is being targeted with USDA spoofed, in hopes that you and several others targeted in the same fashion will respond with ICMP unreachable or prohibited messages. Enough of these, and USDA will feel the wrath, so to speak.
Hope this helps out... /me wanders off to see if that IP was noteworthy on any of his sensors.
Dustin
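The distinction Dustin draws (a UDP or ICMP source address is trivially forged, a completed TCP three-way handshake is not, and a host that answers forged packets with ICMP errors becomes a reflector aimed at whoever is being impersonated) can be checked mechanically against packet logs before anyone blacklists an address or files an abuse complaint. The script below is an added example, not code from this thread or from any of its posters. It parses constructed tcpdump-style lines (the addresses are RFC 5737 documentation ranges and the monitored host is assumed to be 192.0.2.10; none of this is the traffic discussed above) and reports, per remote address, whether a handshake ever completed and how many ICMP errors the monitored host sent back to it.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style sample (not from the thread). 192.0.2.10 plays the
# monitored host; the other addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
03:01:02.100 IP 198.51.100.7.44321 > 192.0.2.10.22: Flags [S], length 0
03:01:02.101 IP 192.0.2.10.22 > 198.51.100.7.44321: Flags [S.], length 0
03:01:02.200 IP 198.51.100.7.44321 > 192.0.2.10.22: Flags [.], length 0
03:01:02.300 IP 198.51.100.7.44321 > 192.0.2.10.22: Flags [P.], length 48
03:02:10.000 IP 203.0.113.9.53 > 192.0.2.10.1434: UDP, length 376
03:02:10.001 IP 192.0.2.10 > 203.0.113.9: ICMP 192.0.2.10 udp port 1434 unreachable, length 36
03:02:11.000 IP 203.0.113.9.53 > 192.0.2.10.1434: UDP, length 376
03:02:11.001 IP 192.0.2.10 > 203.0.113.9: ICMP 192.0.2.10 udp port 1434 unreachable, length 36
03:03:00.000 IP 203.0.113.40.5555 > 192.0.2.10.445: Flags [S], length 0
03:03:00.001 IP 192.0.2.10.445 > 203.0.113.40.5555: Flags [S.], length 0
"""

IP = r"\d+(?:\.\d+){3}"
TCP_RE = re.compile(rf"^(?P<ts>\S+) IP (?P<src>{IP})\.(?P<sport>\d+) > "
                    rf"(?P<dst>{IP})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")
UDP_RE = re.compile(rf"^(?P<ts>\S+) IP (?P<src>{IP})\.(?P<sport>\d+) > "
                    rf"(?P<dst>{IP})\.(?P<dport>\d+): UDP")
ICMP_RE = re.compile(rf"^(?P<ts>\S+) IP (?P<src>{IP}) > (?P<dst>{IP}): ICMP .*unreachable")

ESTABLISHED = "established-tcp"   # full handshake seen: the sender really receives packets at that address
SYN_ONLY = "tcp-syn-only"         # SYN (and maybe our SYN-ACK) but never the final ACK: scan or forged source
UNVERIFIABLE = "udp-icmp-only"    # connectionless traffic only: the source address proves nothing


def parse_line(line):
    """Classify one log line by protocol; returns None for lines this parser does not understand."""
    for proto, rx in (("tcp", TCP_RE), ("udp", UDP_RE), ("icmp", ICMP_RE)):
        m = rx.match(line)
        if m:
            return dict(m.groupdict(), proto=proto)
    return None


def assess(log_text, local_ip):
    """Per remote address: can the log prove it was not spoofed, and is local_ip acting as a reflector?"""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "ack": False})
    protos = defaultdict(set)
    icmp_errors_sent = defaultdict(int)
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        inbound = pkt["dst"] == local_ip
        remote = pkt["src"] if inbound else pkt["dst"]
        protos[remote].add(pkt["proto"])
        if pkt["proto"] == "tcp":
            # Flow key is (remote ip, remote port, local port), the same in both directions.
            key = (remote, pkt["sport"], pkt["dport"]) if inbound else (remote, pkt["dport"], pkt["sport"])
            f, flags = flows[key], pkt["flags"]
            if inbound and flags == "S":
                f["syn"] = True
            elif not inbound and flags == "S." and f["syn"]:
                f["synack"] = True
            elif inbound and "S" not in flags and "." in flags and f["synack"]:
                f["ack"] = True  # third packet: the sender must have received our SYN-ACK
        elif pkt["proto"] == "icmp" and not inbound:
            icmp_errors_sent[remote] += 1  # our error goes to whatever source the packet claimed
    report = {}
    for remote, seen in protos.items():
        if any(f["ack"] for (r, _, _), f in flows.items() if r == remote):
            verdict = ESTABLISHED
        elif "tcp" in seen:
            verdict = SYN_ONLY
        else:
            verdict = UNVERIFIABLE
        report[remote] = {"verdict": verdict, "icmp_errors_sent": icmp_errors_sent[remote]}
    return report


if __name__ == "__main__":
    for remote, r in assess(SAMPLE_LOG, "192.0.2.10").items():
        note = "  (answering unsolicited packets with ICMP errors: reflector risk)" if r["icmp_errors_sent"] else ""
        print(f"{remote:15} {r['verdict']:16} icmp_errors_sent={r['icmp_errors_sent']}{note}")
```

Only `established-tcp` is evidence that the address in the log is really where the traffic came from; `tcp-syn-only` and `udp-icmp-only` say nothing about the address owner, which is exactly why a syslog entry alone cannot settle the question. A non-zero `icmp_errors_sent` count is the reflector case from the message above, and the usual mitigation is to rate-limit or drop ICMP error replies to unsolicited traffic at the border rather than to block the claimed source.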