have me singing and dancing through a field of posies... except that my broke ass can't afford anything but the bottom rung in Cox's cable net speeds... 2MB. 3 Mbps (Megabits per second) is my ceiling, even when "Speed-boost" is in effect. Curious about this seemingly fortuitous turn of events, I decided to run a speed test. I chose a different site today, based on a recommendation of a friend. To my complete, slack-jawed, flabbergasted surprise I clocked in at a download rate of 25MBps.
For those of you who are not familiar with TCP/IP communications, that's enough bandwidth to run a small to mid-sized company, both telephony and net services. It's also the maximum bandwidth available to consumer-level Cox Communications net subscribers.
Well what exactly (or who) was the "internet fairy" so graciously sprinkling me with magic web dust? The answer, as it usually turns out, was too good to be true. After doing several relatively nerdy things with a command prompt (I'll spare you the details), I identified an established, keep-alive connection in my route path. My internet is being re-directed, so to speak... and not by a government or law enforcement agency. No sir, this IP traced to a rural farmhouse outside of Potwin, KS. Farmhouse? Wth? I have a very hard time believing farmer Johnny needs server stacks and T1 lines, "heavy" and expensive hardware for a business, let alone a private residence. Usually being re-directed by your ISP slows you down, bottlenecks you. I've been increased by upwards of 5X what I pay for... so a capitalizing company is obviously not the culprit.
Following even more eyeball-twisting research, I found several sites with people complaining loudly of someone traced from this farmhouse sending scary emails, hacking Facebook accounts, and random forms of other internet shadiness... but I could find no reference to complete data stream hijacking. Many of these complaints go back to mid 2011... hard to stay the outlaw in the digital age these days; let alone hijacking an entire ISP trunk line.
The physical address information associated with the IP is as follows.
Suspicious IP: 70.183.71.66 ---only IP ID'd with tracert not associated with Cox Communications. IP address connected to me was immediately changed from 70.183 subnet to the usual 68.1xx, but still on a different subnet than standard Cox servers. Additionally, domain registration info stayed the same, identifying as follows:
dukedsrj01-ge-210.0.rd.at.cox.net
This change happened as soon as I noticed it, after emailing an address I found online for a blogger who has been dealing with this issue for the last few years. (Which then indicates active attention to my network activity.)
Associated geotag address: 8689 County Road 576, also known as 8653 NW 120th St, and all geomaps point to the same real estate parcel. Standard people search has some info, but none all that helpful. Most info I've found is most likely falsified, such as recycling the identity of the recently deceased. Info as follows:
Thelma Hinnen Vogelman, Andy Nellans, James Arnold. Searches on Vogelman allude to this man having intimate knowledge of the Keystone pipeline project, which is a significant oil pipeline stemming from Alberta, Canada. Vogelman died in 1998, yet his name continues to be used... a prime account to land for an identity thief.
After much deliberation, I've decided on 3 theories.
1. A few years ago, a virus began circulating that would re-direct internet away from secured ISP backbones into private networks. It was not malicious, except for the network re-direction, so most people never even knew they had it. There was a URL in the article I read to a government funded/run website that would identify a tampered route, with instructions for removal. I have since lost both the article AND the website, which is odd in and of itself. I use Gmail, I haven't deleted a single email since 2004. If anyone remembers that article and happens to know the site, I would appreciate a heads up. My searches are coming up empty for some reason, with stuff that should be there just simply deciding not to exist anymore.
*update- Ruled this out, not malware related. Someone sent me the link to the FBI's rogue DNS verification page, found here: https://forms.fbi.gov/check-
2. My second theory is a bit more far-fetched... (as the only logical explanation I can conceive of is above) I can only imagine what I did to piss off an apparently wealthy networking genius, because it would take nothing short of that. Since it's not a federal/county/local civic building, I can rule out law enforcement or government. That means that someone went out of their way to hijack my data stream, undetected to boot.
3. My only other theory on the matter would be a plot out of "Live Free or Die Hard". ISP redirection is used as a metaphorical chess piece in a plot called a "Fire Sale"... which is a massive electronic attack on all communication/technology/banking/civil law/etc services at once, designed to cripple an entire economy in a matter of days. Although the technology exists, and the theory is valid, it would be more likely if I was abducted by aliens before I finish typing this paragraph.
So I suppose this is both a warning/FYI to my clients, and a venting session for myself; but moreover the first techie question I've had to ask the net community in years. Any information you might have about who/why/how on this would just be deliriously helpful, and I would invite those with such info to email me the stories. I'm gathering data on everything I find on my encrypted drive, and if I get enough together I have blogger buddies who I'm sure would perpetuate the info, as there seems to be 0 awareness on this matter at the moment.
I would suggest jumping in your preferred internet vehicle (any browser) and heading to www.dslreports.com/speedtests. Follow the instructions to get an accurate reading of your current upload/download rates. The rate you're paying for should be listed on the bill. If the rate is close to or less than your paid rate, then you're fine. If it's much different, it's a sign of re-direction.
If you or anyone you know should happen upon a similar situation, or receive any FB/email/social app hacking traced to that address, I would greatly appreciate a heads up. I'm currently shopping for a free proxy server that would be safe enough to support secured browsing, which is the only way to force a re-direct. Pickings are slim in that area, but I'm sure I'll find something. As for the obvious question, "Why don't you call the ISP?"... if this turns out to be nothing, then I'm just an incredibly lucky guy with a bunch of free internet, and don't feel like being too hasty calling attention to it with the party poopers and their bottlenecks.
I would love to believe that I'm just being paranoid, but the lack of info on this is giving me the damned willies. So, as James Franco once so eloquently put it: "Safety First. Safety first, then teamwork".
-Matt McClellan
SimianTech IT Services
contact info:
simiantech@gmail.com
darthmonkey2004@gmail.com
620-204-0386 (mobile)
1 (785) 260-7633 (free web based texting through Pinger.com)
links to information I was able to find:
MorganStanleyGate: Others Mysteriously Contacted Via Computer Connection Traced To SAME Farm House in Potwin, KS
http://www.ip-adress.com/whois/70.183.71.66 (basic IP registry info, I was able to use that to get an address, leading to the farm house.)
*Update
Upon extended and rigorous research, I have decided this is the work of an ID hacker, an identity thief. My theory is he's somehow siphoning off traffic from local network service machines. I would imagine it's an automated network load relief exploit. ISPs stay busy, and sometimes need to drop data routing jobs off on other networks; it happens all the time. It's done by an overloaded router simply deciding on a specific sub-netted group to drop from "Active" route to "Passive", meaning it can forward it on and allocate its bandwidth to its Active routes. This is how the net works, passing through machines on the way to the one you want to talk to.

He (she, they... it?) also appears to be using a network of "ghosted" DNS servers: virtual servers that spoof all incoming and outgoing packets with false IP/MAC/network hardware info. This way an admin can run a test on his route, and it would still appear legitimate at first glance. Upon closer inspection you see key differences: domain info that should exist for an active route is missing. This means that your default gateway/DNS server is told to forward you on, rather than handle your routing, effectively changing you from an active route to passive/anonymous multicast traffic. As long as the spoofed IP/MAC is taken from a legitimate ISP service machine, its MAC address alone is enough to authenticate it. It's automatically passed on and assumed to be legit... no alarms, no red flags.

Normally there is a latency monitoring method to find spoofed addresses. It takes time for a machine to intercept, alter, and forward the packet to its original destination. Latency is constantly computed with virtually every connection, automatically. When one person's latency is significantly higher than someone he's directly connected to, this is sometimes a sign of ghosting. It's not proof at all though, merely conjecture.
Most servers deal with severe latency fluctuation by simply closing the connection and then routing them to a different subnet when they reconnect. Still, no warnings, no alarms. These events do get logged, but are classified as generic log info, rather than a flagged event. However, he fixes this problem by guaranteeing that 25 Mbps rate (which happens to be the maximum available data rate for consumer class Cox Cable internet) with enterprise level routing hardware, and what I can only assume is a series of fiber optics backing his network. This minimizes the increase in latency, tailoring it to permissible levels based on the level of latency sensitivity of the machine you're spoofing. Tricky stuff, probably took years to work out the kinks.
The reasoning for all of this is obvious. Receiving, managing, and forwarding public internet traffic is the easiest method to access the data stream directly. Even https can't really help you here. Because, when your machine decides on an encryption key to use with the server it's talking to, that info is encoded in a packet. It gets intercepted, and is relatively easy to decode keys/credentials/passwords. The data stream then turns encrypted, preventing passive/anonymous connections from prying, but that is no worry for a hacker if they have the key.
All in all, this is a very expensive and labor intensive venture. The techniques employed in this scheme are state of the art, finding the tiniest flaws in modern tech and using them to hide while you sit back and capture mass quantities of data. At the very least you have cookie/web history info from surfers all over the world... there are people that will pay for enough of that. Then every once in a while you land a big fish, like the aforementioned Vogelman. Those are being kept to himself for use in obtaining the hardware/network access he needs. The Google map data is very lacking in pretty much all rural areas, and this particular area appears to be devoid of cellphone towers/communication arrays, a cellular "black spot". It would be easy to erect a 30 foot antenna that can broadcast line of sight for miles. And with no towers in the area, you can't triangulate the signal. Just because the info is registered to that address doesn't mean this guy doesn't live 5 miles away.
It's actually quite elegant, a lot of thought and time has been put into this. Leads me to think it's a team of people, working together. Although if it is just one man, I suppose that would be pretty impressive, if not a bit exhausting for him.
I'll continue to update as new information is made available.
12 comments:
Hi I am not sure you even check this blog however I found it when I did a search on the Kansas address. Whoever lives here is up to no good again and is targeting the photographer community. You can read about it here: http://www.katforder.com/2015/02/23/bad-review-photographer-scam-update/
I received the email and traced the headers to the Kansas address. I'm not sure you can do anything with this information but yours was the only normal site I found -- all the others were just bizarre!
I also have traced back an IP address that lands directly next to this odd place. I have not seen any signs of misuse or any problems. *knock on wood* x 100,000,000,000 lol. How would I be a part of any of this? I am just your basic internet user. I have one blog page, and one website for saunas, and wine cellars... Nothing unusual.. What should I do about this?
I tracked an IP to this address from a google+ member by the name of Mikael "The Sleaze" Akerstache
He is a vile individual and worth checking out.
I've been receiving numerous unidentified emails from an IP address identified at this Kansas address. I suspect that the computer, if one exists, at this farm house is a zombie, probably unprotected and hacked by some Ping Pong in China or Vodka soaked hack in some gulag in Siberia with mountains of spare time. One mistake some recipients may make is clicking on the links contained in these bogus e-mails, which will likely redirect the sucker to some drive-by infested web site while collecting your IP address for further exploitation. Just my humble opinion. SiSancho
Their IP is 198.54.12.97
Their ISP is SpotXchange.
Their hostname is tg2-den.search.spotxchange.com (looks like the 2nd server in their setup). Domain resolves to spotxchange.com
They are on ASN backbone AS62693.
The last update to this server was on 2015-08-21T11:50:16.856453
They are running CentOS and using Apache version 2.2.15 for their webserver.
Interesting thing is they are using a newer version of mod_ssl (2.2.23), this is a security module for Apache to prevent most attacks (not all). They are also using OpenSSL version 1.0.1e (which is very old and vulnerable to attack) and their server is using a FIPS-based processor.
I have had this location show up on my daughter's FB account and I see all these articles and have decided to dig, so please contact me on this issue if anyone can tell me any new news or updates as to what is going on. I don't trust this sort of thing. Any info would be appreciated,
Jack Dup
I can be reached at Facebook under the name "Jack Dup" or e-mail me at iamnotyou@usa.com
Hey, I came across your blog when researching why someone with an ISP in WY was accessing my family's Netflix account as we live in CO! I was searching the ISP number only to find that same farmhouse you mentioned and also an address in Indiana! The ISP number was 97.43.194.29 and it happened on Oct 1st 2015. After reading your blog I am even more concerned. The search I did showed that it belonged to Verizon and we also use Verizon prepaid phones but have not been in WY in a very long time! Keep up the research, I will be checking back to see what else you have found because I am not only concerned but also rather ticked off. Thanks for the help!
Olivia.
I have had something in my entire home network for at least two years now and have gone everywhere I can think of for help. No one finds anything and I sound crazy. I do not even talk about it anymore because I feel people think I am nuts but I have not stopped trying to find it or prove something is there. I was led to the farmhouse while doing what I have spent 100 of hours doing just tonight. I found you and you are the first validation that there is something there. I want to talk to you but it is too late. I will try tomorrow.
hey Matt you related to encore by chance?
Bet you feel stupid now: http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/
@TerranRich - As a matter of fact, I do not feel silly. Regardless of the basic GEOtag info and the 80 (ish) mile radius... the fact remains that a registered Cox ISP backbone in this area was re-directing entire ISP trunk lines of traffic... including mine. The fact that the farmhouse just so happened to be located at the center of the ISP service area is irrelevant. Someone, within this range, was (and continues to be) responsible.
Plus, the article said the people living there rent this place. Why, I would ask, if someone was only renting, would they continue to stay through such a "technological terror"? Isn't it more likely they are being paid to stick it out and play the innocent?
Whatever, I would suggest just washing your hands of this, as I have.
@Connie - Not sure who or what encore is, unless you're referring to the premium movie channel, and then I would greet your question with even more confusion.
Hey friends, read the news about the MaxMind database / potwin farmhouse, which is the company that manages the geolocation database for IP addresses. All unattached IP addresses were given a default geolocation in the exact center of the USA. Which happens to be Potwin, Kansas. MaxMind has now redirected the default geolocation into a nearby body of water to prevent future confusion.
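The two checks a defender would run before reading a street address into a traceroute hop, as an added example (not the blog author's tooling): whether the hop's reverse-DNS name is actually under the ISP's domain (the post's hop resolves under cox.net), and whether its GeoIP fix is the country-level default centroid the comment above describes rather than a real location. The US default coordinates and all sample hops are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: country-centroid defaults a GeoIP database returns when it has no finer
# data; the US value follows the MaxMind/Potwin account in the comments above.
COUNTRY_DEFAULTS = {"US": (38.0, -97.0)}

@dataclass
class Hop:
    ip: str
    hostname: Optional[str]       # reverse-DNS name, None if the lookup failed
    country: str
    latlon: Tuple[float, float]   # GeoIP fix for this IP

def is_under_domain(hostname: Optional[str], domain: str) -> bool:
    """True if hostname equals domain or is a subdomain of it (case-insensitive)."""
    if not hostname:
        return False
    h, d = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)

def is_default_geolocation(country: str, latlon: Tuple[float, float], tol: float = 0.05) -> bool:
    """True if the fix sits on the country's default centroid, i.e. it names no real place."""
    default = COUNTRY_DEFAULTS.get(country)
    if default is None:
        return False
    return abs(latlon[0] - default[0]) <= tol and abs(latlon[1] - default[1]) <= tol

def assess_hop(hop: Hop, isp_domain: str) -> List[str]:
    """Findings to weigh before attributing a traceroute hop to a person or a street address."""
    findings = []
    if is_under_domain(hop.hostname, isp_domain):
        findings.append(f"hostname under {isp_domain}: hop is the ISP's own routing gear")
    else:
        findings.append("hostname not under ISP domain: check whois/ASN before concluding anything")
    if is_default_geolocation(hop.country, hop.latlon):
        findings.append("geolocation is a country-level default: no street address is implied")
    return findings

# Constructed sample: the Cox router name from the post with centroid coordinates, plus a
# made-up hop on an RFC 5737 documentation address with a real-looking city fix.
SAMPLE_HOPS = [
    Hop("70.183.71.66", "dukedsrj01-ge-210.0.rd.at.cox.net", "US", (38.0, -97.0)),
    Hop("192.0.2.10", "edge1.example.net", "US", (41.88, -87.63)),
]

if __name__ == "__main__":
    for hop in SAMPLE_HOPS:
        print(hop.ip, assess_hop(hop, "cox.net"))
```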