Someone from a NASA facility tried to breach my old Email Address and I want to know why.
1 2018-09-19 by keptfloatin707
Yesterday morning I woke up to an email from Google saying someone with an "Unknown Device" and gave me the IP address of 35.242.216.1, and when I ran a reverse IP it popped up with a location that is
"NASA Ames Building T-20G Mountain View, CA 94043"
Now a friend of mine suggested it could have been a spoofed location by swiping the access of their internet to attempt the hack. I find it a little suspect; why would they want to hack a GOV agency to hack me?
I assure anyone reading I am not that interesting. The email account they tried to breach illegally was one from almost a decade ago that, from what I can tell in the archives, was mainly used for Myspace. (yeah, remember that?)
Anyway, if anyone cares or this thread picks up and people want proof, I have the screenshots; I can upload them if anyone finds this interesting.
46 comments
1 asdf2100asd 2018-09-19
among other things, they work on AI there
but it also could just be someone using the wifi, if there is wifi there
1 Sk33tshot 2018-09-19
"I find it a little suspect why would they want to hack a GOV agency to hack me." They don't have to hack anything to spoof an IP address.
1 infocom6502 2018-09-19
maybe they got hacked and hacker is using a hacked unix account to operate?
1 Sk33tshot 2018-09-19
unix account is not necessary for spoofing IP.
1 gerryn 2018-09-19
Please enlighten us how to "spoof an ip", because it definitely doesn't work the way you think it does.
1 Sk33tshot 2018-09-19
There are many ways, but I'd assume this was an older infrastructure and the TCP sequence numbers were guessed correctly to spoof the location/IP address.
1 Sk33tshot 2018-09-19
The fact that there are multiple people reporting the same kind of attack leads me to pull back on my "probably trolling" statement.
1 keptfloatin707 2018-09-19
interesting
1 keptfloatin707 2018-09-19
well shows how little i know but why would they spoof it for something that could get them flagged easier? is it harder or the same just for troll sakes?
1 Sk33tshot 2018-09-19
most likely trolling
1 jefffrey32 2018-09-19
That doesn't make any sense: if you spoofed your IP address, you wouldn't even be able to complete the TCP 3-way handshake, let alone the HTTPS stuff, as it would send data back to this spoofed IP.
Someone below said SSH was open. I'd guess they have proxied into a Google VPS, have somehow obtained a list of compromised accounts, maybe from another site getting breached, and are trying to log in to people's Gmail accounts unsuccessfully.
1 Sk33tshot 2018-09-19
Was a Google employee, its mainstream news now.
1 MrMarmot 2018-09-19
Same thing happened yesterday to my daughter. Then, she randomly asked a guy repairing her phone screen about it, and he said he received the same message. She traced her intrusion to a NASA center in Ashburn VA.
Another IP trace went to Merit Network in Ann Arbor. Could be the hosting co. for the software they're using?
There's fuckery afoot. Wondering if it's related to the messaging from the gov't going on tomorrow.
1 TrapLord1989 2018-09-19
What messaging from the govt going on tomorrow ?
1 MrMarmot 2018-09-19
Link provided by another Redditor on this thread.
1 pantsonakangaroo 2018-09-19
The emergency alert test has been called off and postponed for a few weeks. They didn't want any added confusion while dealing with the aftermath of Hurricane Florence.
https://www.cbs46.com/archives/emergency-alert-test-delayed-due-to-hurricane-florence/article_572d9102-48a4-5df4-ae66-d66f6d1779f6.html
1 applextrent 2018-09-19
Can you provide the IP?
Happened to my friend yesterday and Ashburn Virginia came up but it was a dead end. Curious to see how she was able to figure out her attacker from a NASA facility in the area.
1 MrMarmot 2018-09-19
35.241.196.144
That's the one from her initial alert that her account had an attempted hack.
1 im_dslyexci 2018-09-19
I just had a google alert about someone trying to sign in from the same place the other day. That’s weird.
1 applextrent 2018-09-19
Yeah this seems to be a coordinated attack potentially coming through someone using Google as an ISP that traces to an unknown likely government facility and zip code.
1 keptfloatin707 2018-09-19
got any screen shots?
1 gerryn 2018-09-19
Most probable explanation is there is a proxy server running on those machines at NASA that bots are using to do what they always do. NASA has historically had very poor IT security; looks like that's still the case.
1 UncleSnake3301 2018-09-19
Ann Arbor is a HUGE intel/cyber security hub. There are all kinds of gov contractors based there.
1 Jasondbaker31 2018-09-19
Thursday is the National EAS test.
1 UncleSnake3301 2018-09-19
They pushed it back till October 2
1 no_muslim 2018-09-19
Screenshot?
1 keptfloatin707 2018-09-19
in OP now.
1 infocom6502 2018-09-19
you may have googled wrong, it locates to detroit area / ann arbor:
ipaddress.is/35.242.216.1
1 keptfloatin707 2018-09-19
idk i've used multiple services all pointed me to the same place with the same info..
1 applextrent 2018-09-19
Ok this is fucking weird.
I got a call from a buddy yesterday because someone tried to hack into his Gmail. The IP is different but similar and 3 of the tracebacks lead to Moffett Field in Mountain View which is leased by Google https://www.google.com/amp/s/www.mercurynews.com/2015/03/31/google-takes-over-aging-moffett-field-and-its-airship-hangars/amp/. The 4th location traced back to Ashburn Virginia to a zip code with no addresses.
The longitude and latitude that IP traces to is near a BBQ place in Ashburn. The IP shows up as being a Google ISP, so I searched the BBQ places address to see if Google Fiber is available in the area and it is not. Meaning there is no publicly available Google ISP in the area, and given the fact it’s listed with its own zip code I can only assume it’s like how some buildings in New York or even prisons have their own zip codes for a single building or facility.
Meaning there's likely an unknown facility with its own zip code that has Google as its ISP, one that's potentially not publicly available. That computer system is then probing Gmail accounts to hack into them, and one of Google's security systems is being triggered, reporting Google and this Google ISP location as the source of the hack.
I port scanned the IP and the only thing open was SSH for remote access using some secure encryption. So this isn't some random web app or server. It's possible someone is just running this on Google Cloud, but there's no proxy, no VPN, and it's traceable to a zip code that doesn't exist and a BBQ place. Also I'm not sure why it would be tracing back to the Moffett Field data center. Most of Google Cloud's facilities are located elsewhere.
My original guess was this was civilian, possibly corporate someone with ties to Google, maybe some kind of political operative. Now I don’t know. This could be deeper than that.
The fact I know this is now a coordinated attack is fascinating. My friend believes he’s being targeted for political reasons. I can’t disclose the situation but I can assure you he has reason to believe this and it is serious.
Anyone else who was targeted in this hack have any reason why they might be targeted?
Also if you know someone who has been targeted instruct them to turn on two step authentication to secure their accounts and prevent a second attempt on their accounts. Any IPs or other info you can provide would be useful.
I’m seriously interested in maybe writing about this publicly and seeing if we can figure out wtf is going on.
1 keptfloatin707 2018-09-19
yeah the Google ISP is what's getting me rn; consistent IP lookups all say the same thing, and you'd think Google's got govt contracts
1 rednaskal 2018-09-19
Geolocation is not that accurate that you could pinpoint it to specific building. It's Google's IP in Mountain View, CA. and in use by Google Cloud. Who/what used that could be anyone. I would try to contact google and ask.
I tried to geolocate my own IP. Seems to be over 100miles from my home in the middle of nature reserve.
1 keptfloatin707 2018-09-19
Idk what to tell you, I ran it through various sites and they all came back the same. I searched mine and it nailed my city; the location was off a mile or so.
1 rednaskal 2018-09-19
https://www.iplocation.net/geolocation-accuracy
1 Pianu_Keys 2018-09-19
Trump has to backdoor into your phone before he can text you on Thursday.
1 mailord1 2018-09-19
They got cha my dude, watch out and good look <3
1 129321 2018-09-19
protip : government networks are easy to compromise
someone has made a botnet out of NASA's datacenter and they are using it to scam and exploit; they must have complete remote access, pretty neat.
1 Ballsdeepinreality 2018-09-19
This was my conclusion.
Would explain Sunspot being closed if that was where they uploaded it?
1 129321 2018-09-19
view my profile history for a writeup on sunspot, they were not spammers, it was advanced espionage, likely done by a foreign nation.
1 Ballsdeepinreality 2018-09-19
It could be just as likely CIA, trying to frame Russia with a "cyber attack".
Add in the explosions in the NE from the gas lines (cyber attack on infrastructure), bam, you've got a Tom Clancy novel.
1 defiant224 2018-09-19
Since it's an old account, the password was probably hacked sometime if you used the same password for multiple sites. Check your address at https://haveibeenpwned.com/ and other sites to see. A botnet can harvest these and test them, and it seems that's the most likely explanation.
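The comment above points at breach corpora and credential stuffing: a reused password from an old leak gets tried against Gmail by a bot. The example below is added here and is not the commenter's code or Have I Been Pwned's own client. It shows the k-anonymity range check that the Pwned Passwords service uses (the real endpoint is GET https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>, which returns "<35-char suffix>:<count>" lines), so a password can be checked against a breach corpus without the full hash or the secret ever leaving the machine. The range response is constructed inline so the block runs offline; only the SHA-1 of the string "password" is a real digest, and the counts are made-up placeholders.

```python
"""Offline demonstration of the Pwned Passwords k-anonymity range check.

Added example, not code from the thread. The server response is a constructed
stand-in for what the real /range/<prefix> endpoint returns.
"""
import hashlib

# Constructed stand-in for the server's response to GET /range/5BAA6.
# "5BAA6" is the real first five hex chars of SHA-1("password"); the counts
# and the two filler suffixes are made up for this example.
FAKE_RANGE_RESPONSE = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # real suffix for "password", constructed count
        "0A1B2C3D4E5F60718293A4B5C6D7E8F90AB:12",       # constructed filler
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",        # constructed filler
    ]),
}


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call. A real client would do
    urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}")
    and read the body; here we look up the constructed response instead."""
    return FAKE_RANGE_RESPONSE.get(prefix, "")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 if absent).

    Only the prefix is handed to `fetch`; the suffix comparison happens
    locally, which is what keeps the check k-anonymous."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-nobody-leaked"):
        n = pwned_count(pw)
        verdict = f"seen {n} times in the corpus" if n else "not in the corpus"
        print(f"{pw!r}: {verdict}")
```

The design point is that the server never learns which of the hundreds of suffixes in a range you were interested in, so the check is safe to run on a live password; a defender rolling this into a password-change flow would reject any candidate with a non-zero count.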
1 keptfloatin707 2018-09-19
Interesting yeah it says I got pwned a few times on multiple older accounts.
1 battles 2018-09-19
Whois IP 35.242.216.1
ARIN WHOIS data and services are subject to the Terms of Use
available at: https://www.arin.net/whois_tou.html
If you see inaccuracies in the results, please report at
https://www.arin.net/resources/whois_reporting/index.html
Copyright 1997-2018, American Registry for Internet Numbers, Ltd.

NetRange: 35.208.0.0 - 35.247.255.255
CIDR: 35.208.0.0/12, 35.240.0.0/13, 35.224.0.0/12
NetName: GOOGLE-CLOUD
NetHandle: NET-35-208-0-0-1
Parent: NET35 (NET-35-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Google LLC (GOOGL-2)
RegDate: 2017-09-29
Updated: 2018-01-24
Comment: *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
Comment:
Comment: Direct all copyright and legal complaints to
Comment: https://support.google.com/legal/go/report
Comment:
Comment: Direct all spam and abuse complaints to
Comment: https://support.google.com/code/go/gce_abuse_report
Comment:
Comment: For fastest response, use the relevant forms above.
Comment:
Comment: Complaints can also be sent to the GC Abuse desk
Comment: (email@google.com)
Comment: but may have longer turnaround times.
Ref: https://rdap.arin.net/registry/ip/35.208.0.0

OrgName: Google LLC
OrgId: GOOGL-2
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2006-09-29
Updated: 2017-12-21
Comment: *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
Comment:
Comment: Direct all copyright and legal complaints to
Comment: https://support.google.com/legal/go/report
Comment:
Comment: Direct all spam and abuse complaints to
Comment: https://support.google.com/code/go/gce_abuse_report
Comment:
Comment: For fastest response, use the relevant forms above.
Comment:
Comment: Complaints can also be sent to the GC Abuse desk
Comment: (email@google.com)
Comment: but may have longer turnaround times.
Comment:
Comment: Complaints sent to any other POC will be ignored.
Ref: https://rdap.arin.net/registry/entity/GOOGL-2

OrgTechHandle: ZG39-ARIN
OrgTechName: Google LLC
OrgTechPhone: +1-650-253-0000
OrgTechEmail: email@google.com
OrgTechRef: https://rdap.arin.net/registry/entity/ZG39-ARIN

OrgAbuseHandle: GCABU-ARIN
OrgAbuseName: GC Abuse
OrgAbusePhone: +1-650-253-0000
OrgAbuseEmail: email@google.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/GCABU-ARIN

OrgNOCHandle: GCABU-ARIN
OrgNOCName: GC Abuse
OrgNOCPhone: +1-650-253-0000
OrgNOCEmail: email@google.com
OrgNOCRef: https://rdap.arin.net/registry/entity/GCABU-ARIN
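The whois record above is the authoritative answer to "whose address is this" that the geolocation sites in the thread are not: it names the allocation (GOOGLE-CLOUD), the registrant (Google LLC) and the abuse contact, and the postal address it carries is the registrant's headquarters rather than the machine's location, which is what many geolocation databases fall back to for a cloud block. The example below is added here and is not the commenter's code or ARIN's tooling. It parses a flattened whois record into fields, checks which of the listed CIDR allocations an IP falls into, and returns the registrant and abuse contact. The record text is constructed from the fields quoted in this thread (the email values are as redacted on the page); a real lookup would use `whois 35.242.216.1` or the RDAP URL in the Ref: field.

```python
"""Parse an ARIN-style whois record and classify reported IPs against it.

Added example, not code from the thread. WHOIS_TEXT is constructed from the
fields quoted in the comment above.
"""
import ipaddress
import re

# Constructed sample record: the NetRange/Org fields quoted in the thread.
WHOIS_TEXT = """\
NetRange: 35.208.0.0 - 35.247.255.255
CIDR: 35.208.0.0/12, 35.240.0.0/13, 35.224.0.0/12
NetName: GOOGLE-CLOUD
NetType: Direct Allocation
Organization: Google LLC (GOOGL-2)
Comment: *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
Comment: Direct all spam and abuse complaints to
Comment: https://support.google.com/code/go/gce_abuse_report
Address: 1600 Amphitheatre Parkway
City: Mountain View
OrgAbuseEmail: email@google.com
Ref: https://rdap.arin.net/registry/ip/35.208.0.0
"""

FIELD_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_whois(text: str) -> dict:
    """Return {field: value}. Repeated fields such as Comment: are joined
    with newlines so nothing from the record is silently dropped."""
    record = {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue  # banner / terms-of-use lines carry no field
        key, value = m.group(1), m.group(2).strip()
        record[key] = value if key not in record else record[key] + "\n" + value
    return record


def allocation_networks(record: dict):
    """The CIDR: field may list several blocks that together cover NetRange."""
    return [ipaddress.ip_network(c.strip()) for c in record["CIDR"].split(",")]


def classify_ip(ip_str: str, record: dict):
    """Return (matching CIDR, registrant, abuse contact) for ip_str,
    or (None, None, None) if the IP is outside this allocation."""
    ip = ipaddress.ip_address(ip_str)
    for net in allocation_networks(record):
        if ip in net:
            return str(net), record.get("Organization"), record.get("OrgAbuseEmail")
    return None, None, None


def in_net_range(ip_str: str, record: dict) -> bool:
    """Cross-check the CIDR list against the NetRange: start - end pair."""
    start, end = (ipaddress.ip_address(p.strip()) for p in record["NetRange"].split("-"))
    return start <= ipaddress.ip_address(ip_str) <= end


if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    # The two addresses reported in this thread, plus one outside the block.
    for ip in ("35.242.216.1", "35.241.196.144", "8.8.8.8"):
        net, org, abuse = classify_ip(ip, rec)
        if net is None:
            print(f"{ip}: not in {rec['NetName']}")
        else:
            print(f"{ip}: in {net} ({rec['NetName']}), registrant {org}, report to {abuse}")
```

Both addresses posted in the thread land in 35.240.0.0/13 of the same GOOGLE-CLOUD allocation, so the actionable step is an abuse report to the contact in the record, not a guess about which building the geolocation database happened to pin.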
1 rockmandew 2018-09-19
If you're concerned about your online security, I recommend investing in a physical security key (FIDO U2F), there are many on the market today:
If you're ultra concerned, buy two physical keys and contact Google for "Advanced Protection": https://landing.google.com/advancedprotection/