2006-11-18 Woozle tech log

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot

Suspicious redirect

I noticed that when I tried to load this URL:

http://www.theage.com.au/news/world/spy-says-alqaeda-tricked-us-into-war/2006/11/17/1163266782059.html

I got redirected to http://0.0.0.0, regardless of the exact path or whether there was a www. in the domain.

So I did some tests, and found that it was only on one computer. Then I did a wget on each computer, to compare the results:

woozle@rizzo:~$ wget http://theage.com.au

--09:30:01--  http://theage.com.au/
          => `index.html'
Resolving theage.com.au... 203.26.51.42
Connecting to theage.com.au|203.26.51.42|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.theage.com.au/ [following]
--09:30:01--  http://www.theage.com.au/
          => `index.html'
Resolving www.theage.com.au... 203.26.51.42
Reusing existing connection to theage.com.au:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

...

09:30:03 (100.89 KB/s) - `index.html' saved [134981]

woozle@gonzo:~$ wget http://theage.com.au

--09:34:02--  http://theage.com.au/
          => `index.html'
Resolving theage.com.au... 203.26.51.42
Connecting to theage.com.au|203.26.51.42|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.theage.com.au/ [following]
--09:34:02--  http://www.theage.com.au/
          => `index.html'
Resolving www.theage.com.au... 216.234.246.150
Connecting to www.theage.com.au|216.234.246.150|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://0.0.0.0/ [following]
--09:34:02--  http://0.0.0.0/
          => `index.html'
Connecting to 0.0.0.0:80... failed: Connection refused.

Who the freep is 216.234.246.150, and why am I getting redirected to them?? It's apparently someone who gets their hosting through ThePlanet:

whois

woozle@gonzo:~$ whois 216.234.246.150

OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    1333 North Stemmons Freeway
Address:    Suite 110
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange:   216.234.224.0 - 216.234.255.255
CIDR:       216.234.224.0/19
NetName:    THEPLANET-BLK-1
NetHandle:  NET-216-234-224-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    1999-08-31
Updated:    2000-10-10

traceroute

woozle@gonzo:~$ traceroute 216.234.246.150

traceroute to 216.234.246.150 (216.234.246.150), 30 hops max, 40 byte packets
1 192.168.0.1 (192.168.0.1) 0.626 ms 0.395 ms 0.222 ms
2 10.40.64.1 (10.40.64.1) 7.927 ms 7.518 ms 7.984 ms
3 srp8-0.rlghnca-rtr2.nc.rr.com (24.25.2.163) 7.762 ms 6.048 ms 6.542 ms
4 pos14-0.rlghncrdc-rtr2.nc.rr.com (24.25.0.9) 7.971 ms 11.334 ms 8.169 ms
5 son1-0-1.chrlncsa-rtr6.carolina.rr.com (24.93.64.81) 12.656 ms 15.095 ms 21.170 ms
6 tenge-1-3.car1.Charlotte1.Level3.net (4.71.124.1) 18.333 ms tenge-1-4.car1.Charlotte1.Level3.net (4.71.124.5) 22.878 ms 18.346 ms
7 ae-4-4.ebr1.Atlanta2.Level3.net (4.69.132.162) 28.189 ms * *
8 * * *
9 ae-14-51.car4.Dallas1.Level3.net (4.68.122.16) 41.518 ms ae-14-53.car4.Dallas1.Level3.net (4.68.122.80) 45.108 ms ae-14-55.car4.Dallas1.Level3.net (4.68.122.144) 38.409 ms
10 THE-PLANET.car4.Dallas1.Level3.net (4.71.122.2) 46.355 ms 59.596 ms 49.206 ms
11 te9-2.dsr01.dllstx3.theplanet.com (70.87.253.14) 41.971 ms 41.573 ms 41.397 ms
12 vl22.dsr02.dllstx2.theplanet.com (70.85.127.76) 47.399 ms 43.952 ms 41.928 ms
13 vl1.car02.dllstx2.theplanet.com (12.96.160.12) 45.374 ms 134.767 ms 162.767 ms
14 96.f6.ead8.static.theplanet.com (216.234.246.150) 55.133 ms 43.531 ms 43.024 ms

Googling

A quick search finds a lot of pages mentioning this IP address.

  • It seems to be a DNS server used by the Windows worm Win32.Buchon.B
  • A number of other domains (e.g. foo.com) resolve to that IP, so it may be a web server configured for name-based hosting; apparently, any unrecognized domain gets redirected to 0.0.0.0
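The comparison above (same `wget` on two machines, different answer for `www.theage.com.au` on one of them, then a redirect to `0.0.0.0`) can be mechanised. The following script is an added example, not part of the original log: it parses wget-style transcripts, reports any hostname that resolved to different addresses on different machines, and flags redirects whose target is an address no real site would send you to (the unspecified address `0.0.0.0`, loopback, link-local or RFC 1918 space). The sample transcripts are constructed from the excerpts above; the `Resolving`/`Location:` line formats are those of the wget version shown on this page and are an assumption for other versions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample input: abbreviated copies of the two transcripts in the log.
TRANSCRIPTS = {
    "rizzo": """\
--09:30:01--  http://theage.com.au/
Resolving theage.com.au... 203.26.51.42
Connecting to theage.com.au|203.26.51.42|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.theage.com.au/ [following]
Resolving www.theage.com.au... 203.26.51.42
HTTP request sent, awaiting response... 200 OK
""",
    "gonzo": """\
--09:34:02--  http://theage.com.au/
Resolving theage.com.au... 203.26.51.42
Connecting to theage.com.au|203.26.51.42|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.theage.com.au/ [following]
Resolving www.theage.com.au... 216.234.246.150
Connecting to www.theage.com.au|216.234.246.150|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://0.0.0.0/ [following]
Connecting to 0.0.0.0:80... failed: Connection refused.
""",
}

# Assumed line formats (match the wget output on this page).
RESOLVE_RE = re.compile(r"^Resolving (\S+?)\.\.\. (.+)$")
LOCATION_RE = re.compile(r"^Location: (\S+)")


def parse_transcript(text):
    """Pull 'Resolving host... ip' and 'Location: url' lines out of wget output."""
    resolved = {}
    redirects = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RESOLVE_RE.match(line)
        if m:
            host, ips = m.groups()
            # wget lists several addresses as 'a, b, c'; keep them in order, deduplicated
            bucket = resolved.setdefault(host, [])
            for ip in (p.strip() for p in ips.split(",")):
                if ip and ip not in bucket:
                    bucket.append(ip)
            continue
        m = LOCATION_RE.match(line)
        if m:
            redirects.append(m.group(1))
    return {"resolved": resolved, "redirects": redirects}


def is_bogus_redirect(url):
    """True when a redirect target is a literal address no legitimate site would use."""
    host = urlparse(url).hostname
    if host is None:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, judged by its resolution instead
    return addr.is_unspecified or addr.is_loopback or addr.is_link_local or addr.is_private


def diagnose(transcripts):
    """Compare transcripts from several machines.

    Returns hostnames whose resolution differed between machines (the sign of a
    poisoned resolver or hosts file on one of them) and, per machine, any
    redirects to bogus addresses."""
    parsed = {machine: parse_transcript(t) for machine, t in transcripts.items()}
    seen = {}
    for machine, p in parsed.items():
        for host, ips in p["resolved"].items():
            seen.setdefault(host, {})[machine] = ips
    divergent = {host: by_machine for host, by_machine in seen.items()
                 if len({tuple(ips) for ips in by_machine.values()}) > 1}
    bad_redirects = {}
    for machine, p in parsed.items():
        bad = [u for u in p["redirects"] if is_bogus_redirect(u)]
        if bad:
            bad_redirects[machine] = bad
    return {"divergent": divergent, "bad_redirects": bad_redirects}


if __name__ == "__main__":
    report = diagnose(TRANSCRIPTS)
    for host, by_machine in report["divergent"].items():
        print(f"{host} resolves differently: {by_machine}")
    for machine, urls in report["bad_redirects"].items():
        print(f"{machine}: redirected to {', '.join(urls)}")
```

Run against the two transcripts it reports `www.theage.com.au` as divergent (`203.26.51.42` on rizzo, `216.234.246.150` on gonzo) and gonzo's redirect to `http://0.0.0.0/`; the first hop, `theage.com.au`, resolved identically on both and is not reported. Feeding it transcripts from every machine on a LAN narrows the problem to the host whose resolver or hosts file disagrees with the rest.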