2006-11-18 Woozle tech log
Latest revision as of 00:53, 17 April 2007
Suspicious redirect
I noticed that when I tried to load this URL:
 http://www.theage.com.au/news/world/spy-says-alqaeda-tricked-us-into-war/2006/11/17/1163266782059.html
I got redirected to http://0.0.0.0, regardless of the exact path or whether there was a www. in the domain.
So I did some tests, and found that it was only on one computer. Then I did a wget on each computer, to compare the results:
woozle@rizzo:~$ wget http://theage.com.au
 --09:30:01--  http://theage.com.au/
            => `index.html'
 Resolving theage.com.au... 203.26.51.42
 Connecting to theage.com.au|203.26.51.42|:80... connected.
 HTTP request sent, awaiting response... 302 Found
 Location: http://www.theage.com.au/ [following]
 --09:30:01--  http://www.theage.com.au/
            => `index.html'
 Resolving www.theage.com.au... 203.26.51.42
 Reusing existing connection to theage.com.au:80.
 HTTP request sent, awaiting response... 200 OK
 Length: unspecified [text/html]
 ...
 09:30:03 (100.89 KB/s) - `index.html' saved [134981]

woozle@gonzo:~$ wget http://theage.com.au
 --09:34:02--  http://theage.com.au/
            => `index.html'
 Resolving theage.com.au... 203.26.51.42
 Connecting to theage.com.au|203.26.51.42|:80... connected.
 HTTP request sent, awaiting response... 302 Found
 Location: http://www.theage.com.au/ [following]
 --09:34:02--  http://www.theage.com.au/
            => `index.html'
 Resolving www.theage.com.au... 216.234.246.150
 Connecting to www.theage.com.au|216.234.246.150|:80... connected.
 HTTP request sent, awaiting response... 302 Found
 Location: http://0.0.0.0/ [following]
 --09:34:02--  http://0.0.0.0/
            => `index.html'
 Connecting to 0.0.0.0:80... failed: Connection refused.
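The two transcripts above differ in exactly one place: rizzo and gonzo both resolve theage.com.au to 203.26.51.42, but gonzo resolves www.theage.com.au to 216.234.246.150 and is then sent to 0.0.0.0, an address no client can connect to. The script below is an added example (not part of the original log) that mechanises that side-by-side comparison: it parses wget's verbose output from each machine, reports hostnames the two resolvers answered differently, and flags redirects whose target is an IP literal that is unroutable from the Internet (0.0.0.0, loopback, RFC 1918, reserved). The two transcripts embedded as sample input are copied from this page; the function names and the regular expressions are the example's own.

```python
"""Compare wget transcripts captured on two machines.

Added example, not code from the original log. Flags (1) hostnames the two
machines' resolvers answered with different addresses and (2) HTTP redirects
to IP literals that cannot be reached from the public Internet.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# wget 1.x verbose output: "Resolving host... 1.2.3.4" and "Location: URL [following]"
RESOLVE_RE = re.compile(r"Resolving (\S+?)\.\.\. (\d{1,3}(?:\.\d{1,3}){3})")
LOCATION_RE = re.compile(r"Location: (\S+)")

# Sample input: the two transcripts recorded above on rizzo and gonzo.
RIZZO_TRANSCRIPT = """\
--09:30:01--  http://theage.com.au/
Resolving theage.com.au... 203.26.51.42
Connecting to theage.com.au|203.26.51.42|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.theage.com.au/ [following]
--09:30:01--  http://www.theage.com.au/
Resolving www.theage.com.au... 203.26.51.42
HTTP request sent, awaiting response... 200 OK
"""

GONZO_TRANSCRIPT = """\
--09:34:02--  http://theage.com.au/
Resolving theage.com.au... 203.26.51.42
Connecting to theage.com.au|203.26.51.42|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.theage.com.au/ [following]
--09:34:02--  http://www.theage.com.au/
Resolving www.theage.com.au... 216.234.246.150
Connecting to www.theage.com.au|216.234.246.150|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://0.0.0.0/ [following]
--09:34:02--  http://0.0.0.0/
Connecting to 0.0.0.0:80... failed: Connection refused.
"""


@dataclass
class Transcript:
    resolutions: dict = field(default_factory=dict)  # hostname -> IPv4 address wget got
    redirects: list = field(default_factory=list)    # Location: targets, in order seen


def parse_wget(text):
    """Extract every name resolution and every redirect target from wget output."""
    t = Transcript()
    for m in RESOLVE_RE.finditer(text):
        t.resolutions[m.group(1)] = m.group(2)
    t.redirects = LOCATION_RE.findall(text)
    return t


def _host_of(url):
    """Host part of an http(s) URL, without scheme, path or port (IPv4/hostnames only)."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def unroutable_redirects(t):
    """Redirect targets whose host is an IP literal a client could never reach over the Internet."""
    bad = []
    for loc in t.redirects:
        try:
            ip = ipaddress.ip_address(_host_of(loc))
        except ValueError:
            continue  # a hostname, not an IP literal; nothing to judge offline
        if ip.is_unspecified or ip.is_loopback or ip.is_private or ip.is_reserved:
            bad.append(loc)
    return bad


def resolver_disagreements(a, b):
    """Hostnames both machines resolved, mapped to the pair of differing answers."""
    common = a.resolutions.keys() & b.resolutions.keys()
    return {h: (a.resolutions[h], b.resolutions[h])
            for h in sorted(common) if a.resolutions[h] != b.resolutions[h]}


def compare(text_a, text_b):
    """Full report for two transcripts: disagreements plus unroutable redirects seen on each."""
    a, b = parse_wget(text_a), parse_wget(text_b)
    return {
        "disagreements": resolver_disagreements(a, b),
        "unroutable_a": unroutable_redirects(a),
        "unroutable_b": unroutable_redirects(b),
    }


if __name__ == "__main__":
    for key, value in compare(RIZZO_TRANSCRIPT, GONZO_TRANSCRIPT).items():
        print(f"{key}: {value}")
```

Run against the two transcripts it reports www.theage.com.au as the only disagreement (203.26.51.42 on rizzo, 216.234.246.150 on gonzo) and http://0.0.0.0/ as the only unroutable redirect, seen on gonzo only. The same functions work on any pair of wget transcripts, so the check can be repeated for other hostnames from the affected machine without eyeballing the output.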
Who the freep is 216.234.246.150, and why am I getting redirected to them?? It's apparently someone who gets their hosting through ThePlanet:
whois
woozle@gonzo:~$ whois 216.234.246.150
 OrgName:    ThePlanet.com Internet Services, Inc.
 OrgID:      TPCM
 Address:    1333 North Stemmons Freeway
 Address:    Suite 110
 City:       Dallas
 StateProv:  TX
 PostalCode: 75207
 Country:    US
 ReferralServer: rwhois://rwhois.theplanet.com:4321

 NetRange:   216.234.224.0 - 216.234.255.255
 CIDR:       216.234.224.0/19
 NetName:    THEPLANET-BLK-1
 NetHandle:  NET-216-234-224-0-1
 Parent:     NET-216-0-0-0-0
 NetType:    Direct Allocation
 NameServer: NS1.THEPLANET.COM
 NameServer: NS2.THEPLANET.COM
 Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
 RegDate:    1999-08-31
 Updated:    2000-10-10
traceroute
woozle@gonzo:~$ traceroute 216.234.246.150
 traceroute to 216.234.246.150 (216.234.246.150), 30 hops max, 40 byte packets
  1  192.168.0.1 (192.168.0.1)  0.626 ms  0.395 ms  0.222 ms
  2  10.40.64.1 (10.40.64.1)  7.927 ms  7.518 ms  7.984 ms
  3  srp8-0.rlghnca-rtr2.nc.rr.com (24.25.2.163)  7.762 ms  6.048 ms  6.542 ms
  4  pos14-0.rlghncrdc-rtr2.nc.rr.com (24.25.0.9)  7.971 ms  11.334 ms  8.169 ms
  5  son1-0-1.chrlncsa-rtr6.carolina.rr.com (24.93.64.81)  12.656 ms  15.095 ms  21.170 ms
  6  tenge-1-3.car1.Charlotte1.Level3.net (4.71.124.1)  18.333 ms tenge-1-4.car1.Charlotte1.Level3.net (4.71.124.5)  22.878 ms  18.346 ms
  7  ae-4-4.ebr1.Atlanta2.Level3.net (4.69.132.162)  28.189 ms * *
  8  * * *
  9  ae-14-51.car4.Dallas1.Level3.net (4.68.122.16)  41.518 ms ae-14-53.car4.Dallas1.Level3.net (4.68.122.80)  45.108 ms ae-14-55.car4.Dallas1.Level3.net (4.68.122.144)  38.409 ms
 10  THE-PLANET.car4.Dallas1.Level3.net (4.71.122.2)  46.355 ms  59.596 ms  49.206 ms
 11  te9-2.dsr01.dllstx3.theplanet.com (70.87.253.14)  41.971 ms  41.573 ms  41.397 ms
 12  vl22.dsr02.dllstx2.theplanet.com (70.85.127.76)  47.399 ms  43.952 ms  41.928 ms
 13  vl1.car02.dllstx2.theplanet.com (12.96.160.12)  45.374 ms  134.767 ms  162.767 ms
 14  96.f6.ead8.static.theplanet.com (216.234.246.150)  55.133 ms  43.531 ms  43.024 ms
Googling
A quick Google search for 216.234.246.150 finds a lot of pages mentioning this IP address.
- It seems to be a DNS server used by the Windows worm Win32.Buchon.B (http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40491)
- A number of other domains (e.g. foo.com) resolve to that IP, so it may be a web server configured for name-based hosting; apparently, any unrecognized domain gets redirected to 0.0.0.0