2006-11-18 Woozle tech log
Suspicious redirect
I noticed that when I tried to load this URL:
I got redirected to http://0.0.0.0, regardless of the exact path or whether there was a www. in the domain.
So I did some tests, and found that it was only on one computer. Then I did a wget on each computer, to compare the results:
woozle@rizzo:~$ wget http://theage.com.au
--09:30:01--  http://theage.com.au/
           => `index.html'
Resolving theage.com.au... 203.26.51.42
Connecting to theage.com.au|203.26.51.42|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.theage.com.au/ [following]
--09:30:01--  http://www.theage.com.au/
           => `index.html'
Resolving www.theage.com.au... 203.26.51.42
Reusing existing connection to theage.com.au:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
...
09:30:03 (100.89 KB/s) - `index.html' saved [134981]

woozle@gonzo:~$ wget http://theage.com.au
--09:34:02--  http://theage.com.au/
           => `index.html'
Resolving theage.com.au... 203.26.51.42
Connecting to theage.com.au|203.26.51.42|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.theage.com.au/ [following]
--09:34:02--  http://www.theage.com.au/
           => `index.html'
Resolving www.theage.com.au... 216.234.246.150
Connecting to www.theage.com.au|216.234.246.150|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://0.0.0.0/ [following]
--09:34:02--  http://0.0.0.0/
           => `index.html'
Connecting to 0.0.0.0:80... failed: Connection refused.
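The one thing that differs between the two transcripts is the DNS answer for www.theage.com.au: both machines get 203.26.51.42 for theage.com.au, but gonzo resolves the www name to 216.234.246.150, and it is that host, not the newspaper's server, that sends the redirect to 0.0.0.0. The following script is an added example (not part of the original log) that pulls exactly that out of wget's output: it parses the "Resolving ..." and "Location: ..." lines, reports names the two hosts resolved differently, and flags any redirect whose target is an IP literal no public site should send you to. The two transcripts are embedded as constructed sample input, abridged from the runs above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample input: the two wget runs from the log, abridged to the
# lines that carry DNS answers and redirects (rizzo is clean, gonzo is affected).
RIZZO = """\
--09:30:01--  http://theage.com.au/
           => `index.html'
Resolving theage.com.au... 203.26.51.42
Connecting to theage.com.au|203.26.51.42|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.theage.com.au/ [following]
--09:30:01--  http://www.theage.com.au/
           => `index.html'
Resolving www.theage.com.au... 203.26.51.42
Reusing existing connection to theage.com.au:80.
HTTP request sent, awaiting response... 200 OK
"""

GONZO = """\
--09:34:02--  http://theage.com.au/
           => `index.html'
Resolving theage.com.au... 203.26.51.42
Connecting to theage.com.au|203.26.51.42|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.theage.com.au/ [following]
--09:34:02--  http://www.theage.com.au/
           => `index.html'
Resolving www.theage.com.au... 216.234.246.150
Connecting to www.theage.com.au|216.234.246.150|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://0.0.0.0/ [following]
--09:34:02--  http://0.0.0.0/
           => `index.html'
Connecting to 0.0.0.0:80... failed: Connection refused.
"""

# Line shapes as printed by the wget version in the log.
RESOLVE_RE = re.compile(r"^Resolving (\S+)\.\.\. (\S+)$")
LOCATION_RE = re.compile(r"^Location: (\S+) \[following\]$")


def parse_wget(transcript):
    """Return ({name: address wget resolved it to}, [redirect targets in order])."""
    resolutions = {}
    redirects = []
    for raw in transcript.splitlines():
        line = raw.strip()
        m = RESOLVE_RE.match(line)
        if m:
            resolutions[m.group(1)] = m.group(2)
            continue
        m = LOCATION_RE.match(line)
        if m:
            redirects.append(m.group(1))
    return resolutions, redirects


def differing_resolutions(a, b):
    """Names both runs resolved, but to different addresses: {name: (a_addr, b_addr)}."""
    return {name: (a[name], b[name])
            for name in sorted(a.keys() & b.keys()) if a[name] != b[name]}


def nonroutable_redirects(redirects):
    """Redirect targets whose host is an IP literal in an unspecified, loopback,
    private or reserved range; 0.0.0.0 is the case from the log."""
    flagged = []
    for url in redirects:
        host = urlsplit(url).hostname
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:  # a hostname rather than an IP literal: nothing to judge here
            continue
        if ip.is_unspecified or ip.is_loopback or ip.is_private or ip.is_reserved:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    res_r, red_r = parse_wget(RIZZO)
    res_g, red_g = parse_wget(GONZO)
    print("resolved differently:", differing_resolutions(res_r, res_g))
    print("non-routable redirect targets on gonzo:", nonroutable_redirects(red_g))
```

Run against the two transcripts it reports only www.theage.com.au as resolved differently (203.26.51.42 versus 216.234.246.150) and only http://0.0.0.0/ as a non-routable redirect target, which narrows the problem to gonzo's name resolution before any whois or traceroute is needed.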
Who the freep is 216.234.246.150, and why am I getting redirected to them?? It's apparently someone who gets their hosting through ThePlanet:
whois
woozle@gonzo:~$ whois 216.234.246.150
OrgName:        ThePlanet.com Internet Services, Inc.
OrgID:          TPCM
Address:        1333 North Stemmons Freeway
Address:        Suite 110
City:           Dallas
StateProv:      TX
PostalCode:     75207
Country:        US
ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange:       216.234.224.0 - 216.234.255.255
CIDR:           216.234.224.0/19
NetName:        THEPLANET-BLK-1
NetHandle:      NET-216-234-224-0-1
Parent:         NET-216-0-0-0-0
NetType:        Direct Allocation
NameServer:     NS1.THEPLANET.COM
NameServer:     NS2.THEPLANET.COM
Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:        1999-08-31
Updated:        2000-10-10
traceroute
woozle@gonzo:~$ traceroute 216.234.246.150
traceroute to 216.234.246.150 (216.234.246.150), 30 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.626 ms  0.395 ms  0.222 ms
 2  10.40.64.1 (10.40.64.1)  7.927 ms  7.518 ms  7.984 ms
 3  srp8-0.rlghnca-rtr2.nc.rr.com (24.25.2.163)  7.762 ms  6.048 ms  6.542 ms
 4  pos14-0.rlghncrdc-rtr2.nc.rr.com (24.25.0.9)  7.971 ms  11.334 ms  8.169 ms
 5  son1-0-1.chrlncsa-rtr6.carolina.rr.com (24.93.64.81)  12.656 ms  15.095 ms  21.170 ms
 6  tenge-1-3.car1.Charlotte1.Level3.net (4.71.124.1)  18.333 ms tenge-1-4.car1.Charlotte1.Level3.net (4.71.124.5)  22.878 ms  18.346 ms
 7  ae-4-4.ebr1.Atlanta2.Level3.net (4.69.132.162)  28.189 ms * *
 8  * * *
 9  ae-14-51.car4.Dallas1.Level3.net (4.68.122.16)  41.518 ms ae-14-53.car4.Dallas1.Level3.net (4.68.122.80)  45.108 ms ae-14-55.car4.Dallas1.Level3.net (4.68.122.144)  38.409 ms
10  THE-PLANET.car4.Dallas1.Level3.net (4.71.122.2)  46.355 ms  59.596 ms  49.206 ms
11  te9-2.dsr01.dllstx3.theplanet.com (70.87.253.14)  41.971 ms  41.573 ms  41.397 ms
12  vl22.dsr02.dllstx2.theplanet.com (70.85.127.76)  47.399 ms  43.952 ms  41.928 ms
13  vl1.car02.dllstx2.theplanet.com (12.96.160.12)  45.374 ms  134.767 ms  162.767 ms
14  96.f6.ead8.static.theplanet.com (216.234.246.150)  55.133 ms  43.531 ms  43.024 ms
Googling
A quick search finds a lot of pages mentioning this IP address.
- It seems to be a DNS server used by the Windows worm Win32.Buchon.B
- A number of other domains (e.g. foo.com) resolve to that IP, so it may be a web server configured for name-based hosting; apparently, any unrecognized domain gets redirected to 0.0.0.0
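That second point explains why the path and the presence or absence of "www." made no difference: a name-based virtual host picks the site from the request's Host header before it ever looks at the path, and a catch-all default site can answer every unrecognized name the same way. The script below is an added example written for this log, not the server's actual configuration, which nobody here has seen; it models the behaviour guessed at above with Python's standard-library HTTP server on loopback. Two known names (foo.com and www.foo.com, constructed) get a normal 200, and any other Host value gets a 302 to http://0.0.0.0/, exactly as wget saw on gonzo, whatever the path. The server address, port and host list are all assumptions of the example.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed: the names this model server considers its own sites.
KNOWN_HOSTS = {"foo.com", "www.foo.com"}


class VHostHandler(BaseHTTPRequestHandler):
    """Dispatch on the Host header only; unrecognized names hit the catch-all."""

    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        if host in KNOWN_HOSTS:
            body = b"served by vhost " + host.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            # Catch-all behaviour modelled on the log: every unknown name is
            # redirected to 0.0.0.0, regardless of the requested path.
            self.send_response(302)
            self.send_header("Location", "http://0.0.0.0/")
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the model server to an ephemeral loopback port and serve in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, host_header, path="/"):
    """GET `path` from the loopback server with an explicit Host header.
    Returns (status, Location header or None); the redirect is not followed."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Host": host_header})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"))
    resp.read()
    conn.close()
    return result


def demo():
    """Probe the model server with a known name and two unknown ones, then stop it."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        return {
            "known": fetch(port, "foo.com"),
            "unknown": fetch(port, "www.theage.com.au"),
            "unknown_deep_path": fetch(port, "theage.com.au", "/news/national/story.html"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, (status, location) in demo().items():
        print(f"{label}: {status} {location or ''}")
```

Because the dispatch happens on Host alone, pointing any name at this server (whether by a hijacked resolver or a stale DNS record) produces the same 302 to 0.0.0.0 for every path, which matches what was seen in the browser and in the wget run on gonzo.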