[nsp-sec] need a little info about .... www.wowio.net
Chris Morrow
morrowc at ops-netman.net
Wed Nov 17 00:35:52 EST 2010
So... long story short, someone seems to be playing dns games with a
google IP. www.wowio.net is variously pointed at:

CNAME google1.wowio.net
CNAME baidu.wowio.net
CNAME google2.wowio.net
CNAME google.wowio.net

From what we can tell this hostname (www.wowio.net) seems like it's
being aimed at places where the owner thinks he can get hosting... only
until the hosting provider kicks them off for the ~1gbps of traffic they
seem to like to attract.

I recall seeing wowio.net in the past (~3-4 yrs ago, dimly I remember)
but I can't dig up anything else from my recollection. I believe it was
being aimed around as it is now, in a futile attempt to find 'hosting'
or perhaps as the pointy end of a ddos stick used to flood people :(
(hard to tell from my perspective).

We see, currently, two distinct botnets poking at this /32, both using
full HTTP GET requests, and actually seemingly sending more than one GET
per packet (after three-way setup, of course). One botnet seems to fake
Baidu's bot useragent, the other useragent in use is MS IE6.0.

Does anyone else recall seeing this host before? (or maybe I'm just
misremembering)

thnx!
-Chris
(one of 3 google-security-folks here)
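
Added example, not part of the original message: a defender-side sketch that counts GET request lines per TCP payload and groups sources by claimed User-Agent, matching the traffic pattern described above. The function names, sample payloads, User-Agent strings and documentation-range IPs are constructed for illustration.

```python
import re
from collections import defaultdict

# A GET request line at the start of a payload or directly after a CRLF.
REQ_LINE = re.compile(rb"(?:^|\r\n)GET \S+ HTTP/1\.[01](?=\r\n)")
UA_HDR = re.compile(rb"\r\nUser-Agent:[ \t]*([^\r\n]*)", re.IGNORECASE)

def ua_family(ua):
    """Bucket a User-Agent by what it claims to be (a claim, not verified)."""
    low = ua.lower()
    if b"baiduspider" in low:
        return "claims-baiduspider"
    if b"msie 6.0" in low:
        return "msie6"
    return "other"

def inspect_segment(payload):
    """Return (GET request lines in one TCP payload, set of UA families)."""
    gets = len(REQ_LINE.findall(payload))
    return gets, {ua_family(u) for u in UA_HDR.findall(payload)}

def summarize(segments):
    """segments: iterable of (src_ip, tcp_payload_bytes) after the handshake."""
    report = defaultdict(lambda: {"sources": set(), "segments": 0, "multi_get": 0})
    for src, payload in segments:
        gets, families = inspect_segment(payload)
        if gets == 0:
            continue  # not an HTTP GET segment
        for fam in families or {"no-ua"}:
            row = report[fam]
            row["sources"].add(src)
            row["segments"] += 1
            row["multi_get"] += gets > 1  # more than one GET in one packet
    return {f: {**r, "sources": len(r["sources"])} for f, r in report.items()}

def build_requests(ua, n):
    """Constructed sample data: n back-to-back GETs in a single payload."""
    one = b"GET / HTTP/1.1\r\nHost: www.wowio.net\r\nUser-Agent: " + ua + b"\r\n\r\n"
    return one * n

BAIDU = b"Baiduspider+(+http://www.baidu.com/search/spider.htm)"
IE6 = b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE = [  # constructed segments, documentation-range source addresses
    ("192.0.2.10", build_requests(BAIDU, 3)),
    ("192.0.2.11", build_requests(BAIDU, 2)),
    ("198.51.100.7", build_requests(IE6, 2)),
    ("198.51.100.7", build_requests(IE6, 1)),
    ("203.0.113.5", build_requests(b"curl/7.21.0", 1)),
]

if __name__ == "__main__":
    for fam, row in sorted(summarize(SAMPLE).items()):
        print(fam, row)
```

A high `multi_get` share within one User-Agent family is the signal here; whether a source claiming to be Baidu's crawler really is one has to be checked separately against the crawler's published address or reverse-DNS information.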