Dear Scott,
For a few weeks now there has been a significant delay after the validation of a post.
Looking at what happens, it seems the packets are first redirected through another server, like this one (74.53.235.2):
[Requête en cours whois.arin.net]
[Redirigé vers rwhois.theplanet.com:4321]
[Requête en cours rwhois.theplanet.com]
[rwhois.theplanet.com]
%rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-THEPLANET-BLK-14
network:Auth-Area:74.52.0.0/14
network:Network-Name:TPIS-BLK-74-53-235-0
network:IP-Network:74.53.235.0/27
network:IP-Network-Block:74.53.235.0 - 74.53.235.31
network:Organization-Name:WebsiteWelcome
network:Organization-City:Boca Raton
network:Organization-State:FL
network:Organization-Zip:33496
network:Organization-Country:USA
network:Description-Usage:customer
network:Server-Pri:ns1.theplanet.com
network:Server-Sec:ns2.theplanet.com
network:Tech-Contact;I:abuse@theplanet.com
network:Admin-Contact;I:abuse@theplanet.com
network:Created:20081104
network:Updated:20081105
When this arrives, the traffic is suspended, and the first TCP/IP packet indicates:
HTTP/1.1 302 Moved temporarily
aurora-balaena > http [ACK]
The 302 code is the most popular redirect code of the HTTP protocol.
This seems to be a standard result of many attacks, as seen here:
http://projects.webappsec.org/HTTP-Response-Splitting
Related data on 'aurora-balaena' are available here: http://62.233.102.200/Balaena/binMedia/ ... izTech.pdf
Does the 'www.besslerwheel.com' web site use this product? If yes, for what purposes?
If not, do you have any idea where this is coming from? Who are these guys?
You are moved temporarily to 'aurora-balaena'. Welcome.
Moderator: scott
- path_finder
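To check the two observations in the post (whether 74.53.235.2 really falls inside the rwhois network block, and whether a captured response head is a 3xx redirect and where it points), here is a small added helper; it is not code from the forum or from besslerwheel.com. The rwhois text is copied from the record above (trimmed), and the HTTP response head and its Location value are constructed placeholders, since the post does not show a Location header.

```python
import ipaddress
import re

# rwhois record as quoted in the post (trimmed to the fields used here)
RWHOIS_RECORD = """\
%rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:Auth-Area:74.52.0.0/14
network:Network-Name:TPIS-BLK-74-53-235-0
network:IP-Network:74.53.235.0/27
network:IP-Network-Block:74.53.235.0 - 74.53.235.31
network:Organization-Name:WebsiteWelcome
network:Tech-Contact;I:abuse@theplanet.com
"""

# Constructed response head; the Location value is a placeholder, not from the post.
SAMPLE_RESPONSE_HEAD = "HTTP/1.1 302 Moved Temporarily\r\nLocation: http://example.invalid/\r\n"


def parse_rwhois(text):
    """Parse 'class:Attribute[;flags]:value' lines into a dict keyed by attribute name."""
    record = {}
    for line in text.splitlines():
        if not line or line.startswith("%"):
            continue  # skip the server banner and blank lines
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        _cls, attr, value = parts
        record[attr.split(";")[0]] = value.strip()  # drop flags such as ';I'
    return record


def block_contains(record, ip):
    """True if ip lies in the record's IP-Network CIDR, falling back to the dashed block."""
    addr = ipaddress.ip_address(ip)
    if "IP-Network" in record:
        return addr in ipaddress.ip_network(record["IP-Network"], strict=False)
    lo, hi = (ipaddress.ip_address(x.strip()) for x in record["IP-Network-Block"].split("-"))
    return lo <= addr <= hi


STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def redirect_target(response_head):
    """Return (status, Location) for a 3xx response head, or None if it is not a redirect."""
    lines = response_head.splitlines()
    m = STATUS_RE.match(lines[0]) if lines else None
    if not m or not m.group(1).startswith("3"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return int(m.group(1)), value.strip()
    return int(m.group(1)), None  # redirect without a Location header
```

Comparing the Location host with the host you originally connected to is the quickest way to tell a normal same-site redirect from traffic being sent to an unrelated server.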
I cannot imagine why nobody thought of this before, including myself? It is so simple!...