Educause Security Discussion mailing list archives

Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's


From: "Wood, Anne M (wood)" <wood () JUNIATA EDU>
Date: Thu, 16 Nov 2006 15:27:22 -0500

Hi John,

Our domain is www.juniata.edu and when I do a lookup of www.juniata.eu,
I get the response below.  Is this the same problem that you mentioned,
and would you happen to be able to tell me what the appropriate action
is for something like this?

www.juniata.eu
Server:  cohiba.juniata.edu
Address:  172.16.17.16

Non-authoritative answer:
Name:    www.juniata.eu
Address:  81.169.145.86

Sorry to contact you directly, I was hoping you could help me understand
what I am seeing.  If you don't have time to reply, I understand.

Sincerely,
Anne Wood
Director of Campus Network and Security
Juniata College
Huntingdon, PA 16652
(814)641-5310



-----Original Message-----
From: John C. A. Bambenek [mailto:bambenek () CONTROL CSL UIUC EDU] 
Sent: Thursday, November 16, 2006 2:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

All-

We just discovered that there is a machine in the Netherlands that is
apparently running a honeypot and is mirroring entire DNS structures for
some .edu domains.

For instance, our webserver www.csl.uiuc.edu resolves to 130.126.136.140,
but www.csl.uiuc.eu resolves to 212.79.243.140.  It mirrors every DNS name
under our domain to that IP.  After taking a look, I found about 6 other
.edu domains that are being fully mirrored after doing a quick check with
nslookup.

It appears the attempt is to grab credentials for later re-use.  Take a look
to see if your domains are being mirrored and take appropriate action.

j
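A scripted version of the nslookup check John describes, added here as an example and not code from either poster: it resolves a set of labels under the real domain and under the lookalike, probes a random label that should not exist to detect a wildcard record, and reports whether every lookalike name sinks to one address that differs from the real hosts. The sample resolver is constructed to reproduce the addresses quoted in the thread; the `mail` label and the `nx-` probe prefix are assumptions.

```python
import secrets
import socket
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a hostname to an IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def socket_resolver(name: str) -> Optional[str]:
    """Default resolver: the system stub resolver (needs network access)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_lookalike(domain: str, lookalike: str, labels: Iterable[str],
                    resolve: Resolver = socket_resolver) -> Dict[str, object]:
    """Compare hosts under `domain` with the same labels under `lookalike`.

    Flags the pattern from the thread: the lookalike answers for every label
    (wildcard) and sends all of them to a single address the real zone never uses.
    """
    real = {label: resolve(f"{label}.{domain}") for label in labels}
    mirrored = {label: resolve(f"{label}.{lookalike}") for label in labels}
    # A label nobody would publish; if it resolves, the lookalike zone is a wildcard.
    wildcard_ip = resolve(f"nx-{secrets.token_hex(4)}.{lookalike}")
    mirrored_ips = {ip for ip in mirrored.values() if ip}
    real_ips = {ip for ip in real.values() if ip}
    return {
        "mirrored_labels": sorted(l for l, ip in mirrored.items() if ip),
        "single_sink": len(mirrored_ips) == 1,
        "sink_ip": next(iter(mirrored_ips)) if len(mirrored_ips) == 1 else None,
        "wildcard": wildcard_ip is not None,
        "differs_from_real": bool(mirrored_ips) and mirrored_ips.isdisjoint(real_ips),
    }


# Constructed sample resolver reproducing the resolutions quoted in the thread.
# "mail" is deliberately absent from the real zone to show the wildcard answering anyway.
_SAMPLE = {"www.csl.uiuc.edu": "130.126.136.140"}


def sample_resolver(name: str) -> Optional[str]:
    if name.endswith(".csl.uiuc.eu"):  # the lookalike answers for every label
        return "212.79.243.140"
    return _SAMPLE.get(name)


if __name__ == "__main__":
    print(check_lookalike("csl.uiuc.edu", "csl.uiuc.eu", ["www", "mail"], sample_resolver))
```

Run with the default resolver against your own domain and its `.eu` counterpart; a report with `wildcard` and `single_sink` both true is the mirroring pattern described above.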
