Educause Security Discussion mailing list archives

Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's


From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Thu, 16 Nov 2006 13:11:57 -0800

I believe what you are seeing is the EU equivalent of some of the domain
registration sites. When you mistype a URL, you'll sometimes get a
domain registration or some odd advertising site stating the domain is
available. I tried what you suggested and got connected to a site at
ServControl (http://217.69.231.27/.servcontrol/scmw.pl) where you can go
to register a domain name in Europe. The site is in German.

John got a similar location in The Netherlands. Anne got a legitimate
domain registered in the EU, about Maine Coon cats.

There are very likely sites in the EU registered with similar naming,
just the .eu at the end.

Here is the whois from the ServControl site:

inetnum:        217.69.230.0 - 217.69.231.255
netname:        MARIDAN
descr:          MARIDAN IT-Service GmbH
descr:          Internet Presence Provider
descr:          Value added webhosting for resellers, companies and
descr:          private customers
descr:          Zoerbiger Str. 17
descr:          06749 Bitterfeld
country:        DE
remarks:        For abuse issues, please use only *****@maridan.net
notify:         ******@maridan.de
notify:         **********@hlkomm.de
admin-c:        HR547-RIPE
tech-c:         MH726-RIPE
status:         Assigned PA
mnt-by:         HL-KOMM-MNT
mnt-lower:      MARIDAN-MNT
mnt-routes:     HL-KOMM-MNT
changed:        **********@hlkomm.de 20040914
source:         RIPE


Guy L. Pace, CISSP
Security Administrator
Center for Information Services (CIS)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724

gpace () cis ctc edu


-----Original Message-----
From: John C. A. Bambenek [mailto:bambenek () CONTROL CSL UIUC EDU] 
Sent: Thursday, November 16, 2006 12:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS
structures for some .edu's

http://www.juniata.eu/


It looks like a legit site.

-----Original Message-----
From: Wood, Anne M (wood) [mailto:wood () JUNIATA EDU]
Sent: Thursday, November 16, 2006 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS
structures for some .edu's

Hi John,

Our domain is www.juniata.edu and when I do a lookup of www.juniata.eu,
I get the response below.  Is this the same problem that you mentioned,
and would you happen to be able to tell me what the appropriate action
is for something like this?

www.juniata.eu
Server:  cohiba.juniata.edu
Address:  172.16.17.16

Non-authoritative answer:
Name:    www.juniata.eu
Address:  81.169.145.86

Sorry to contact you directly, I was hoping you could help me understand
what I am seeing.  If you don't have time to reply, I understand.

Sincerely,
Anne Wood
Director of Campus Network and Security
Juniata College
Huntingdon, PA 16652
(814)641-5310



-----Original Message-----
From: John C. A. Bambenek [mailto:bambenek () CONTROL CSL UIUC EDU]
Sent: Thursday, November 16, 2006 2:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Honeypot in Netherlands mirroring entire DNS
structures for some .edu's

All-

We just discovered that there is a machine in the Netherlands that is
apparently running a honeypot and is mirroring entire DNS structures for
some .edu domains.

For instance, our webserver www.csl.uiuc.edu resolves to
130.126.136.140, but www.csl.uiuc.eu resolves to 212.79.243.140.  It
mirrors every DNS name under our domain to that IP.  After taking a
look, I found about 6 other .edu domains that are being fully mirrored
after doing a quick check with nslookup.

It appears the attempt is to grab credentials for later re-use. Take a
look to see if your domains are being mirrored and take appropriate
action.

j
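The check John describes (resolve names under your .edu domain, resolve the same names with the TLD swapped to .eu, and see whether everything lands on one address) is easy to script. The example below is added here and is not code from any poster in this thread. It takes a resolver callable so it can be run offline against a constructed lookup table; the fixture reuses the addresses quoted above (130.126.136.140 and 212.79.243.140 for csl.uiuc, 81.169.145.86 for www.juniata.eu) and invents a documentation-range address for www.juniata.edu, since the thread does not give one. The extra probe of a random, nonexistent label under the .eu name is what distinguishes a wildcard that swallows every name (John's case) from a single legitimately registered host (Anne's case). A wildcard by itself says nothing about intent; the next step a practitioner would take is to fetch the mirrored host with the original Host header and look at what is actually served.

```python
"""Detect look-alike-TLD mirroring of a domain's DNS names (added example)."""
import secrets
import socket
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a hostname to an IPv4 string, or None if it does not resolve.
Resolver = Callable[[str], Optional[str]]


def socket_resolver(name: str) -> Optional[str]:
    """Live resolver using the system stub resolver (needs network access)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def swap_tld(name: str, new_tld: str) -> str:
    """www.csl.uiuc.edu -> www.csl.uiuc.eu (replaces only the final label)."""
    head, _, _ = name.rpartition(".")
    return f"{head}.{new_tld}"


def check_mirror(domain: str, labels: Iterable[str], mirror_tld: str = "eu",
                 resolver: Resolver = socket_resolver) -> Dict[str, object]:
    """Compare <label>.<domain> against <label>.<domain-with-mirror_tld>.

    Returns a dict with per-label (real_ip, mirror_ip) pairs, the address a
    random nonexistent label resolves to under the mirror domain (None if it
    does not), and a verdict:
      wildcard-mirror  every name under the mirror domain answers (wildcard)
      partial          only some specific names exist under the mirror domain
      none             nothing resolves under the mirror domain
    """
    pairs = {}
    for label in labels:
        real = f"{label}.{domain}"
        pairs[label] = (resolver(real), resolver(swap_tld(real, mirror_tld)))

    # Wildcard probe: a random label nobody would have registered on purpose.
    probe = f"nx-{secrets.token_hex(6)}.{swap_tld(domain, mirror_tld)}"
    wildcard_ip = resolver(probe)

    mirror_ips = {mirror for _, mirror in pairs.values() if mirror is not None}
    if wildcard_ip is not None:
        verdict = "wildcard-mirror"
    elif mirror_ips:
        verdict = "partial"
    else:
        verdict = "none"
    return {"pairs": pairs, "wildcard_ip": wildcard_ip, "verdict": verdict}


def fake_resolver(name: str) -> Optional[str]:
    """Constructed fixture modelled on the thread, so the script runs offline.

    csl.uiuc.eu behaves like a wildcard (every name -> 212.79.243.140);
    juniata.eu has only www registered. 192.0.2.10 is an invented
    documentation-range address for www.juniata.edu, not a real lookup.
    """
    table = {
        "www.csl.uiuc.edu": "130.126.136.140",
        "www.juniata.edu": "192.0.2.10",      # constructed
        "www.juniata.eu": "81.169.145.86",
    }
    if name in table:
        return table[name]
    if name.endswith(".csl.uiuc.eu"):
        return "212.79.243.140"
    return None


if __name__ == "__main__":
    # Swap fake_resolver for socket_resolver to run this against real DNS.
    for dom in ("csl.uiuc.edu", "juniata.edu"):
        report = check_mirror(dom, ["www", "mail", "ns1"], resolver=fake_resolver)
        print(dom, report["verdict"], report["wildcard_ip"])
        for label, (real, mirror) in report["pairs"].items():
            print(f"  {label:<5} {real!s:<18} {mirror!s}")
```

Run it with `socket_resolver` and your own domain and a list of the labels you actually publish (web, mail, NS, VPN hosts); a "wildcard-mirror" verdict with one address for everything is the pattern John reports, while "partial" is what a single legitimately registered .eu site looks like.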
