Educause Security Discussion mailing list archives
Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's
From: Chris Bennett <bennetc () LCC EDU>
Date: Fri, 17 Nov 2006 08:37:56 -0500
Lansing Community College (lcc.edu) also has www.lcc.eu pointed at 212.79.243.140. I also find an MX record for lcc.eu pointing at mail.verkeerspark.nl that can take our mistyped email. I also wonder if they follow DNS serial number standards and 2006033108 means that the lcc.eu record has been in place since March of this year.

H. Morrow Long wrote:
yale.eu is registered (by ASSA ABLOY AB in Sweden -- I believe they own the Yale Lock company in the US now) but is not 'mirrored'. I think you are seeing a domain name squatter on uiuc.eu -- it is registered (at www.eurid.eu) to:

% WHOIS uiuc
Domain:      uiuc
Status:      REGISTERED
Registered:  Fri Apr 7 2006
Registrant:
    Please visit www.eurid.eu for webbased whois.
Agent Technical Contacts:
    Phone:   +31.314399933
    Fax:     +31.314399934
    Email:   support () nl cleanport com
Registrar:
    Name:    CleanPort
    Website: www.cleanport.com
Nameservers:
    dns4.blixem.nl
    dns5.blixem.nl
%

[ http://www2.whois.eu/whois/GetWhois.htm;jsessionid=F1D5F2E773414D12F7414CD5E513DCB4 ]

Domain details
    Domain Name:  uiuc
    Status:       REGISTERED
    Registered:   07 April 2006
    Last update:  07 April 2006 11:21

Registrant
    Name:         B.H.M. van der Heijden
    Organisation: Parknet BV
    Language:     Dutch
    Address:      address
    Phone:        phone
    Email:        email

Registrar technical contacts
    Name:         Afdeling Support
    Organisation: CleanPort BV
    Language:     Dutch
    Address:      Gildenbroederslaan 1, 7005 BM Doetinchem, Netherlands
    Phone:        +31.314399933
    Fax:          +31.314399934
    Email:        support () nl cleanport com

Registrar
    Organisation: CleanPort
    Website:      www.cleanport.com

Nameservers
    dns4.blixem.nl
    dns5.blixem.nl

- H. Morrow Long, CISSP, CISM, CEH
University Information Security Officer
Director -- Information Security Office
Yale University, ITS

On Nov 16, 2006, at 2:57 PM, John C. A. Bambenek wrote:

All-

We just discovered that there is a machine in the Netherlands that is apparently running a honeypot and is mirroring entire DNS structures for some .edu domains. For instance, our webserver www.csl.uiuc.edu resolves to 130.126.136.140, but www.csl.uiuc.eu resolves to 212.79.243.140. It mirrors every DNS name under our domain to that IP.
After taking a look, I found about 6 other .edu domains that are being fully mirrored after doing a quick check with nslookup. It appears the attempt is to grab credentials for later re-use. Take a look to see if your domains are being mirrored and take appropriate action.

j
--
Chris Bennett, GSNA, GSEC
Director of Information Security
Lansing Community College
517-483-5264
"Nothing strengthens the judgment and quickens the conscience like individual responsibility." -- Elizabeth Cady Stanton
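The thread tells readers to check their own domains with nslookup and, in Chris Bennett's reply, to look at the MX record and the SOA serial of the look-alike zone. The script below does those checks in one pass. It is an added example, not code from the Educause thread or from any of its participants. It assumes `dig` is on the PATH for live lookups (`dig_lookup`); `constructed_lookup` is an offline stand-in built from the values the thread reports (212.79.243.140, mail.verkeerspark.nl, serial 2006033108), with 192.0.2.0/24 documentation addresses and an invented `mail.lcc.edu.` MX standing in for the .edu-side records the thread does not give. The hostnames, the hypothetical `ns.example.net` SOA fields and the domain-name argument are illustrative.

```python
"""Check whether names under a .edu zone are mirrored under a look-alike TLD.

Added example; not code from the Educause thread or its participants.
The DNS lookup is injectable: dig_lookup() shells out to `dig` (assumed
installed), constructed_lookup() is offline test data built from the thread.
"""
import random
import re
import string
import subprocess
from datetime import date
from typing import Callable, Dict, List, Optional

Lookup = Callable[[str, str], List[str]]  # (name, rtype) -> rdata strings


def dig_lookup(name: str, rtype: str) -> List[str]:
    """Live resolver: `dig +short NAME RTYPE` (assumes dig is on PATH)."""
    out = subprocess.run(["dig", "+short", name, rtype],
                         capture_output=True, text=True, timeout=10).stdout
    return [ln.strip() for ln in out.splitlines() if ln.strip()]


def constructed_lookup(name: str, rtype: str) -> List[str]:
    """Offline stand-in for DNS. Constructed data: the .eu side reproduces
    what the thread reported; the .edu side uses 192.0.2.0/24 documentation
    addresses and a hypothetical mail.lcc.edu. MX, not real records."""
    name = name.rstrip(".").lower()
    if name == "lcc.eu" or name.endswith(".lcc.eu"):
        if rtype == "A":        # every label collapses onto one address
            return ["212.79.243.140"]
        if rtype == "MX" and name == "lcc.eu":
            return ["10 mail.verkeerspark.nl."]
        if rtype == "SOA" and name == "lcc.eu":   # mname/rname hypothetical
            return ["ns.example.net. hostmaster.example.net. "
                    "2006033108 3600 900 604800 86400"]
        return []
    table = {
        ("www.lcc.edu", "A"): ["192.0.2.10"],
        ("mail.lcc.edu", "A"): ["192.0.2.25"],
        ("lcc.edu", "MX"): ["10 mail.lcc.edu."],
    }
    return table.get((name, rtype), [])


def sibling(hostname: str, real_tld: str, suspect_tld: str) -> str:
    """www.csl.uiuc.edu -> www.csl.uiuc.eu"""
    if not hostname.endswith("." + real_tld):
        raise ValueError(f"{hostname} is not under .{real_tld}")
    return hostname[: -len(real_tld)] + suspect_tld


def soa_serial(soa_rdata: str) -> Optional[int]:
    """Serial from a `dig +short` SOA line: mname rname serial ref retry exp min."""
    f = soa_rdata.split()
    return int(f[2]) if len(f) >= 7 and f[2].isdigit() else None


def parse_soa_serial(serial: int) -> Optional[date]:
    """Read a serial in the YYYYMMDDnn convention (RFC 1912 s2.2 recommends
    it; it is not mandatory, so None means 'not date-based', not 'invalid')."""
    m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})\d{2}", str(serial))
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:
        return None


def check_mirror(domain: str, hostnames: List[str], lookup: Lookup,
                 real_tld: str = "edu", suspect_tld: str = "eu") -> Dict:
    """Compare our hostnames with their look-alike twins and report whether
    the twins collapse onto one foreign address, whether the look-alike zone
    is a wildcard, whether its MX differs from ours, and how old it looks."""
    suspect_zone = sibling(domain, real_tld, suspect_tld)
    pairs = [(h, lookup(h, "A"), lookup(sibling(h, real_tld, suspect_tld), "A"))
             for h in hostnames]
    real_ips = {ip for _, r, _ in pairs for ip in r}
    suspect_ips = {ip for _, _, s in pairs for ip in s}
    # Mirrored: every twin exists and all of them land on one address that is not ours.
    mirrored = (all(s for _, _, s in pairs) and len(suspect_ips) == 1
                and suspect_ips.isdisjoint(real_ips))
    # Wildcard probe: a random label cannot be a real host; if it resolves to
    # the same address, the zone answers for everything under it.
    probe = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
    wildcard_ips = lookup(f"{probe}.{suspect_zone}", "A")
    wildcard = bool(wildcard_ips) and set(wildcard_ips) <= suspect_ips
    real_mx, sus_mx = lookup(domain, "MX"), lookup(suspect_zone, "MX")
    soa = lookup(suspect_zone, "SOA")
    serial = soa_serial(soa[0]) if soa else None
    return {
        "suspect_zone": suspect_zone,
        "names": pairs,
        "mirrored": mirrored,
        "collapse_ip": next(iter(suspect_ips)) if len(suspect_ips) == 1 else None,
        "wildcard": wildcard,
        "suspect_mx": sus_mx,
        "mx_differs": bool(sus_mx) and set(sus_mx) != set(real_mx),
        "serial": serial,
        "serial_date": parse_soa_serial(serial) if serial is not None else None,
    }


if __name__ == "__main__":
    report = check_mirror("lcc.edu", ["www.lcc.edu", "mail.lcc.edu"], constructed_lookup)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Live check of your own zone: check_mirror("yourschool.edu", [...], dig_lookup)
```

For a live run, pass `dig_lookup` and a list of the hostnames your users actually type (web, mail, VPN, SSO). Treat `mirrored`/`wildcard` as a signal to investigate rather than proof of intent: a parked or defensively registered look-alike can also point every label at one address, and the serial date is only a hint because the YYYYMMDDnn convention is a recommendation, not a requirement.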
Current thread:
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Wood, Anne M (wood) (Nov 16)
- <Possible follow-ups>
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's John C. A. Bambenek (Nov 16)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Pace, Guy (Nov 16)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's H. Morrow Long (Nov 16)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Chris Bennett (Nov 17)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Steve Lovaas (Nov 17)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Gary Flynn (Nov 17)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Mclaughlin, Kevin L (mclaugkl) (Nov 17)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Valdis Kletnieks (Nov 17)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Steve Lovaas (Nov 17)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Alan Whinery (Nov 18)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Mclaughlin, Kevin L (mclaugkl) (Nov 20)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's John C. A. Bambenek (Nov 20)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Mclaughlin, Kevin L (mclaugkl) (Nov 20)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's John C. A. Bambenek (Nov 20)
(Thread continues...)