Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's

[Chris Bennett <bennetc () LCC EDU>]

Lansing Community College (lcc.edu) also has www.lcc.eu pointed at
212.79.243.140.  I also find an MX record for lcc.eu pointing at
mail.verkeerspark.nl that can take our mistyped email.  I also wonder if
they follow DNS serial number standards and 2006033108 means that the
lcc.eu record has been in place since March of this year.

H. Morrow Long wrote:
> yale.eu is registered (by  ASSA ABLOY AB  in Sweden-- I believe they
> own the Yale Lock company in the US now) but is not 'mirrored'.
>
> I think you are seeing a domain name squatter on uiuc.eu  -- it is
> registered (at www.eurid.eu <http://www.eurid.eu>) to:
>
> % WHOIS uiuc
> Domain:      uiuc
> Status:      REGISTERED
> Registered:  Fri Apr  7 2006
>
> Registrant:
>    Please visit www.eurid.eu <http://www.eurid.eu> for webbased whois.
>
> Agent Technical Contacts:
>    Phone:         +31.314399933
>    Fax:           +31.314399934
>    Email:         support () nl cleanport com
> <mailto:support () nl cleanport com>
>
> Registrar:
>    Name:      CleanPort
>    Website:   www.cleanport.com <http://www.cleanport.com>
>
> Nameservers:
>    dns4.blixem.nl
>    dns5.blixem.nl
>
> %
> [ http://www2.whois.eu/whois/GetWhois.htm;jsessionid=F1D5F2E773414D12F7414CD5E513DCB4
> ]
>
> Domain details
> Domain
> Name uiuc
> Status REGISTERED
> Registered 07 April 2006
> Last update 07 April 2006 11:21
> Registrant
> Name B.H.M. van der Heijden
> Organisation Parknet BV
> Language Dutch
> Address address
> Phone phone
> Email email
> Registrar technical contacts
> Name Afdeling Support
> Organisation CleanPort BV
> Language Dutch
> Address Gildenbroederslaan 1
> 7005 BM Doetinchem
> Netherlands
> Phone +31.314399933
> Fax +31.314399934
> Email support () nl cleanport com <mailto:support () nl cleanport com>
> Registrar
> Organisation CleanPort
> Website www.cleanport.com
> Nameservers
>
>
>
> dns4.blixem.nl
> dns5.blixem.nl
> History
>
>
>
>
> Table footer
>
> - H. Morrow Long, CISSP, CISM, CEH
>   University Information Security Officer
>   Director -- Information Security Office
>   Yale University, ITS
>
>
>
> On Nov 16, 2006, at 2:57 PM, John C. A. Bambenek wrote:
>
> > All-
> >
> > We just discovered that there is a machine in the Netherlands that is
> > apparently running a honeypot and is mirroring entire DNS structures for
> > some .edu domains.
> >
> > For instance, our webserver www.csl.uiuc.edu
> > <http://www.csl.uiuc.edu> resolves to 130.126.136.140,
> > but www.csl.uiuc.eu <http://www.csl.uiuc.eu> resolves to
> > 212.79.243.140.  It mirrors every DNS name
> > under our domain to that IP.  After taking a look, I found about 6 others
> > .edu domains that are being fully mirrored after doing a quick check with
> > nslookup.
> >
> > It appears the attempt is to grab credentials for later re-use. Take
> > a look
> > to see if your domains are being mirrored and take appropriate action.
> >
> > j

--
Chris Bennett, GSNA, GSEC
Director of Information Security
Lansing Community College
517-483-5264

"Nothing strengthens the judgment and quickens the conscience
like individual responsibility." -- Elizabeth Cady Stanton