Educause Security Discussion mailing list archives
Honeypot in Netherlands mirroring entire DNS structures for some .edu's
From: "John C. A. Bambenek" <bambenek () CONTROL CSL UIUC EDU>
Date: Thu, 16 Nov 2006 13:57:26 -0600
All-

We just discovered that there is a machine in the Netherlands that is apparently running a honeypot and is mirroring entire DNS structures for some .edu domains. For instance, our webserver www.csl.uiuc.edu resolves to 130.126.136.140, but www.csl.uiuc.eu resolves to 212.79.243.140. It mirrors every DNS name under our domain to that IP.

After taking a look, I found about 6 other .edu domains that are being fully mirrored after doing a quick check with nslookup. It appears the attempt is to grab credentials for later re-use.

Take a look to see if your domains are being mirrored and take appropriate action.

j
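The check the message asks for, run over a whole host list instead of one nslookup at a time; this is an added example, not part of the original post. The function names, the `mail` host, the choice of `csl.uiuc.edu` as the zone and the offline `sample_resolver` table are assumptions made for illustration; only the two `www` addresses come from the message.

```python
import secrets
import socket

def resolve(name):
    """Live lookup: set of IPv4 addresses, empty if the name does not resolve."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def swap_tld(fqdn, new_tld):
    """www.csl.uiuc.edu -> www.csl.uiuc.eu"""
    return fqdn.rstrip(".").rsplit(".", 1)[0] + "." + new_tld

def check_mirror(hosts, zone, tld="eu", resolver=resolve):
    """Flag hosts whose lookalike-TLD twin resolves to addresses that are not ours."""
    findings = []
    for host in hosts:
        twin = swap_tld(host, tld)
        ours, theirs = resolver(host), resolver(twin)
        if theirs and not (theirs & ours):
            findings.append((twin, sorted(theirs)))
    # A random label cannot exist in our zone; if its twin resolves, the
    # lookalike zone answers for every name (wildcard), as the post describes.
    probe = f"{secrets.token_hex(8)}.{swap_tld(zone, tld)}"
    sinks = {ip for _, ips in findings for ip in ips}
    return {"findings": findings,
            "wildcard": bool(resolver(probe)),
            "single_sink": len(findings) > 1 and len(sinks) == 1}

def sample_resolver(name):
    """Constructed offline data: the two addresses quoted in the post plus one
    made-up host (192.0.2.10 is a documentation address)."""
    table = {"www.csl.uiuc.edu": {"130.126.136.140"},
             "mail.csl.uiuc.edu": {"192.0.2.10"}}
    if name.endswith(".csl.uiuc.eu"):
        return {"212.79.243.140"}
    return table.get(name, set())

if __name__ == "__main__":
    report = check_mirror(["www.csl.uiuc.edu", "mail.csl.uiuc.edu"],
                          "csl.uiuc.edu", resolver=sample_resolver)
    for twin, ips in report["findings"]:
        print(f"{twin} -> {', '.join(ips)}")
    print("wildcard:", report["wildcard"], "single sink:", report["single_sink"])
```

Drop the `resolver=sample_resolver` argument to query live DNS with your own host list and zone.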