Educause Security Discussion mailing list archives

Honeypot in Netherlands mirroring entire DNS structures for some .edu's


From: "John C. A. Bambenek" <bambenek () CONTROL CSL UIUC EDU>
Date: Thu, 16 Nov 2006 13:57:26 -0600

All-

We just discovered that there is a machine in the Netherlands that is
apparently running a honeypot and is mirroring entire DNS structures for
some .edu domains.

For instance, our webserver www.csl.uiuc.edu resolves to 130.126.136.140,
but www.csl.uiuc.eu resolves to 212.79.243.140.  It mirrors every DNS name
under our domain to that IP.  After taking a look, I found about 6 other
.edu domains that are being fully mirrored after doing a quick check with
nslookup.

It appears the attempt is to grab credentials for later re-use. Take a look
to see if your domains are being mirrored and take appropriate action.

j
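
The check the message asks list members to run, as an added example that is not part of the original post: it compares each name in your .edu zone with the same name under .eu and probes a random label to see whether the .eu zone answers for everything. The function names, the "mail" label and the 192.0.2.25 address are assumptions made for the illustration; the two www addresses are the ones quoted in the message.

```python
import secrets
import socket


def resolve(name):
    """Return the set of IPv4 addresses for name (empty if it does not resolve)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # gaierror/herror: NXDOMAIN, no answer, resolver failure
        return set()


def check_mirror(zone, labels, resolver=resolve, fake_tld="eu"):
    """Compare label.zone with the same label under the lookalike TLD."""
    base = zone.rsplit(".", 1)[0]                    # "csl.uiuc.edu" -> "csl.uiuc"
    fake_zone = f"{base}.{fake_tld}"
    # A random label should not exist anywhere; if it resolves, the lookalike
    # zone answers for every name, which is the behaviour the message reports.
    probe_ips = resolver(f"{secrets.token_hex(8)}.{fake_zone}")
    findings = []
    for label in labels:
        real_ips = resolver(f"{label}.{zone}")
        fake_ips = resolver(f"{label}.{fake_zone}")
        # Flag lookalike names that resolve somewhere other than our own hosts.
        if fake_ips and not (fake_ips & real_ips):
            findings.append((f"{label}.{fake_zone}", sorted(fake_ips)))
    return {
        "fake_zone": fake_zone,
        "wildcard": bool(probe_ips),
        "wildcard_ips": sorted(probe_ips),
        "findings": findings,
    }


def sample_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    if name.endswith(".csl.uiuc.eu"):
        return {"212.79.243.140"}                    # every .eu name answers
    real = {
        "www.csl.uiuc.edu": {"130.126.136.140"},     # address from the message
        "mail.csl.uiuc.edu": {"192.0.2.25"},         # constructed host
    }
    return real.get(name, set())


if __name__ == "__main__":
    print(check_mirror("csl.uiuc.edu", ["www", "mail"], resolver=sample_resolver))
```

Drop the `resolver=` argument to query live DNS for your own zone and host labels.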
