Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's

["John C. A. Bambenek" <bambenek () CONTROL CSL UIUC EDU>]

http://www.juniata.eu/


It looks like a legit site.

-----Original Message-----
From: Wood, Anne M (wood) [mailto:wood () JUNIATA EDU]
Sent: Thursday, November 16, 2006 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS
structures for some .edu's

Hi John,

Our domain is www.juniata.edu and when I do a look up of www.juniata.eu, I
get the response below.  Is this the same problem that you mentioned and
would you happen to be able to tell me what the appropriate action is for
something like this?

> www.juniata.eu
Server:  cohiba.juniata.edu
Address:  172.16.17.16

Non-authoritative answer:
Name:    www.juniata.eu
Address:  81.169.145.86

Sorry to contact you directly, I was hoping you could help me understand
what I am seeing.  If you don't have time to reply, I understand.

Sincerely,
Anne Wood
Director of Campus Network and Security
Juniata College
Huntingdon, PA 16652
(814)641-5310



-----Original Message-----
From: John C. A. Bambenek [mailto:bambenek () CONTROL CSL UIUC EDU]
Sent: Thursday, November 16, 2006 2:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Honeypot in Netherlands mirroring entire DNS structures
for some .edu's

All-

We just discovered that there is a machine in the Netherlands that is
apparently running a honeypot and is mirroring entire DNS structures for
some .edu domains.

For instance, our webserver www.csl.uiuc.edu resolves to 130.126.136.140,
but www.csl.uiuc.eu resolves to 212.79.243.140.  It mirrors every DNS name
under our domain to that IP.  After taking a look, I found about 6 others
.edu domains that are being fully mirrored after doing a quick check with
nslookup.

It appears the attempt is to grab credentials for later re-use. Take a look
to see if your domains are being mirrored and take appropriate action.

j