Educause Security Discussion mailing list archives
Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's
From: "John C. A. Bambenek" <bambenek () CONTROL CSL UIUC EDU>
Date: Thu, 16 Nov 2006 14:30:31 -0600
http://www.juniata.eu/

It looks like a legit site.

-----Original Message-----
From: Wood, Anne M (wood) [mailto:wood () JUNIATA EDU]
Sent: Thursday, November 16, 2006 2:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

Hi John,

Our domain is www.juniata.edu and when I do a lookup of www.juniata.eu, I get the response below. Is this the same problem that you mentioned and would you happen to be able to tell me what the appropriate action is for something like this?

www.juniata.eu
Server: cohiba.juniata.edu
Address: 172.16.17.16

Non-authoritative answer:
Name: www.juniata.eu
Address: 81.169.145.86

Sorry to contact you directly, I was hoping you could help me understand what I am seeing. If you don't have time to reply, I understand.

Sincerely,
Anne Wood
Director of Campus Network and Security
Juniata College
Huntingdon, PA 16652
(814)641-5310

-----Original Message-----
From: John C. A. Bambenek [mailto:bambenek () CONTROL CSL UIUC EDU]
Sent: Thursday, November 16, 2006 2:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

All-

We just discovered that there is a machine in the Netherlands that is apparently running a honeypot and is mirroring entire DNS structures for some .edu domains. For instance, our webserver www.csl.uiuc.edu resolves to 130.126.136.140, but www.csl.uiuc.eu resolves to 212.79.243.140. It mirrors every DNS name under our domain to that IP.

After taking a look, I found about 6 other .edu domains that are being fully mirrored after doing a quick check with nslookup. It appears the attempt is to grab credentials for later re-use.

Take a look to see if your domains are being mirrored and take appropriate action.

j
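[Added example, not part of the original messages or written by any list participant.] The nslookup check described in the thread can be scripted so that it also tests for the "mirrors every DNS name" behaviour by querying a random label that cannot exist in the real zone. The function names, the "mail" label and the sample resolver are assumptions made for illustration; the two IP addresses in the sample resolver are the ones quoted in the original post.

```python
import secrets
import socket


def resolve(name):
    """Return the set of IPv4 addresses for name (empty set if it does not resolve)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()


def sample_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    if name == "www.csl.uiuc.edu":
        return {"130.126.136.140"}
    if name.endswith(".csl.uiuc.eu"):      # look-alike zone answers for any label
        return {"212.79.243.140"}
    return set()


def check_lookalike(domain, labels, lookalike_tld="eu", resolver=resolve):
    """Compare hosts under domain with the same names under a look-alike TLD."""
    base, _, _tld = domain.rpartition(".")
    twin_domain = f"{base}.{lookalike_tld}"

    # A random label cannot be a real host; an answer means the zone is a wildcard.
    wildcard_ips = resolver(f"{secrets.token_hex(8)}.{twin_domain}")

    hits = {}
    for label in labels:
        real = resolver(f"{label}.{domain}")
        fake = resolver(f"{label}.{twin_domain}")
        # Report look-alike names that resolve to addresses we do not use.
        if fake and fake.isdisjoint(real):
            hits[f"{label}.{twin_domain}"] = sorted(fake)

    return {
        "lookalike": twin_domain,
        "wildcard": bool(wildcard_ips),
        "wildcard_ips": sorted(wildcard_ips),
        "hits": hits,
    }


if __name__ == "__main__":
    # Offline demo; drop the resolver argument to query real DNS instead.
    print(check_lookalike("csl.uiuc.edu", ["www", "mail"], resolver=sample_resolver))
```

A wildcard result together with hits that all share one address matches the pattern reported in the original post.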