Educause Security Discussion mailing list archives
Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Thu, 16 Nov 2006 16:37:52 -0500
yale.eu is registered (by ASSA ABLOY AB in Sweden -- I believe they own the Yale Lock company in the US now) but is not 'mirrored'. I think you are seeing a domain name squatter on uiuc.eu -- it is registered (at www.eurid.eu) to:

% WHOIS uiuc
Domain:      uiuc
Status:      REGISTERED
Registered:  Fri Apr 7 2006
Registrant:  Please visit www.eurid.eu for webbased whois.
Agent Technical Contacts:
  Phone:     +31.314399933
  Fax:       +31.314399934
  Email:     support () nl cleanport com
Registrar:
  Name:      CleanPort
  Website:   www.cleanport.com
Nameservers:
  dns4.blixem.nl
  dns5.blixem.nl
%

[ http://www2.whois.eu/whois/GetWhois.htm;jsessionid=F1D5F2E773414D12F7414CD5E513DCB4 ]

Domain details
  Domain Name:   uiuc
  Status:        REGISTERED
  Registered:    07 April 2006
  Last update:   07 April 2006 11:21
Registrant
  Name:          B.H.M. van der Heijden
  Organisation:  Parknet BV
  Language:      Dutch
  Address:       address
  Phone:         phone
  Email:         email
Registrar technical contacts
  Name:          Afdeling Support
  Organisation:  CleanPort BV
  Language:      Dutch
  Address:       Gildenbroederslaan 1, 7005 BM Doetinchem, Netherlands
  Phone:         +31.314399933
  Fax:           +31.314399934
  Email:         support () nl cleanport com
Registrar
  Organisation:  CleanPort
  Website:       www.cleanport.com
Nameservers
  dns4.blixem.nl
  dns5.blixem.nl

- H. Morrow Long, CISSP, CISM, CEH
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS

On Nov 16, 2006, at 2:57 PM, John C. A. Bambenek wrote:
> All-
>
> We just discovered that there is a machine in the Netherlands that is apparently running a honeypot and is mirroring entire DNS structures for some .edu domains. For instance, our webserver www.csl.uiuc.edu resolves to 130.126.136.140, but www.csl.uiuc.eu resolves to 212.79.243.140. It mirrors every DNS name under our domain to that IP.
>
> After taking a look, I found about 6 other .edu domains that are being fully mirrored after doing a quick check with nslookup. It appears the attempt is to grab credentials for later re-use.
>
> Take a look to see if your domains are being mirrored and take appropriate action.
>
> j
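The quoted post asks list members to check whether their own .edu names are being answered for under a look-alike .eu zone. The script below is an added example for doing that check, not code from either poster: it resolves each label under both TLDs, reports whether every .eu answer collapses onto one unrelated address (the "every name maps to one IP" pattern described above), and probes a random never-registered label to see whether the .eu zone answers for anything at all. The `fake_resolver` and its zone data are constructed sample data modelled on the two addresses quoted in the post; the default `socket.gethostbyname` resolver is an assumption about the host's resolver and is only used when you pass no `resolve` argument.

```python
import secrets
import socket


def default_resolver(name):
    """Resolve a hostname to an IPv4 string with the system resolver.
    Returns None on NXDOMAIN or any other lookup failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def compare_tlds(domain_base, labels, resolve=default_resolver,
                 real_tld="edu", suspect_tld="eu"):
    """For each label, resolve <label>.<domain_base>.<real_tld> and
    <label>.<domain_base>.<suspect_tld>. Returns {label: (real_ip, suspect_ip)}."""
    results = {}
    for label in labels:
        real = resolve(f"{label}.{domain_base}.{real_tld}")
        suspect = resolve(f"{label}.{domain_base}.{suspect_tld}")
        results[label] = (real, suspect)
    return results


def mirroring_verdict(results):
    """Return (is_mirrored, sink_ip).

    'Mirrored' here means every suspect-TLD name that resolves at all resolves to
    one single address, and that address is not the real address of any of the
    checked hosts (a legitimate mirror would hand out the real addresses)."""
    suspect_ips = {s for (_r, s) in results.values() if s is not None}
    if len(suspect_ips) != 1:
        return False, None
    sink = next(iter(suspect_ips))
    if any(r == sink for (r, _s) in results.values()):
        return False, None
    return True, sink


def wildcard_probe(domain_base, resolve=default_resolver, suspect_tld="eu"):
    """Query a random label that nobody would have registered. A non-None answer
    means the zone answers for everything (wildcard or catch-all record), which is
    how a whole subdomain tree can be 'mirrored' without per-name records."""
    label = "probe-" + secrets.token_hex(6)
    return resolve(f"{label}.{domain_base}.{suspect_tld}")


# Constructed sample data standing in for live DNS. The two addresses are the ones
# quoted in the post; the extra hosts are invented for the example.
FAKE_ZONE = {
    "www.csl.uiuc.edu": "130.126.136.140",
    "mail.csl.uiuc.edu": "130.126.136.141",
}
SINK = "212.79.243.140"


def fake_resolver(name):
    """Offline resolver: real records for the .edu names, catch-all for uiuc.eu."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".uiuc.eu"):
        return SINK
    return None


if __name__ == "__main__":
    # Swap resolve=fake_resolver for the default to run against live DNS.
    res = compare_tlds("csl.uiuc", ["www", "mail", "login"], resolve=fake_resolver)
    for label, (real, suspect) in res.items():
        print(f"{label:8} edu={real}  eu={suspect}")
    mirrored, sink = mirroring_verdict(res)
    print("mirrored:", mirrored, "sink:", sink)
    print("random label under .eu answers:", wildcard_probe("csl.uiuc", resolve=fake_resolver))
```

Run it with the default resolver against your own second-level name to repeat the check the post recommends; a positive `wildcard_probe` result on its own is worth following up, since a squatted zone that answers for any label will also answer for hostnames you never published.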
Current thread:
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Wood, Anne M (wood) (Nov 16)
- <Possible follow-ups>
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's John C. A. Bambenek (Nov 16)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Pace, Guy (Nov 16)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's H. Morrow Long (Nov 16)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Chris Bennett (Nov 17)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Steve Lovaas (Nov 17)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Gary Flynn (Nov 17)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Mclaughlin, Kevin L (mclaugkl) (Nov 17)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Valdis Kletnieks (Nov 17)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Steve Lovaas (Nov 17)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Alan Whinery (Nov 18)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Mclaughlin, Kevin L (mclaugkl) (Nov 20)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's John C. A. Bambenek (Nov 20)
- Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's Mclaughlin, Kevin L (mclaugkl) (Nov 20)
(Thread continues...)