[unisog] Honeypot in Netherlands mirroring entire DNS structures for some .edu's
John C. A. Bambenek
bambenek at control.csl.uiuc.edu
Thu Nov 16 19:59:11 GMT 2006
We just discovered that there is a machine in the Netherlands that is
apparently running a honeypot and is mirroring entire DNS structures for
some .edu domains.
For instance, our webserver www.csl.uiuc.edu resolves to 188.8.131.52,
but www.csl.uiuc.eu resolves to 184.108.40.206. It mirrors every DNS name
under our domain to that IP. After taking a look, I found about 6 other
.edu domains that are being fully mirrored after doing a quick check with
It appears the attempt is to grab credentials for later re-use. Take a look
to see if your domains are being mirrored and take appropriate action.
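
The check the post asks for, as an added example that is not part of the original message: swap .edu for .eu on your own hostnames, compare the answers, and probe the lookalike zone with a random label to see whether it answers for every name. The function names, the `example.edu` hosts and the documentation-range IPs are assumptions made up for the illustration.

```python
import secrets
import socket


def system_resolver(name):
    """IPv4 addresses for name via the OS resolver; empty set if none."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()


def lookalike(name, real_tld="edu", twin_tld="eu"):
    """Swap the last label: www.example.edu -> www.example.eu."""
    head, _, tld = name.rstrip(".").lower().rpartition(".")
    if not head or tld != real_tld:
        raise ValueError(f"{name!r} is not under .{real_tld}")
    return f"{head}.{twin_tld}"


def check_mirroring(domain, hostnames, resolve=system_resolver, probe=None):
    """Report whether the lookalike zone answers for every name under it."""
    twin_domain = lookalike(domain)
    # A random label cannot exist as a real record; an answer means a wildcard.
    probe = probe or "zz-" + secrets.token_hex(8)
    wildcard_ips = resolve(f"{probe}.{twin_domain}")
    diverted = {}
    for host in hostnames:
        twin_ips = resolve(lookalike(host))
        # Flag twins that resolve somewhere the real host does not.
        if twin_ips and not twin_ips <= resolve(host):
            diverted[lookalike(host)] = sorted(twin_ips)
    return {
        "twin_domain": twin_domain,
        "wildcard_ips": sorted(wildcard_ips),
        "diverted": diverted,
        "mirrored": bool(wildcard_ips) and len(diverted) == len(hostnames),
    }


if __name__ == "__main__":
    # Constructed data (reserved example names, documentation IP ranges).
    real = {"www.example.edu": {"192.0.2.10"}, "mail.example.edu": {"192.0.2.25"}}

    def fake_resolve(name):
        if name.endswith(".example.eu"):
            return {"198.51.100.7"}  # twin zone answers for anything
        return real.get(name, set())

    print(check_mirroring("example.edu", list(real), resolve=fake_resolve))
```

Called without `resolve=`, it uses the system resolver, so run it from a network whose resolver does not rewrite failed lookups.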