[unisog] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

John C. A. Bambenek bambenek at control.csl.uiuc.edu
Thu Nov 16 19:59:11 GMT 2006


We just discovered that there is a machine in the Netherlands that is
apparently running a honeypot and is mirroring entire DNS structures for
some .edu domains.

For instance, our webserver www.csl.uiuc.edu resolves to,
but www.csl.uiuc.eu resolves to  It mirrors every DNS name
under our domain to that IP.  After taking a look, I found about 6 other
.edu domains that are being fully mirrored after doing a quick check with

It appears the attempt is to grab credentials for later re-use. Take a look
to see if your domains are being mirrored and take appropriate action.
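
Added example, not part of the original message: one way to run the check the message asks for, by comparing host names in your own zone with the same labels under a look-alike zone and probing for the wildcard behaviour described above. The zone names, addresses and the fake_resolve helper are constructed for illustration; pass resolve=dns_resolve to query live DNS.

```python
import socket
import uuid

def dns_resolve(name):
    """Live lookup: set of IPv4 addresses for name, empty set if none."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # NXDOMAIN, timeout, no network
        return set()

def check_lookalike(hosts, real_zone, lookalike_zone, resolve=dns_resolve, probes=3):
    """Check whether names under real_zone also exist under lookalike_zone."""
    mirrored, addresses = {}, set()
    for host in hosts:
        if not host.endswith("." + real_zone):
            continue  # only names inside our own zone are compared
        twin = host[: -len(real_zone)] + lookalike_zone
        found = resolve(twin)
        if found:
            mirrored[twin] = found
            addresses |= found
    # Labels that were never registered should not resolve; if they all do,
    # the look-alike zone answers with a wildcard record.
    random_hits = [resolve(f"{uuid.uuid4().hex}.{lookalike_zone}") for _ in range(probes)]
    wildcard = all(random_hits)
    for hit in random_hits:
        addresses |= hit
    return {
        "mirrored": mirrored,      # look-alike names that resolve, with their addresses
        "wildcard": wildcard,      # True if never-registered labels resolve too
        "single_ip": next(iter(addresses)) if len(addresses) == 1 else None,
    }

# Constructed sample data (documentation address ranges), so the demo runs offline.
def fake_resolve(name):
    if name.endswith(".dept.example.eu"):
        return {"192.0.2.66"}  # look-alike zone: every name -> one host
    return {"www.dept.example.edu": {"198.51.100.10"},
            "mail.dept.example.edu": {"198.51.100.25"}}.get(name, set())

if __name__ == "__main__":
    print(check_lookalike(["www.dept.example.edu", "mail.dept.example.edu"],
                          "dept.example.edu", "dept.example.eu", resolve=fake_resolve))
```

A result with wildcard set and a single_ip value matches the pattern in the message: every name under the look-alike zone answered by one machine.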

