[unisog] Honeypot in Netherlands mirroring entire DNSstructures for some .edu's

John C. A. Bambenek bambenek at control.csl.uiuc.edu
Thu Nov 16 21:13:50 GMT 2006

Right, I saw that just after I sent the email... It's wildcard.

Because of the shear number of .edu's it's squating on, and the wildcards
I'm assuming malicious.  Best case, you have legit users typo'ing stuff
(like say, SSH connections) and giving their password to someone else.

So far there is about a dozen, I've found.

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Bill Owens
Sent: Thursday, November 16, 2006 3:07 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Honeypot in Netherlands mirroring entire DNSstructures
for some .edu's

On Thu, Nov 16, 2006 at 01:59:11PM -0600, John C. A. Bambenek wrote:
> All-
> We just discovered that there is a machine in the Netherlands that is 
> apparently running a honeypot and is mirroring entire DNS structures 
> for some .edu domains.

The zone consists of wildcards:

[cookiemonster:~] owens% dig +noall +answer thisisnotarealname.uiuc.eu
thisisnotarealname.uiuc.eu. 86400 IN    A
[cookiemonster:~] owens% dig +noall +answer thisisnotarealname.uiuc.eu mx
thisisnotarealname.uiuc.eu. 86400 IN    MX      5 mail.verkeerspark.nl.

I have no idea whether this activity is malicious or not, but it isn't
'mirroring' domains, only registering them under .eu with the wildcards
above (and possibly others).

unisog mailing list
unisog at lists.dshield.org

More information about the unisog mailing list