[unisog] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

Paul FM paulfm at me.umn.edu
Thu Nov 16 22:25:05 GMT 2006


If you are running isc.org's bind as YOUR dns server (the one you connect to 
when you do dns lookups), you might want to add this option to its config:

root-delegation-only exclude { "de"; "lv"; "museum"; "us"; };

We have had it on our slaves since the whole *.com fiasco some time ago.
(I am considering not having any exclusion list).


scott hollatz wrote:
>> Right, I saw that just after I sent the email... It's wildcard.
>>
>> Because of the sheer number of .edu's it's squatting on, and the wildcards
>> I'm assuming malicious.  Best case, you have legit users typo'ing stuff
>> (like say, SSH connections) and giving their password to someone else.
>>
>> So far there are about a dozen, I've found.
>  	[stuff deleted]
> 
> And try other TLDs:
> 
>  	% dig +short ibm.cm
>  	72.51.27.58
> 
>  	% dig +short cisco.cm
>  	72.51.27.58
> 
>  	% dig +short microsoft.cm
>  	72.51.27.58
> 
> - --
> scott hollatz                                        net shollatz at d.UMn.eDu
> information technology systems and services          tel +1 218 726 8851
> university of minnesota duluth mn usa                fax +1 218 726 7674
>                                                                           --
>                                                "Asn aD ta zlAp em uT zt33rg"

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
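
Added example, not part of the original post or of BIND: a Python check for the TLD wildcard behaviour shown in the quoted dig output. It probes random unregistered names under a TLD and flags lookups that return only the wildcard address. The function names and the constructed resolver table are assumptions made for illustration.

```python
import secrets
import socket

def system_resolve(name):
    """IPv4 addresses from the host's configured resolver; empty set on failure."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # NXDOMAIN, SERVFAIL, timeout
        return set()

def constructed_resolver(name):
    """Constructed sample data: 'cm' answers every name, 'example' does not."""
    name = name.lower().rstrip(".")
    if name.endswith(".cm"):
        return {"72.51.27.58"}  # address shown in the quoted dig output
    return {"192.0.2.10"} if name == "www.good.example" else set()

def detect_tld_wildcard(tld, resolve=system_resolve, probes=3):
    """Addresses returned for every random, unregistered name under tld.

    An empty set means no wildcard was seen through this resolver.
    """
    common = None
    for _ in range(probes):
        # Trailing dot keeps the stub resolver from appending a search domain.
        addrs = set(resolve(f"zz{secrets.token_hex(12)}.{tld}."))
        if not addrs:
            return set()  # one NXDOMAIN is enough: the TLD is not wildcarded
        common = addrs if common is None else common & addrs
    return common

def flag_wildcard_answers(names, resolve=system_resolve, probes=3):
    """Map each name to True when its answer is only the TLD's wildcard address."""
    wildcard_by_tld, flagged = {}, {}
    for name in names:
        tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
        if tld not in wildcard_by_tld:
            wildcard_by_tld[tld] = detect_tld_wildcard(tld, resolve, probes)
        answers = set(resolve(name))
        flagged[name] = bool(answers) and answers <= wildcard_by_tld[tld]
    return flagged

if __name__ == "__main__":
    print(flag_wildcard_answers(["ibm.cm", "cisco.cm", "www.good.example"],
                                constructed_resolver))
```

Run with the default system_resolve against a resolver that has root-delegation-only in effect, the random probes should come back NXDOMAIN and detect_tld_wildcard should return an empty set, which gives a quick check that the option is working.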

