[unisog] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

Dave Dittrich dittrich at u.washington.edu
Thu Nov 16 23:42:33 GMT 2006


scott hollatz wrote:
>> Right, I saw that just after I sent the email... It's wildcard.
> 
>> Because of the sheer number of .edu's it's squatting on, and the wildcards
>> I'm assuming malicious.  Best case, you have legit users typo'ing stuff
>> (like say, SSH connections) and giving their password to someone else.
> 
>> So far there is about a dozen, I've found.
>  	[stuff deleted]
> 
> And try other TLDs:
> 
>  	% dig +short ibm.cm
>  	72.51.27.58
> 
>  	% dig +short cisco.cm
>  	72.51.27.58
> 
>  	% dig +short microsoft.cm
>  	72.51.27.58

I didn't know the Netherlands had moved. ;)  Keep digging...


P.S.  Gotta love the last part:

	"Please note that the provided E-mail addresses ARE VALID
         but will function for only a few days and should not be
         added to any database."


$ jwhois 72.51.27.58
[Querying whois.arin.net]
[whois.arin.net]
Peer 1 Network Inc. PEER1-BLK-08 (NET-72-51-0-0-1)
                                  72.51.0.0 - 72.51.63.255
Nameview Inc PEER1-NAMEVIEW-01 (NET-72-51-27-0-1)
                                  72.51.27.0 - 72.51.27.255

# ARIN WHOIS database, last updated 2006-11-15 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

$ jwhois NET-72-51-27-0-1
[Querying whois.arin.net]
[whois.arin.net]

CustName:   Nameview Inc
Address:    142-757 W. Hastings, Suite #777
City:       Vancouver
StateProv:  BC
PostalCode: V6C-1A1
Country:    CA
RegDate:    2006-05-09
Updated:    2006-05-09

NetRange:   72.51.27.0 - 72.51.27.255
CIDR:       72.51.27.0/24
NetName:    PEER1-NAMEVIEW-01
NetHandle:  NET-72-51-27-0-1
Parent:     NET-72-51-0-0-1
NetType:    Reassigned
Comment:
RegDate:    2006-05-09
Updated:    2006-05-09

RNOCHandle: ZP55-ARIN
RNOCName:   Peer1 Network Inc.
RNOCPhone:  +1-604-683-7747
RNOCEmail:  net-admin at peer1.net

OrgAbuseHandle: NSA-ARIN
OrgAbuseName:   Peer 1 Network AUP Enforcement
OrgAbusePhone:  +1-604-484-2588
OrgAbuseEmail:  abuse at peer1.net

OrgTechHandle: ZP55-ARIN
OrgTechName:   Peer1 Network Inc.
OrgTechPhone:  +1-604-683-7747
OrgTechEmail:  net-admin at peer1.net

# ARIN WHOIS database, last updated 2006-11-15 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

$ jwhois nameview.com
[Querying whois.internic.net]
[Redirected to whois.nameview.com]
[Querying whois.nameview.com]
[whois.nameview.com]
Access to the WHOIS database of Nameview, Inc. is for
informational purposes only.  This information is made available
"as is," and its accuracy is not guaranteed.  The
compilation, repackaging, dissemination or other use of
Nameview, Inc.'s WHOIS information in its entirety, or a
substantial portion thereof, is expressly prohibited without
the prior written consent of Nameview, Inc.

By accessing and using our WHOIS information, you agree to these terms.

Domain:  NAMEVIEW.COM

Created: 2001-11-04
Updated: 2006-11-02
Expires: 2007-11-04

This registrant uses an IDentity Shield service to keep some or
all of their information private.

They are reachable at the following addresses only.  Please note that
the provided E-mail addresses ARE VALID but will function for only
a few days and should not be added to any database.
IDentity Shield addresses are CASE SENSITIVE.

    Registrant
       Administrator, Domain
       NameView, Inc.
       142-757 W. Hastings St., Suite #777
       Vancouver, BC
       CA   V6C 1A1

    Administrative Contact
       Administrator, Domain
       NameView, Inc.
       142-757 W. Hastings St., Suite #777
       Vancouver, BC
       CA   V6C 1A1
       E-mail:
x6CbsCCj21HbsRxNAKBhJHQLjVhC8rQ0ijzSeFcg+8trsnZdu38K at identityshield.com
       Phone:  1-309-424-5497
       Fax:    1-309-424-5497

    Technical Contact
       Administrator, Domain
       NameView, Inc.
       142-757 W. Hastings St., Suite #777
       Vancouver, BC
       CA   V6C 1A1
       E-mail:
HerucIaibULYSuivAM4nRChhMReSGOz07kUXPp19ugfFpuGVvuU=@identityshield.com
       Phone:  1-309-424-5497
       Fax:    1-309-424-5497

    Name servers for this domain:

        NS1.NAMEVIEW.COM  72.51.27.53
        NS2.NAMEVIEW.COM  217.68.70.71

E-mail addresses as presented will only work until 2006-11-18
(in the server's time zone).

The use of any automated Whois harvesting tool is a violation of our
terms of service and may result in permanent firewall entries for your
IP space. We do not give warnings or notifications.


-- 
Dave Dittrich                          Information Assurance Researcher,
dittrich at u.washington.edu              The iSchool
http://staff.washington.edu/dittrich   University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5
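An added example, not part of this thread or of any tool named in it: a small Python check for the wildcard behaviour Scott describes (every name under a look-alike TLD such as .cm answering with the same address). It resolves a few random labels that nobody could have registered under the zone; if they all answer with one address, the zone is a catch-all, and any of your own names that resolve to that same address are being caught by it. The resolver is injected so it can run offline; the sample resolver and the 198.51.100.10 address are constructed, and the 72.51.27.58 answer is the one quoted above.

```python
import secrets
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to an IPv4 address string, or None on NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the OS resolver (not used by the offline test)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_address(zone: str, resolve: Resolver, probes: int = 3) -> Optional[str]:
    """Return the address a wildcard in `zone` answers with, or None.

    Random 16-hex-character labels cannot be real registrations, so if
    they all resolve to one address the zone has a catch-all record.
    Differing answers (e.g. round-robin) are reported as 'no wildcard'
    rather than guessed at.
    """
    answers = {resolve(f"{secrets.token_hex(8)}.{zone}") for _ in range(probes)}
    if len(answers) == 1 and None not in answers:
        return answers.pop()
    return None


def typo_tld_report(bases: List[str], typo_tlds: List[str],
                    resolve: Resolver) -> Dict[str, Dict[str, str]]:
    """Classify base.tld for each of your domain bases under look-alike TLDs.

    verdict is 'wildcard' when the name merely falls into the zone's
    catch-all, 'registered' when it answers with a different address
    (someone set that name up deliberately); unresolvable names are omitted.
    """
    report: Dict[str, Dict[str, str]] = {}
    for tld in typo_tlds:
        catch_all = wildcard_address(tld, resolve)
        for base in bases:
            name = f"{base}.{tld}"
            addr = resolve(name)
            if addr is None:
                continue
            verdict = "wildcard" if addr == catch_all else "registered"
            report[name] = {"address": addr, "verdict": verdict}
    return report


def sample_resolver(name: str) -> Optional[str]:
    """Constructed stand-in for the DNS seen in the thread: all of .cm answers
    72.51.27.58; cisco.com has its own (made-up TEST-NET) address."""
    if name.endswith(".cm"):
        return "72.51.27.58"
    return {"cisco.com": "198.51.100.10"}.get(name)
```

Run it against the live resolver with `typo_tld_report(["yourdomain"], ["cm", "co", "om"], system_resolver)` to see which look-alike TLDs are swallowing your users' typos.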

