SANS ISC: InfoSec Handlers Diary Blog



Honeypot Mirroring .edu domains under .eu / Active Threat

Published: 2006-11-16
Last Updated: 2006-11-16 20:50:04 UTC
by John Bambenek (Version: 1)
The .eu top-level domain is relatively new and still in its build-up phase, and a co-worker of mine noticed something interesting.

While ssh'ing to a local server, he typo'd the DNS name and ended it in .eu instead of .edu. The connection completed an SSH handshake (it was a new server, so the unknown-host-key warning wasn't considered a big deal) and prompted for a password. He immediately recognized the problem when the password wasn't accepted, and we investigated.

It appears that any DNS name under ourdomain.eu resolves to this machine. Not only that, but the machine in question was hosting at least 7 other .eu domains whose names map to an educational institution's .edu domain. For instance, for a "fake" educational institution at ufoo.edu, you could look up ufoo.eu and get this machine back.

nslookup www.ufoo.edu
response: 111.222.111.222 (good)

nslookup www.ufoo.eu
response: 200.100.200.100 (bad)

nslookup XXX.ufoo.eu (XXX = anything whether or not it exists on the .edu side)
response: 200.100.200.100 (bad)

In other words, the .eu zones in question are wildcarded: this machine answers for any name under certain domains, whether or not the corresponding name actually exists on the .edu side.

What it appears to be, for the moment, is a honeypot that captures passwords from people who typo .edu as .eu. However, with a little ingenuity the operators could turn this enterprise into something truly evil. Right now it is only running a few token services, and the web page appears to be hosting "non-content". There are some who think this is "legit".

With this many .edu equivalents pointing to the same box, and that box serving no real content, I'm not buying it. Incidents like this are a good reason to be cautious, particularly when the mitigation is as simple as it is.

Mitigation:

Check whether your .edu domain also resolves under .eu (i.e. nslookup www.yourdomain.eu and see what happens). Looking up a name that does not exist on your .edu side (e.g. nslookup doesnotexist.yourdomain.eu) will also tell you whether the .eu zone is wildcarded.

If you get 212.79.243.140, they are mirroring your .edu.

Filter that IP in both directions and pursue whatever other avenues your lawyers think necessary (e.g. register the .eu equivalent of your domain yourself so it cannot be used against you).
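The mitigation above is a two-part lookup (does www.yourdomain.eu resolve to the reported box, and does a name that should not exist resolve at all), which is easy to automate across a list of domains. The following script is an added example and not part of the original diary; it takes the 212.79.243.140 address from the diary as the address to flag, and the SAMPLE_DNS table plus the ufoo/ubar names are constructed for offline illustration. By default it uses the system resolver (socket.gethostbyname), so against real domains it performs live lookups.

```python
import random
import socket
import string

# Address the diary reports as hosting the .eu mirrors.
MIRROR_IP = "212.79.243.140"


def eu_equivalent(edu_name):
    """Map a .edu name to its .eu look-alike: 'www.ufoo.edu' -> 'www.ufoo.eu'."""
    labels = edu_name.lower().rstrip(".").split(".")
    if labels[-1] != "edu":
        raise ValueError(f"not a .edu name: {edu_name}")
    return ".".join(labels[:-1] + ["eu"])


def random_label(length=12):
    """A label that almost certainly does not exist; if it resolves, the zone is wildcarded."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def system_resolve(name):
    """Resolve with the OS resolver; None means NXDOMAIN/no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_eu_mirror(edu_domain, resolve=system_resolve, mirror_ip=MIRROR_IP, probe_label=None):
    """Run the diary's two checks against one .edu domain.

    'mirrored': www.<domain>.eu or a non-existent name under it points at mirror_ip.
    'wildcard': a name that should not exist still resolves (any address).
    """
    edu_domain = edu_domain.lower().rstrip(".")
    eu_domain = eu_equivalent(edu_domain)
    www_name = "www." + eu_domain
    probe_name = (probe_label or random_label()) + "." + eu_domain
    www_ip = resolve(www_name)
    probe_ip = resolve(probe_name)
    return {
        "edu": edu_domain,
        "eu": eu_domain,
        "www_ip": www_ip,
        "probe_name": probe_name,
        "probe_ip": probe_ip,
        "mirrored": mirror_ip in (www_ip, probe_ip),
        "wildcard": probe_ip is not None,
    }


def scan(edu_domains, resolve=system_resolve, mirror_ip=MIRROR_IP):
    """Check a list of .edu domains and return only the ones worth acting on."""
    findings = []
    for domain in edu_domains:
        result = check_eu_mirror(domain, resolve=resolve, mirror_ip=mirror_ip)
        if result["mirrored"] or result["wildcard"]:
            findings.append(result)
    return findings


# Constructed sample DNS data for offline use; these are not real lookups.
# ufoo.eu is wildcarded onto the reported box, ubar.eu is a normal, unrelated zone.
SAMPLE_DNS = {
    "www.ufoo.edu": "111.222.111.222",
    "www.ufoo.eu": MIRROR_IP,
    "www.ubar.edu": "111.222.111.223",
    "www.ubar.eu": "198.51.100.7",
}


def sample_resolve(name):
    """Stand-in resolver over SAMPLE_DNS, emulating a wildcard under ufoo.eu."""
    name = name.lower().rstrip(".")
    if name in SAMPLE_DNS:
        return SAMPLE_DNS[name]
    if name.endswith(".ufoo.eu"):
        return MIRROR_IP
    return None


if __name__ == "__main__":
    for finding in scan(["ufoo.edu", "ubar.edu", "baz.edu"], resolve=sample_resolve):
        flags = [k for k in ("mirrored", "wildcard") if finding[k]]
        print(f"{finding['edu']}: www.{finding['eu']} -> {finding['www_ip']}, "
              f"{finding['probe_name']} -> {finding['probe_ip']} [{', '.join(flags)}]")
```

A hit on "mirrored" is the case the diary describes and calls for the IP filter; a "wildcard" hit against some other address still deserves a look, since anything typed under that .eu name will reach whoever runs it. Pass your own resolver (for example one backed by dnspython) if you want to query a specific nameserver rather than the OS resolver.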

I'm interested in how widespread this is, and would like a report if your .edu is affected.

----
John Bambenek
bambenek /at/ gmail [dot] com