[Tfug] Note to all with .edu servers
Angus Scott-Fleming
angussf at geoapps.com
Fri Nov 17 14:52:20 MST 2006
Seen on SANS yesterday, and many folks here have .edu addresses:
------- Included Stuff Follows -------
Honeypot Mirroring .edu domains under .eu / Active Threat
Published: 2006-11-16,
Last Updated: 2006-11-16 20:50:04 UTC by John Bambenek (Version: 1)
The .eu top-level domain is relatively new and in
the build-up phase, and a co-worker noticed
something fun.
When ssh'ing to a local server, he typo'd and
finished the DNS name as .eu, it connected with an
SSH handshake (it was a new server so the key
warning wasn't considered a big deal) and took a
password. The individual immediately recognized the
problem when the password wasn't accepted and we
investigated.
It appears any DNS name at ourdomain.eu would
resolve to this machine. Not only that, but the
machine in question was hosting at least 7 other
domains under .eu that would map to an educational
institution. For instance, for a "fake" educational
institution at ufoo.edu you could search for ufoo.eu
and get a response to this machine.
nslookup www.ufoo.edu
response: 111.222.111.222 (good)
nslookup www.ufoo.eu
response: 200.100.200.100 (bad)
nslookup XXX.ufoo.eu (XXX = anything whether or not it
exists on the .edu side)
response: 200.100.200.100 (bad)
--------- Included Stuff Ends ---------
http://isc.sans.org//diary.php?storyid=1866
--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
http://www.geoapps.com/
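The nslookup test in the diary above can be turned into a routine check: resolve a real .edu host, resolve its .eu twin, then resolve a random label under the .eu parent that cannot legitimately exist. If the random label answers with the same address as the twin, the .eu zone is a wildcard catching every name, which is the honeypot pattern described. The script below is an added example, not code from the SANS diary or from the TFUG post; the domain names and addresses in it are constructed test data (the 111.222.111.222 / 200.100.200.100 pair mirrors the diary's illustration), and the `resolve` parameter, `check_lookalike`, `scan` and `constructed_resolve` names are the example's own.

```python
"""Wildcard-DNS lookalike check for institutional hostnames (added example).

Given "www.ufoo" it compares www.ufoo.edu with www.ufoo.eu and probes
<random>.ufoo.eu. Pass resolve=system_resolve to use the OS resolver;
the default here is a constructed resolver so the script runs offline.
"""
import secrets
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed answers standing in for real DNS (assumption, test data only).
_HONEYPOT_IP = "200.100.200.100"
_CONSTRUCTED = {
    "www.ufoo.edu": "111.222.111.222",
    "mail.ufoo.edu": "111.222.111.223",
    "www.ubar.edu": "111.222.111.224",
}


def constructed_resolve(name: str) -> Optional[str]:
    """Fake resolver: *.ufoo.eu is a wildcard, ubar has no .eu twin."""
    if name in _CONSTRUCTED:
        return _CONSTRUCTED[name]
    if name == "ufoo.eu" or name.endswith(".ufoo.eu"):
        return _HONEYPOT_IP
    return None


def system_resolve(name: str) -> Optional[str]:
    """Resolve with the OS resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_lookalike(host: str, real_tld: str = "edu", look_tld: str = "eu",
                    resolve: Resolver = constructed_resolve) -> Dict[str, Optional[str]]:
    """Compare host.<real_tld> with host.<look_tld> and probe for a wildcard."""
    real = resolve(f"{host}.{real_tld}")
    twin = resolve(f"{host}.{look_tld}")
    # The parent of the host (ufoo for www.ufoo); a random label under it
    # should not exist, so an answer means the zone is a catch-all.
    parent = host.split(".", 1)[1] if "." in host else host
    probe = resolve(f"{secrets.token_hex(6)}.{parent}.{look_tld}")
    if twin is None:
        verdict = "no lookalike registered"
    elif probe is not None and probe == twin:
        verdict = "wildcard lookalike: every label resolves to one host"
    elif twin != real:
        verdict = "lookalike resolves elsewhere"
    else:
        verdict = "lookalike resolves to the same address as the real host"
    return {"real": real, "twin": twin, "probe": probe, "verdict": verdict}


def scan(hosts: List[str], resolve: Resolver = constructed_resolve) -> List[str]:
    """Return the hosts whose .eu twin is a wildcard catch-all."""
    return [h for h in hosts
            if check_lookalike(h, resolve=resolve)["verdict"].startswith("wildcard")]


if __name__ == "__main__":
    for h in ["www.ufoo", "mail.ufoo", "www.ubar"]:
        r = check_lookalike(h)
        print(f"{h:12s} edu={r['real']} eu={r['twin']} probe={r['probe']} -> {r['verdict']}")
    print("flagged:", scan(["www.ufoo", "mail.ufoo", "www.ubar"]))
```

Against live DNS (`resolve=system_resolve`) the same routine works for any pair of TLDs, not just .edu/.eu; the random-label probe is what distinguishes a genuine sister domain from a wildcard that will accept any typo. The SSH side of the diary is worth a separate reminder: a host-key warning on a "new" server is the one signal that would have caught this before a password was typed.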