[Operators] Let's start some witch-hunt

Peter Schwindt operators at schwindt-net.de
Tue Jun 15 16:31:12 CDT 2010


Dear fellow Operators,

let's do some real stuff on this ML instead of only receiving
low-traffic server listing requests ;-)

Martin (of hot-chilli.*) was the first to publicly (on jadmin-ML, about
2 weeks ago) mention a bunch of weird registrations. The accounts to be
considered all look nearly the same: A posix timestamp + ("LOP" or
"LMC") + server part (i.e. 1275746522321lmc at jabber.ccc.de). And there
were lots of them. Right now I (administering jabber.ccc.de) see about
1k of them on my server.

I did some serious sniffing, look at some IPs, contacted Jeroen (of
12jabber.com and others) yesterday since I saw that some of the (bot?
mmorpg?) accounts were talking to likewise accounts on his servers and
later the day I compiled all the information I knew and put it on the
jabber.ccc.de weblog (http://web.jabber.ccc.de/?p=183, unfortunately in
German, if you need a translation I can provide it).

Jeroen helped me remember some great ejabberd features like ACLs on
registration and c2s connections, so starting yesterday I've been
blocking *LMC and *LOP account registrations and client connections. The
accounts are still there but cannot be used anymore.

I can provide even more information:
* All accounts have a resource called "Smack", so this really smells
like Java, maybe even J2ME?
* Checking the networks/providers the accounts were connecting from this
looks like something starting in the US. I had nearly all large
providers: T-Mobile US, Verizon Wireless, Sprint Nextel. Maybe a J2ME
bot (net)? Or simply a new game noone knows of? Some of the newer
registrations have been seen from European networks like Bouygtel (.fr)
and even Orange's (.fr) GPRS net. This really sounds like something
infecting mobile devices. Could still be mobile computers with wireless
modems.
* Not a single of these accounts uses its roster. There must be some
hard-coded C&C data.

Let's discuss this. NOW.

Peter

P.S.: PGP Key available (0x5C5CDEEA)


More information about the Operators mailing list