[Operators] Let's start some witch-hunt
vicviq at gmail.com
Tue Jun 15 17:43:31 CDT 2010
On Tue, Jun 15, 2010 at 11:37 PM, Andreas Monitzer
<xmppoperator at monitzer.com> wrote:
> On Jun 15, 2010, at 23:31, Peter Schwindt wrote:
>> Martin (of hot-chilli.*) was the first to publicly (on jadmin-ML, about
>> 2 weeks ago) mention a bunch of weird registrations. The accounts to be
>> considered all look nearly the same: A posix timestamp + ("LOP" or
>> "LMC") + server part (i.e. 1275746522321lmc at jabber.ccc.de). And there
>> were lots of them. Right now I (administering jabber.ccc.de) see about
>> 1k of them on my server.
> Maybe I'm stating the obvious here, but this really sounds like a
> virus-originated botnet using XMPP as the control channel.
I am thinking it would be interesting to see some of the content they
are sending. I wonder if it would be feasible to set up a 'honeypot'
server for them, just for the purpose of observing the traffic and
what they are doing - maybe that would let us figure out in more detail
what it is and what it does, maybe even its origin.
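
Added example, not part of the original message or thread: a Python sketch an operator could run over an exported account list to count registrations matching the naming pattern quoted above (timestamp + "LOP"/"LMC"). Treating the 13-digit sample as milliseconds, the plausibility window, and every sample JID except the one quoted in the thread are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Local part: digits + "lop"/"lmc". The thread's sample has 13 digits,
# read here as a POSIX timestamp in milliseconds (assumption).
PATTERN = re.compile(r"^(\d{10}|\d{13})(lop|lmc)$")

# Plausibility window for the embedded timestamp (assumed bounds).
WINDOW = (datetime(2009, 1, 1, tzinfo=timezone.utc),
          datetime(2011, 1, 1, tzinfo=timezone.utc))

def classify(jid):
    """Return (domain, suffix, embedded_time) for a suspect JID, else None."""
    local, sep, domain = jid.strip().lower().partition("@")
    domain = domain.split("/", 1)[0]          # drop any resource part
    match = PATTERN.match(local)
    if not sep or not domain or not match:
        return None
    digits, suffix = match.groups()
    seconds = int(digits) // 1000 if len(digits) == 13 else int(digits)
    when = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if not (WINDOW[0] <= when < WINDOW[1]):
        return None                           # digits are not a plausible time
    return domain, suffix, when

def summarize(jids):
    """Count suspect accounts per (domain, suffix) and return the hits."""
    hits = [hit for hit in map(classify, jids) if hit]
    return Counter((d, s) for d, s, _ in hits), hits

# First entry is the JID quoted in the thread; the rest are constructed.
SAMPLE = [
    "1275746522321lmc@jabber.ccc.de",
    "1275746600123LOP@xmpp.example.org",
    "1275746700456lop@xmpp.example.org/home",
    "alice@xmpp.example.org",                 # ordinary account
    "20100615lmc@xmpp.example.org",           # wrong digit count
    "9999999999999lmc@xmpp.example.org",      # digits outside the window
]

if __name__ == "__main__":
    counts, hits = summarize(SAMPLE)
    for (domain, suffix), n in sorted(counts.items()):
        print(f"{domain}\t{suffix}\t{n}")
    for domain, suffix, when in hits:
        print(f"{when.isoformat()}\t{suffix}\t{domain}")
```

The embedded timestamps can then be compared with the server's own registration log to see whether the accounts were created in bursts.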