[Operators] Let's start some witch-hunt

Martin Sebald msebald at hot-chilli.net
Tue Jun 15 18:00:07 CDT 2010

Hello viq!

>> Maybe I'm stating the obvious here, but this really sounds like a
>> virus-originated botnet using XMPP as the control channel.
> I am thinking it would be interesting to see some of the content they are
> sending. I wonder if it would be feasible to set up a 'honeypot' server
> for them, just for the purpose of observing the traffic and what they are
> doing - maybe that would let us figure out in more detail what it is and
> what it does, maybe even its origin.

The thing is how to make this honeypot server a target.

What I don't understand is that just three servers are affected, while all
other known server admins did not experience this. Sure, there might be more
affected servers, but how are they targeted? From the public services list
at xmpp.org? Hardly, because there are so many servers on this list, and why
did they pick jabber.ccc.de and our server plus a third server?

And with ~2000-3000 accounts altogether on these three servers this would
not make the trojan/virus very effective...

Well, it might be that there are numerous other infected servers, but why
is there just nothing about all this on Google or XMPP-related resources
like this list?
