[Operators] Let's start some witch-hunt

Nikolay Iliev niki_i_iliev at hotmail.com
Wed Jun 16 01:36:31 CDT 2010


Please stop sending me these newsletters, or whatever you call them. I received 11 yesterday! It's quite annoying, you know. So please send me an unsubscribe link, or simply do not waste your time sending me your emails.

> Date: Tue, 15 Jun 2010 19:57:27 -0500
> From: coder2000 at gmail.com
> To: operators at xmpp.org
> Subject: Re: [Operators] Let's start some witch-hunt
> 
> It seems like an IM spam bot to me. I don't run a public server yet
> but have been considering it for some ideas I have.
> 
> Dieter Lunn
> http://www.coder2000.ca
> 
> 
> 
> On Tue, Jun 15, 2010 at 6:57 PM, Adam Seabrook <adam at seabrook.me> wrote:
> > I had 5,000 accounts registered on chatmask.com and about 1,000 concurrent
> > logins after which the server would block them. Banned all of them but they
> > continue to try and log in but have stopped creating accounts. I personally
> > think it is not a bot but some type of free messaging application as I
> > captured some of the traffic and all it was is messages like this:
> >
> > [9:05 AM]       1273938324173lmc:       8017038491:8016548939:2
> > [9:05 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:05 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:05 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:05 AM]       1273938324173lmc:       8017038491:8016548939:0:what's up cutie
> > [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:06 AM]       1273938324173lmc:       8017038491:8016548939:2
> > [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:06 AM]       1273938324173lmc:       8017038491:8016548939:2
> > [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:07 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:07 AM]       1273938324173lmc:       8017038491:8016548939:0:what's up cutie
> > [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:08 AM]       1273938324173lmc:       8017038491:8016548939:2
> > [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:10 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:10 AM]       1273938324173lmc:       8017038491:8016548939:0:this app is kinda messed up you should text me on my phone
> > [9:10 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:10 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:18 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> > [9:18 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:18 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> > [9:18 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> >
> > All of the connections seem to send a keep alive message of 1 or 0 every
> > second and after a while they connect to another account on the server and
> > exchange messages or another server.
> >
> > I can see the accounts have been created on the following servers:
> > jabber.linux.it
> > jabber.cc
> > jabber.no
> > jabber.meta.net.nz
> >
> > I suggest someone try to send messages to the accounts they have logged in
> > and see if they can get a response from the users so we can find out what
> > app it is.
> >
> > On 15/06/10 6:00 PM, Martin Sebald wrote:
> >>
> >> Hello viq!
> >>
> >>>> Maybe I'm stating the obvious here, but this really sounds like a
> >>>> virus-originated botnet using XMPP as the control channel.
> >>>
> >>> I am thinking it would be interesting to see some of the content they are
> >>> sending. I wonder if it would be feasible to set up a 'honeypot' server
> >>> for them, just for the purpose of observing the traffic and what they are
> >>> doing - maybe that would let us figure out in more detail what it is and
> >>> what it does, maybe even its origin.
> >>
> >> The thing is how to make this honeypot server a target.
> >>
> >> What I don't understand is that just three servers are affected; all other
> >> known server admins did not experience this. Sure, there might be more
> >> affected servers, but how are they targeted? From the public services list
> >> at xmpp.org? Hardly, because there are so many servers on this list, and
> >> why would they pick jabber.ccc.de and our server plus a third server?
> >>
> >> And with ~2000-3000 accounts altogether on these three servers this would
> >> not make the trojan/virus very effective...
> >>
> >> Well, it might be that there are numerous other infected servers, but why
> >> is there just nothing about all this on Google or XMPP-related resources
> >> like this list?
> >>
> >> Hm...
> >>
> >> Regards,
> >> Martin
> >>
> >
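A small triage script for captures like the one Adam quotes above, added here as an example and not part of the thread or of any project discussed in it. It parses lines of the observed shape, treats the `sender:recipient:code[:text]` layout of the payload as an assumed field meaning (the thread never states it), counts keep-alive-style control lines against real chat lines per sender, and flags senders whose traffic is mostly keep-alives with verbatim-repeated chat text, which is the pattern Adam describes. The sample capture mixes lines copied from the thread with a second, constructed session so that a human-looking sender is present for contrast; thresholds are illustrative choices.

```python
"""Triage captured IM payloads by traffic shape (added example, not from the thread).

Assumptions: each capture line reads "[time] <session>: <sender>:<recipient>:<code>[:<tail>]";
code "0" carries chat text, any other code is a control/keep-alive line.  Both the
field meaning and the thresholds below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: first session copied in shape from the thread's capture,
# second session (4400000000000abc, numbers 5550001111/5550002222) made up.
SAMPLE_CAPTURE = """\
[9:05 AM]       1273938324173lmc:       8017038491:8016548939:2
[9:05 AM]       1273938324173lmc:       8017038491:8016548939:1:1
[9:05 AM]       1273938324173lmc:       8017038491:8016548939:1:1
[9:05 AM]       1273938324173lmc:       8017038491:8016548939:0:what's up cutie
[9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
[9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
[9:06 AM]       1273938324173lmc:       8017038491:8016548939:2
[9:07 AM]       1273938324173lmc:       8017038491:8016548939:0:what's up cutie
[9:10 AM]       1273938324173lmc:       8017038491:8016548939:0:this app is kinda messed up you should text me on my phone
[9:10 AM]       1273938324173lmc:       8017038491:8016548939:1:0
[9:11 AM]       4400000000000abc:       5550001111:5550002222:0:hi, are we still meeting at 3?
[9:11 AM]       4400000000000abc:       5550001111:5550002222:1:1
[9:12 AM]       4400000000000abc:       5550001111:5550002222:0:ok, see you there
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<session>\S+):\s+(?P<payload>.+)$")


@dataclass
class Record:
    ts: str
    session: str
    sender: str
    recipient: str
    code: str
    text: Optional[str]  # chat text, present only for code "0"


def parse_line(line: str) -> Optional[Record]:
    """Parse one capture line; return None for lines that do not match the assumed shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("payload").split(":", 3)  # sender, recipient, code, optional tail
    if len(parts) < 3:
        return None
    sender, recipient, code = parts[:3]
    tail = parts[3] if len(parts) == 4 else None
    return Record(m.group("ts"), m.group("session"), sender, recipient, code,
                  tail if code == "0" else None)


@dataclass
class SenderStats:
    total: int = 0
    control: int = 0                          # non-"0" codes: keep-alive / status lines
    texts: List[str] = field(default_factory=list)

    @property
    def control_ratio(self) -> float:
        return self.control / self.total if self.total else 0.0

    @property
    def repeated_texts(self) -> int:
        """How many chat lines are verbatim repeats of an earlier one from this sender."""
        return len(self.texts) - len(set(self.texts))


def summarize(capture: str) -> Dict[Tuple[str, str], SenderStats]:
    """Aggregate per (session, sender); unparseable lines are skipped, not fatal."""
    stats: Dict[Tuple[str, str], SenderStats] = defaultdict(SenderStats)
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[(rec.session, rec.sender)]
        s.total += 1
        if rec.code == "0":
            s.texts.append(rec.text or "")
        else:
            s.control += 1
    return dict(stats)


def flag_suspicious(stats, min_msgs: int = 5, control_ratio: float = 0.6):
    """Senders that are mostly keep-alives and repeat the same chat text verbatim."""
    return sorted(key for key, s in stats.items()
                  if s.total >= min_msgs
                  and s.control_ratio >= control_ratio
                  and s.repeated_texts > 0)


if __name__ == "__main__":
    report = summarize(SAMPLE_CAPTURE)
    for (session, sender), s in report.items():
        print(f"{session} {sender}: {s.total} lines, control ratio {s.control_ratio:.2f}, "
              f"repeated texts {s.repeated_texts}")
    print("flagged:", flag_suspicious(report))
```

On the sample, only the copied session is flagged (7 of 10 lines are control codes and "what's up cutie" appears twice), while the constructed conversation is not. Run against a real capture, the same summary is a cheap first filter before deciding which accounts to ban or to answer, as Adam suggests, to learn what the client is.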

