[Operators] Let's start some witch-hunt

Nikolay Iliev niki_i_iliev at hotmail.com
Wed Jun 16 01:36:48 CDT 2010


Please, stop sending me these newsletters or whatever you call them. I received 11 yesterday!... It's quite annoying you know. So please send me an unsubscribe link or simply do not waste your time sending me your emails. 

> Date: Tue, 15 Jun 2010 18:57:01 -0500
> From: adam at seabrook.me
> To: msebald at hot-chilli.net; operators at xmpp.org
> Subject: Re: [Operators] Let's start some witch-hunt
> 
> I had 5,000 accounts registered on chatmask.com and about 1,000 
> concurrent logins, after which the server would block them. Banned all of 
> them, but they continue to try to log in but have stopped creating 
> accounts. I personally think it is not a bot but some type of free 
> messaging application, as I captured some of the traffic and all it was 
> was messages like this:
> 
> [9:05 AM]	1273938324173lmc: 	8017038491:8016548939:2
> [9:05 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:05 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:05 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:05 AM]	1273938324173lmc: 	8017038491:8016548939:0:what's up cutie
> [9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:06 AM]	1273938324173lmc: 	8017038491:8016548939:2
> [9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:06 AM]	1273938324173lmc: 	8017038491:8016548939:2
> [9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:07 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:07 AM]	1273938324173lmc: 	8017038491:8016548939:0:what's up cutie
> [9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:08 AM]	1273938324173lmc: 	8017038491:8016548939:2
> [9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:10 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:10 AM]	1273938324173lmc: 	8017038491:8016548939:0:this app is kinda 
> messed up you should text me on my phone
> [9:10 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:10 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:18 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
> [9:18 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:18 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> [9:18 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
> 
> All of the connections seem to send a keep-alive message of 1 or 0 every 
> second, and after a while they connect to another account on the server 
> or on another server and exchange messages.
> 
> I can see the accounts have been created on the following servers:
> jabber.linux.it
> jabber.cc
> jabber.no
> jabber.meta.net.nz
> 
> I suggest someone try to send messages to the accounts they have logged 
> in and see if they can get a response from the users so we can find out 
> what app it is.
> 
> On 15/06/10 6:00 PM, Martin Sebald wrote:
> > Hello viq!
> >
> >>> Maybe I'm stating the obvious here, but this really sounds like a
> >>> virus-originated botnet using XMPP as the control channel.
> >> I am thinking it would be interesting to see some of the content they are
> >> sending. I wonder if it would be feasible to set up a 'honeypot' server
> >> for them, just for the purpose of observing the traffic and what they are
> >> doing - maybe that would let us figure out in more detail what it is and
> >> what it does, maybe even its origin.
> >
> > The thing is how to make this honeypot server a target.
> >
> > What I don't understand is that just three servers are affected, all other
> > known server admins did not experience this. Sure there might be more
> > affected servers, but how are they targeted? From the public services list
> > at xmpp.org? Hardly because there are so many servers on this list, and why
> > they picked jabber.ccc.de and our server plus a third server?
> >
> > And with ~2000-3000 accounts altogether on these three servers this would
> > not make the trojan/virus very effective...
> >
> > Well, it might be that there are numerous other infected servers, but why
> > there is just nothing about all this on Google or XMPP related resources
> > like this list?
> >
> > Hm...
> >
> > Regards,
> > Martin
> >
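Added example, not code from anyone in the thread: a small Python parser for the captured message shape Adam quoted, with a defender-side heuristic that flags accounts whose traffic is mostly keep-alive pings or that repeat the same chat text verbatim. The sample lines, the field names and the thresholds are constructed for this example; the only meaning taken from the thread is that the "1:0"/"1:1" messages are keep-alives and "0:text" carries chat.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in the "[time]\taccount: \tsrc:dst:kind[:payload]" shape quoted
# in the thread; these lines are made up for this example, not the original capture.
SAMPLE = """\
[9:05 AM]\t1273938324173lmc: \t8017038491:8016548939:2
[9:05 AM]\t1273938324173lmc: \t8017038491:8016548939:1:1
[9:05 AM]\t1273938324173lmc: \t8017038491:8016548939:0:what's up cutie
[9:06 AM]\t1273938324173lmc: \t8017038491:8016548939:1:0
[9:06 AM]\t1273938324173lmc: \t8017038491:8016548939:1:0
[9:07 AM]\t1273938324173lmc: \t8017038491:8016548939:0:what's up cutie
[9:10 AM]\t1273938324173lmc: \t8017038491:8016548939:1:1
[9:10 AM]\tlegituser: \t5551112222:5553334444:0:see you at 6
"""

LINE_RE = re.compile(r"^\[(\d+:\d+ [AP]M)\]\s+(\S+):\s+(\d+):(\d+):(\d)(?::(.*))?$")
FIELDS = ("time", "account", "src", "dst", "kind", "payload")

def parse_line(line):
    """Split one captured line into fields; kind 1 = keep-alive (per the thread),
    0 = chat text, anything else is treated as an unexplained control message."""
    m = LINE_RE.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None

def profile(lines):
    """Per-account counts of keep-alives, chat texts and other messages."""
    stats = defaultdict(lambda: {"keepalive": 0, "chat": 0, "other": 0, "texts": Counter()})
    for msg in filter(None, map(parse_line, lines)):
        s = stats[msg["account"]]
        if msg["kind"] == "1":
            s["keepalive"] += 1
        elif msg["kind"] == "0":
            s["chat"] += 1
            s["texts"][msg["payload"]] += 1
        else:
            s["other"] += 1
    return stats

def suspicious_accounts(stats, min_msgs=5, keepalive_ratio=0.5):
    """Flag busy accounts that mostly ping or repeat chat text (assumed thresholds)."""
    flagged = []
    for account, s in stats.items():
        total = s["keepalive"] + s["chat"] + s["other"]
        if total < min_msgs:
            continue
        repeated = any(n > 1 for n in s["texts"].values())
        if s["keepalive"] / total >= keepalive_ratio or repeated:
            flagged.append(account)
    return sorted(flagged)
```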