[Operators] Let's start some witch-hunt

Jonathan McDowell noodles at earth.li
Wed Jun 16 02:56:52 CDT 2010


On Wed, Jun 16, 2010 at 01:00:07AM +0200, Martin Sebald wrote:
> >> Maybe I'm stating the obvious here, but this really sounds like a
> >> virus-originated botnet using XMPP as the control channel.
> > I am thinking it would be interesting to see some of the content they are
> > sending. I wonder if it would be feasible to set up a 'honeypot' server
> > for them, just for the purpose of observing the traffic and what they are
> > doing - maybe that would let us figure out in more detail what it is and
> > what it does, maybe even its origin.
> 
> The thing is how to make this honeypot server a target.
> 
> What I don't understand is that just three servers are affected, all other
> known server admins did not experience this. Sure there might be more
> affected servers, but how are they targeted? From the public services list
> at xmpp.org? Hardly because there are so many servers on this list, and why
> they picked jabber.ccc.de and our server plus a third server?

I'm seeing about 300 active sessions at any time from "Smack" users on
jabber.earth.li, starting from about 4 weeks ago. If the consensus is
that they are malicious in nature then I'll sort out blocking them, but
so far they haven't been causing me issues.

J.

-- 
                                            xmpp:noodles at earth.li
Is it real, or is it Mimozine?

