[Operators] Let's start some witch-hunt

Kevin Smith kevin at kismith.co.uk
Wed Jun 16 03:02:59 CDT 2010


On Wed, Jun 16, 2010 at 8:56 AM, Jonathan McDowell <noodles at earth.li> wrote:
> On Wed, Jun 16, 2010 at 01:00:07AM +0200, Martin Sebald wrote:
>> >> Maybe I'm stating the obvious here, but this really sounds like a
>> >> virus-originated botnet using XMPP as the control channel.
>> > I am thinking it would be interesting to see some of the content they are
>> > sending. I wonder if it would be feasible to set up a 'honeypot' server
>> > for them, just for the purpose of observing the traffic and what they are
>> > doing - maybe that would let us figure out in more detail what it is and
>> > what it does, maybe even its origin.
>>
>> The thing is how to make this honeypot server a target.
>>
>> What I don't understand is that just three servers are affected; all other
>> known server admins did not experience this. Sure, there might be more
>> affected servers, but how are they targeted? From the public services list
>> at xmpp.org? Hardly, because there are so many servers on this list, so why
>> did they pick jabber.ccc.de and our server plus a third server?
>
> I'm seeing about 300 active sessions at any time from "Smack" users on
> jabber.earth.li, starting from about 4 weeks ago. If the consensus is
> that they are malicious in nature then I'll sort out blocking them, but
> so far they haven't been causing me issues.

Smack's just a Java API (the one used by the Spark client). Certainly
blocking based on a resource of Smack seems inappropriate.

/K
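To make Kevin's point concrete, here is an added example (not code from the thread or from any of the servers mentioned): it tallies c2s sessions by XMPP resource from a constructed session log, so an operator can see what a "Smack" bucket actually contains before deciding to block on it. The log line format, the JIDs and the IPs are all made up for illustration; the resource string is the client-chosen part after the "/", so any client, legitimate or not, can present "Smack" or "Spark".

```python
# Added example, not from the Operators thread: tally c2s sessions by XMPP
# resource and profile one resource bucket. The "c2s session opened" line
# format below is assumed for illustration; it is not any real server's log.
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+c2s session opened\s+"
    r"jid=(?P<bare>[^/\s]+)/(?P<resource>\S+)\s+ip=(?P<ip>\S+)$"
)


@dataclass(frozen=True)
class Session:
    ts: str
    bare_jid: str
    resource: str  # client-chosen during resource binding, e.g. "Smack"
    ip: str


def parse_sessions(text: str) -> list[Session]:
    """Parse constructed 'c2s session opened' lines; lines that do not match are skipped."""
    sessions: list[Session] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions.append(Session(m["ts"], m["bare"], m["resource"], m["ip"]))
    return sessions


def sessions_by_resource(sessions: list[Session]) -> Counter:
    """Count sessions per resource string."""
    return Counter(s.resource for s in sessions)


def resource_profile(sessions: list[Session], resource: str) -> dict:
    """Describe one resource bucket: sessions, distinct accounts, distinct source
    IPs and the most accounts seen behind a single IP. Many accounts spread over
    many IPs is what a widely used client library looks like; the resource name
    alone says nothing about intent."""
    subset = [s for s in sessions if s.resource == resource]
    accounts_per_ip: dict[str, set[str]] = defaultdict(set)
    for s in subset:
        accounts_per_ip[s.ip].add(s.bare_jid)
    return {
        "sessions": len(subset),
        "accounts": len({s.bare_jid for s in subset}),
        "ips": len(accounts_per_ip),
        "max_accounts_per_ip": max((len(a) for a in accounts_per_ip.values()), default=0),
    }


# Constructed sample log (addresses from documentation ranges, JIDs invented).
SAMPLE_LOG = """\
2010-06-16T08:00:01 c2s session opened jid=alice@example.org/Smack ip=192.0.2.10
2010-06-16T08:00:05 c2s session opened jid=bob@example.org/Smack ip=198.51.100.7
2010-06-16T08:00:09 c2s session opened jid=carol@example.org/Spark ip=203.0.113.4
2010-06-16T08:00:12 c2s session opened jid=dave@example.org/Smack ip=192.0.2.10
2010-06-16T08:00:20 c2s session opened jid=erin@example.org/Gajim ip=203.0.113.9
2010-06-16T08:00:25 c2s session opened jid=frank@example.org/Smack ip=198.51.100.8
this line is malformed on purpose and is skipped by the parser
"""

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for resource, n in sessions_by_resource(sessions).most_common():
        print(f"{resource:8} {n:3}  {resource_profile(sessions, resource)}")
```

Run against a real session log the profile would show whether the "Smack" bucket is 300 distinct users on 300 networks or a handful of addresses opening sessions for many accounts; only the latter kind of signal, not the resource name, would justify a block.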

