[Operators] Some 1000 Bots Discovered

A a at creep.im
Fri Jul 1 16:42:17 UTC 2016


Hello fellow XMPP operators.

I've just discovered 1000 (exactly) bot accounts on my server 
(creep.im). Since the last update of ejabberd, from version 16.02 to 
16.03, I've noticed a drastic spike in CPU load. After inspecting the 
log I discovered that a lot of accounts with strange usernames fail to 
authorize, causing the cyrsasl_plain module to crash. I suppose these 
are bots and they have a broken authentication implementation which is not 
compatible with the latest ejabberd version.

I've collected the affected JIDs and discovered that there are exactly 1000 
algorithmically generated accounts, and they were registered in early 
2015. Here is the entire list, feel free to check if the same usernames 
are registered on your server: http://pastebin.ca/3653763. Probably 
these are unique to creep.im, but feel free to check from your side.

If you find the bots on your server, you can easily ban them with this 
BASH script (ejabberd specific): http://pastebin.ca/3653765.

Additionally, I've grabbed the roster contents of all bots and extracted 
the unique JIDs from them. I'm not sure that all of the JIDs are malicious, 
but at least the thisisyoga at xmpp.jp, thisisyoshka at draugr.us and 
tessa88 at exploit.im entries in the ejabberd log showed strong signs of some 
interaction with a large number of the aforementioned bots. I have banned 
all such accounts for now; if there are any complaints, I'll resolve 
them on a case-by-case basis. Here is the full list of these JIDs: 
http://pastebin.ca/3653768, and the same list in ejabberd config (YAML) 
ban format: http://pastebin.ca/3653770.

To mitigate the constant crashing one can use the mod_fail2ban module.

Feel free to share any valuable information if you find similar 
patterns on your public service.

A
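The triage described in the post (pull failed-auth entries from the ejabberd log, group them by account, pick out the algorithmically generated usernames, and turn the result into a ban list) can be reproduced with a small script. The following is an added example, not the author's BASH script and not part of the original message. The log lines are constructed to approximate ejabberd's c2s "Failed authentication" message; the exact wording differs between ejabberd versions, so the regex is an assumption to adjust for your own log. The "looks generated" heuristic (long, mixed letters and digits, almost no vowels) is likewise an assumption, since the post does not describe the bot username pattern. The `ejabberdctl ban_account` command comes from mod_admin_extra and is assumed to be enabled.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample log lines (approximate ejabberd c2s format; not from the post).
SAMPLE_LOG = """\
2016-07-01 16:40:01.101 [info] <0.512.0>@ejabberd_c2s:process_terminated Failed authentication for xq7f2k9dw1@creep.im from 203.0.113.10
2016-07-01 16:40:01.355 [info] <0.513.0>@ejabberd_c2s:process_terminated Failed authentication for k3z9qv0tm2@creep.im from 203.0.113.11
2016-07-01 16:40:02.002 [info] <0.514.0>@ejabberd_c2s:process_terminated Failed authentication for alice@creep.im from 198.51.100.7
2016-07-01 16:40:02.410 [info] <0.515.0>@ejabberd_c2s:process_terminated Failed authentication for xq7f2k9dw1@creep.im from 203.0.113.10
2016-07-01 16:40:03.090 [info] <0.516.0>@ejabberd_c2s:process_terminated Accepted authentication for alice@creep.im
2016-07-01 16:40:03.777 [info] <0.517.0>@ejabberd_c2s:process_terminated Failed authentication for k3z9qv0tm2@creep.im from 203.0.113.11
2016-07-01 16:40:04.120 [info] <0.518.0>@ejabberd_c2s:process_terminated Failed authentication for user2016@creep.im from 198.51.100.8
2016-07-01 16:40:04.500 [info] <0.519.0>@ejabberd_c2s:process_terminated Failed authentication for xq7f2k9dw1@creep.im from 203.0.113.10
2016-07-01 16:40:05.001 [info] <0.520.0>@ejabberd_c2s:process_terminated Failed authentication for k3z9qv0tm2@creep.im from 203.0.113.11
2016-07-01 16:40:05.333 [info] <0.521.0>@ejabberd_c2s:process_terminated Failed authentication for user2016@creep.im from 198.51.100.8
2016-07-01 16:40:06.010 [info] <0.522.0>@ejabberd_c2s:process_terminated Failed authentication for k3z9qv0tm2@creep.im from 203.0.113.11
2016-07-01 16:40:06.450 [info] <0.523.0>@ejabberd_c2s:process_terminated Failed authentication for user2016@creep.im from 198.51.100.8
"""

# Assumed pattern for the auth-failure message; adjust to your ejabberd version.
FAILED_AUTH_RE = re.compile(
    r"Failed authentication for (?P<user>[^@\s]+)@(?P<host>[^\s]+) from (?P<ip>[^\s]+)"
)


def parse_failures(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (user, host, ip) for every auth-failure line; other lines are ignored."""
    hits = []
    for line in lines:
        m = FAILED_AUTH_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("host"), m.group("ip")))
    return hits


def looks_generated(user: str) -> bool:
    """Assumed heuristic for machine-generated usernames: at least 8 characters,
    a mix of letters and digits, and fewer than 35% vowels among the letters."""
    if len(user) < 8:
        return False
    letters = [c for c in user.lower() if c.isalpha()]
    digits = [c for c in user if c.isdigit()]
    if not letters or not digits:
        return False
    vowels = sum(1 for c in letters if c in "aeiou")
    return vowels / len(letters) < 0.35


def suspect_accounts(lines: Iterable[str], min_failures: int = 3) -> Dict[str, int]:
    """Map JID -> failure count for accounts that fail repeatedly AND have a
    generated-looking username. A real user mistyping a password once is excluded."""
    counts: Counter = Counter(f"{u}@{h}" for u, h, _ in parse_failures(lines))
    return {
        jid: n
        for jid, n in counts.items()
        if n >= min_failures and looks_generated(jid.split("@", 1)[0])
    }


def ban_commands(jids: Iterable[str], reason: str = "auth-flood bot") -> List[str]:
    """Render one ejabberdctl ban_account invocation per JID (mod_admin_extra)."""
    cmds = []
    for jid in sorted(jids):
        user, host = jid.split("@", 1)
        cmds.append(f"ejabberdctl ban_account {user} {host} '{reason}'")
    return cmds


if __name__ == "__main__":
    suspects = suspect_accounts(SAMPLE_LOG.splitlines())
    for jid, n in sorted(suspects.items()):
        print(f"{jid}: {n} failures")
    print("\n".join(ban_commands(suspects)))
```

Review the flagged list by hand before running the commands: a short, high failure threshold and a username heuristic catch the flood the post describes, but a human-chosen username that happens to be vowel-poor would be caught too, which is why `user2016` (repeated failures, ordinary-looking name) is deliberately left out of the result.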
