Please, stop sending me these newsletters or whatever you call them. I received 11 yesterday!... It's quite annoying you know. So please send me an unsubscribe link or simply do not waste your time sending me your emails.
> Date: Tue, 15 Jun 2010 19:57:27 -0500
> From: [email protected]
> To: [email protected]
> Subject: Re: [Operators] Let's start some witch-hunt
>
> It seems like an IM spam bot to me. I don't run a public server yet
> but have been considering it for some ideas I have.
>
> Dieter Lunn
> http://www.coder2000.ca
>
>
>
> On Tue, Jun 15, 2010 at 6:57 PM, Adam Seabrook <[email protected]> wrote:
> > I had 5,000 accounts registered on chatmask.com and about 1,000 concurrent
> > logins after which the server would block them. Banned all of them but they
> > continue to try and log in but have stopped creating accounts. I personally
> > think it is not a bot but some type of free messaging application as I
> > captured some of the traffic and all it was is messages like this:
> >
> > [9:05 AM] 1273938324173lmc: 8017038491:8016548939:2
> > [9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:05 AM] 1273938324173lmc: 8017038491:8016548939:0:what's up
> > cutie
> > [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:06 AM] 1273938324173lmc: 8017038491:8016548939:2
> > [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:06 AM] 1273938324173lmc: 8017038491:8016548939:2
> > [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:07 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:07 AM] 1273938324173lmc: 8017038491:8016548939:0:what's up
> > cutie
> > [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:08 AM] 1273938324173lmc: 8017038491:8016548939:2
> > [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:10 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:10 AM] 1273938324173lmc: 8017038491:8016548939:0:this app is
> > kinda messed up you should text me on my phone
> > [9:10 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:10 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> > [9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> > [9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> >
> > All of the connections seem to send a keep alive message of 1 or 0 every
> > second and after a while they connect to another account on the server and
> > exchange messages or another server.
> >
> > I can see the accounts have been created on the following servers:
> > jabber.linux.it
> > jabber.cc
> > jabber.no
> > jabber.meta.net.nz
> >
> > I suggest someone try to send messages to the accounts they have logged in
> > and see if they can get a response from the users so we can find out what
> > app it is.
> >
> > On 15/06/10 6:00 PM, Martin Sebald wrote:
> >>
> >> Hello viq!
> >>
> >>>> Maybe I'm stating the obvious here, but this really sounds like a
> >>>> virus-originated botnet using XMPP as the control channel.
> >>>
> >>> I am thinking it would be interesting to see some of the content they are
> >>> sending. I wonder if it would be feasible to set up a 'honeypot' server
> >>> for them, just for the purpose of observing the traffic and what they are
> >>> doing - maybe that would let figure out in more details what it is and
> >>> what it does, maybe even its origin.
> >>
> >> The thing is how to make this honeypot server a target.
> >>
> >> What I don't understand is that just three servers are affected, all other
> >> known server admins did not experience this. Sure there might be more
> >> affected servers, but how are they targeted? From the public services list
> >> at xmpp.org? Hardly because there are so many servers on this list, and why
> >> they picked jabber.ccc.de and our server plus a third server?
> >>
> >> And with ~2000-3000 accounts altogether on these three servers this would
> >> not make the trojan/virus very effective...
> >>
> >> Well, it might be that there are numerous other infected servers, but why
> >> there is just nothing about all this on Google or XMPP related resources
> >> like this list?
> >>
> >> Hm...
> >>
> >> Regards,
> >> Martin
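
Added example, not part of the original thread or written by any of its participants: a Python sketch for a server operator who wants to tally a capture in the line format quoted above and pull out the free-text messages, including ones wrapped onto a second line. The field names (`type`, `payload`) and the reading of the third colon-separated field as a message type are assumptions drawn only from the quoted lines.

```python
import re
from collections import Counter

# Sample lines in the format of the capture quoted in the thread:
# "[time] <account>: <id>:<id>:<type>[:<payload>]"
SAMPLE = """\
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:2
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:0:what's up
cutie
[9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
[9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
"""

# "type" and "payload" are hypothetical names for the 3rd and 4th fields.
LINE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+(?P<account>\S+):\s+"
    r"(?P<a>\d+):(?P<b>\d+):(?P<type>\d+)(?::(?P<payload>.*))?$"
)

def parse_capture(text):
    """Parse capture lines; re-join payloads that wrapped onto a new line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m:
            records.append(m.groupdict())
        elif records and records[-1]["payload"] is not None:
            # A line without a "[time]" prefix continues the previous payload.
            records[-1]["payload"] += " " + line
    return records

def summarize(records):
    """Count records per type field and collect type-0 free-text payloads."""
    types = Counter(r["type"] for r in records)
    texts = [r["payload"] for r in records
             if r["type"] == "0" and r["payload"]]
    return types, texts

if __name__ == "__main__":
    counts, texts = summarize(parse_capture(SAMPLE))
    print(dict(counts))
    print(texts)
```
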
