Please, stop sending me these newsletters or whatever you call them. I received 11 yesterday!... It's quite annoying you know. So please send me an unsubscribe link or simply do not waste your time sending me your emails.
> Date: Tue, 15 Jun 2010 18:57:01 -0500
> From: [email protected]
> To: [email protected]; [email protected]
> Subject: Re: [Operators] Let's start some witch-hunt
>
> I had 5,000 accounts registered on chatmask.com and about 1,000
> concurrent logins after which the server would block them. Banned all of
> them but they continue to try and log in but have stopped creating
> accounts. I personally think it is not a bot but some type of free
> messaging application as I captured some of the traffic and all it was
> is messages like this:
>
> [9:05 AM] 1273938324173lmc: 8017038491:8016548939:2
> [9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:05 AM] 1273938324173lmc: 8017038491:8016548939:0:what's up cutie
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:2
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:2
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:07 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:07 AM] 1273938324173lmc: 8017038491:8016548939:0:what's up cutie
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:2
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:10 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:10 AM] 1273938324173lmc: 8017038491:8016548939:0:this app is kinda messed up you should text me on my phone
> [9:10 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:10 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:0
>
> All of the connections seem to send a keep alive message of 1 or 0 every
> second and after a while they connect to another account on the server
> and exchange messages or another server.
>
> I can see the accounts have been created on the following servers:
> jabber.linux.it
> jabber.cc
> jabber.no
> jabber.meta.net.nz
>
> I suggest someone try to send messages to the accounts they have logged
> in and see if they can get a response from the users so we can find out
> what app it is.
>
> On 15/06/10 6:00 PM, Martin Sebald wrote:
> > Hello viq!
> >
> >>> Maybe I'm stating the obvious here, but this really sounds like a
> >>> virus-originated botnet using XMPP as the control channel.
> >> I am thinking it would be interesting to see some of the content they are
> >> sending. I wonder if it would be feasible to set up a 'honeypot' server
> >> for them, just for the purpose of observing the traffic and what they are
> >> doing - maybe that would let figure out in more details what it is and
> >> what it does, maybe even its origin.
> >
> > The thing is how to make this honeypot server a target.
> >
> > What I don't understand is that just three servers are affected, all other
> > known server admins did not experience this. Sure there might be more
> > affected servers, but how are they targeted? From the public services list
> > at xmpp.org? Hardly because there are so many servers on this list, and why
> > they picked jabber.ccc.de and our server plus a third server?
> >
> > And with ~2000-3000 accounts altogether on these three servers this would
> > not make the trojan/virus very effective...
> >
> > Well, it might be that there are numerous other infected servers, but why
> > there is just nothing about all this on Google or XMPP related resources
> > like this list?
> >
> > Hm...
> >
> > Regards,
> > Martin
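
A triage script for a capture in the format quoted above, added here as an example (it is not code from anyone in this thread). The field names and the reading of the codes are assumptions drawn from the quoted lines: code 1 with value 0 or 1 is treated as the keep-alive described above, code 0 as a free-text message, and anything else (such as the bare code 2) as unclassified.

```python
import re
from collections import Counter

# Sample input: the first four lines are copied from the capture quoted above,
# the last two are constructed to exercise quoting, colons in text and junk.
SAMPLE = """\
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:2
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:0:what's up cutie
[9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:10 AM] 1273938324173lmc: 8017038491:8016548939:0:a:b c
not a frame
"""

# Hypothetical field names: "a" and "b" are the two numeric ids, "code" the
# frame type, "value" the optional remainder (may itself contain colons).
LINE = re.compile(
    r"^(?:>\s*)*\[(?P<time>\d{1,2}:\d{2} [AP]M)\] (?P<account>\S+): "
    r"(?P<a>\d+):(?P<b>\d+):(?P<code>\d+)(?::(?P<value>.*))?$"
)

def parse_line(line):
    """Return the fields of one captured line, or None if it does not match."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def triage(text):
    """Count frames per (account, a, b, kind) and collect free-text payloads."""
    summary = {"frames": Counter(), "texts": [], "unparsed": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f is None:
            summary["unparsed"] += 1      # keep a count instead of dropping silently
            continue
        if f["code"] == "1" and f["value"] in ("0", "1"):
            kind = "keepalive"            # assumption: the 1/0 heartbeat
        elif f["code"] == "0" and f["value"]:
            kind = "text"                 # assumption: human-readable message
            summary["texts"].append((f["time"], f["account"], f["value"]))
        else:
            kind = "other"                # e.g. bare code 2, meaning unknown
        summary["frames"][(f["account"], f["a"], f["b"], kind)] += 1
    return summary

if __name__ == "__main__":
    result = triage(SAMPLE)
    for key, count in sorted(result["frames"].items()):
        print(count, *key)
    print("unparsed:", result["unparsed"])
```

Run over a full capture, the per-pair counts separate the heartbeat volume from the few text frames, which are the lines worth reading when trying to identify the client application.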
