This makes me think of two things. First, lop, or LoP, gives me some links to LinkedProcess, some "Distributed processing over XMPP".

Second, "Tool Automates Social Engineering In Man-In-The-Middle Attack"
http://www.darkreading.com/insiderthreat/security/privacy/showArticle.jhtml?articleID=225600304

On Wed, Jun 16, 2010 at 1:57 AM, Adam Seabrook <[email protected]> wrote:
> I had 5,000 accounts registered on chatmask.com and about 1,000 concurrent
> logins after which the server would block them. Banned all of them but they
> continue to try and log in but have stopped creating accounts. I personally
> think it is not a bot but some type of free messaging application as I
> captured some of the traffic and all it was is messages like this:
>
> [9:05 AM] 1273938324173lmc: 8017038491:8016548939:2
> [9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:05 AM] 1273938324173lmc: 8017038491:8016548939:0:what's up cutie
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:2
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:2
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:07 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:07 AM] 1273938324173lmc: 8017038491:8016548939:0:what's up cutie
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:2
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:10 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:10 AM] 1273938324173lmc: 8017038491:8016548939:0:this app is kinda messed up you should text me on my phone
> [9:10 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:10 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:1
> [9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:0
> [9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:0
>
> All of the connections seem to send a keep alive message of 1 or 0 every
> second and after a while they connect to another account on the server and
> exchange messages or another server.
>
> I can see the accounts have been created on the following servers:
> jabber.linux.it
> jabber.cc
> jabber.no
> jabber.meta.net.nz
>
> I suggest someone try to send messages to the accounts they have logged in
> and see if they can get a response from the users so we can find out what
> app it is.
>
> On 15/06/10 6:00 PM, Martin Sebald wrote:
>>
>> Hello viq!
>>
>>>> Maybe I'm stating the obvious here, but this really sounds like a
>>>> virus-originated botnet using XMPP as the control channel.
>>>
>>> I am thinking it would be interesting to see some of the content they are
>>> sending. I wonder if it would be feasible to set up a 'honeypot' server
>>> for them, just for the purpose of observing the traffic and what they are
>>> doing - maybe that would let us figure out in more detail what it is and
>>> what it does, maybe even its origin.
>>
>> The thing is how to make this honeypot server a target.
>>
>> What I don't understand is that just three servers are affected, all other
>> known server admins did not experience this. Sure there might be more
>> affected servers, but how are they targeted? From the public services list
>> at xmpp.org? Hardly because there are so many servers on this list, and
>> why they picked jabber.ccc.de and our server plus a third server?
>>
>> And with ~2000-3000 accounts altogether on these three servers this would
>> not make the trojan/virus very effective...
>>
>> Well, it might be that there are numerous other infected servers, but why
>> there is just nothing about all this on Google or XMPP related resources
>> like this list?
>>
>> Hm...
>>
>> Regards,
>> Martin
>>
--
viq
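The captured lines Adam quotes have a regular shape, so an admin can triage a capture mechanically instead of reading it by eye. The following is an added example, not code from anyone in this thread; the meaning it gives the numeric codes (0 carries chat text, 1:0/1:1/2 are keep-alive or control chatter) and the suspicion threshold are assumptions, and the sample lines are a constructed, abbreviated copy of the capture above.

```python
import re
from collections import Counter

# Captured line shape: "[H:MM AM] account: from:to:code[:payload]". Assumption for this
# example: code 0 carries chat text; 1:0, 1:1 and 2 are the keep-alive/control chatter.
LINE_RE = re.compile(
    r"^\[(?P<time>\d{1,2}:\d{2} [AP]M)\] (?P<account>\S+): "
    r"(?P<src>\d+):(?P<dst>\d+):(?P<code>\d+)(?::(?P<payload>.*))?$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a capture line; skipped by the caller
    msg = m.groupdict()
    msg["code"] = int(msg["code"])
    return msg

def summarize(lines):
    """Per-account triage: share of control chatter, distinct peers, and
    whether the real text is a few canned strings sent more than once."""
    acc = {}
    for msg in filter(None, map(parse_line, lines)):
        s = acc.setdefault(msg["account"], {"total": 0, "peers": set(), "text": Counter()})
        s["total"] += 1
        s["peers"].add(msg["dst"])
        if msg["code"] == 0 and msg["payload"] is not None:
            s["text"][msg["payload"]] += 1
    report = {}
    for account, s in acc.items():
        n_text = sum(s["text"].values())
        control_ratio = round(1 - n_text / s["total"], 2)
        repeated = sorted(p for p, n in s["text"].items() if n > 1)
        report[account] = {"total": s["total"], "text": n_text, "peers": len(s["peers"]),
                           "control_ratio": control_ratio, "repeated_text": repeated,
                           # Heuristic flag (assumption): mostly keep-alives plus canned repeats
                           "suspicious": control_ratio > 0.7 and bool(repeated)}
    return report

# Constructed sample in the thread's format (abbreviated, not the full capture)
SAMPLE = """\
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:2
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:1:1
[9:05 AM] 1273938324173lmc: 8017038491:8016548939:0:what's up cutie
[9:06 AM] 1273938324173lmc: 8017038491:8016548939:1:0
[9:07 AM] 1273938324173lmc: 8017038491:8016548939:0:what's up cutie
[9:08 AM] 1273938324173lmc: 8017038491:8016548939:1:1
[9:10 AM] 1273938324173lmc: 8017038491:8016548939:1:0
[9:18 AM] 1273938324173lmc: 8017038491:8016548939:1:0
""".splitlines()
```

Run `summarize(SAMPLE)` over a full capture to get one row per account; accounts that are almost all keep-alives with the same short line repeated to many peers are the ones worth a closer look.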
