Hello fellow XMPP operators.

I've just discovered 1000 (exactly) bot accounts on my server (creep.im). Since the last update of ejabberd, from version 16.02 to 16.03, I've noticed a drastic spike in CPU load. After inspecting the log I discovered that a lot of accounts with strange usernames fail to authorize, causing the cyrsasl_plain module to crash. I suppose these are bots and they have a broken authentication implementation which is not compatible with the latest ejabberd version.

I've collected the affected JIDs and discovered that there are exactly 1000 algorithmically generated accounts, and they were registered in early 2015. Here is the entire list, feel free to check if the same usernames are registered on your server: http://pastebin.ca/3653763. Probably these are unique to creep.im, but feel free to check from your side.

If you find the bots on your server, you can easily ban them with this BASH script (ejabberd specific): http://pastebin.ca/3653765.

Additionally, I've grabbed the roster contents of all bots and extracted the unique JIDs from them. I'm not sure that all of the JIDs are malicious, but at least the thisisy...@xmpp.jp, thisisyos...@draugr.us and tess...@exploit.im entries in the ejabberd log showed strong signs of some interaction with a large number of the aforementioned bots. I banned all such accounts for now; if there are any complaints, I'll resolve them on a case-by-case basis. Here is a full list of these JIDs: http://pastebin.ca/3653768 and the same list in ejabberd config (YAML) ban format: http://pastebin.ca/3653770.

To mitigate the constant crashing, one can use the mod_fail2ban module.

Feel free to share any valuable information if you have found similar patterns on your public service.

A
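As an added example (not the poster's script, and not part of ejabberd), the following Python snippet shows the detection side of the procedure described above: it counts failed authentications per JID from ejabberd log lines and renders the offenders as an ejabberd YAML ACL block of the kind the poster links to. The log lines are constructed samples, the exact "Failed authentication for ... from ..." message shape is an assumption about your ejabberd version, and the `blocked` ACL / `c2s` access rule follows the layout of the stock ejabberd.yml, so check both against your own config before applying.

```python
import re
from collections import Counter

# Constructed sample log lines in the shape of ejabberd's failed-authentication
# message (the format is an assumption; adjust FAILED_RE to your version).
SAMPLE_LOG = """\
2016-04-05 10:01:02.123 [info] <0.412.0>@ejabberd_c2s:wait_for_feature_request:701 (#Port<0.9>) Failed authentication for a1b2c3d4@creep.im from 203.0.113.10
2016-04-05 10:01:03.456 [info] <0.413.0>@ejabberd_c2s:wait_for_feature_request:701 (#Port<0.10>) Failed authentication for a1b2c3d4@creep.im from 203.0.113.10
2016-04-05 10:01:04.789 [info] <0.414.0>@ejabberd_c2s:wait_for_feature_request:701 (#Port<0.11>) Failed authentication for a1b2c3d4@creep.im from 203.0.113.10
2016-04-05 10:01:05.000 [info] <0.415.0>@ejabberd_c2s:wait_for_feature_request:701 (#Port<0.12>) Failed authentication for e5f6a7b8@creep.im from 203.0.113.11
2016-04-05 10:01:06.000 [info] <0.416.0>@ejabberd_c2s:wait_for_feature_request:701 (#Port<0.13>) Failed authentication for e5f6a7b8@creep.im from 203.0.113.11
2016-04-05 10:01:07.000 [info] <0.417.0>@ejabberd_c2s:wait_for_feature_request:701 (#Port<0.14>) Failed authentication for alice@creep.im from 198.51.100.7
2016-04-05 10:02:00.000 [info] <0.420.0>@ejabberd_c2s:wait_for_feature_request:701 (#Port<0.15>) Accepted authentication for alice@creep.im by ejabberd_auth_internal from 198.51.100.7
"""

# Matches only the failure message; "Accepted authentication" lines are ignored.
FAILED_RE = re.compile(r"Failed authentication for (?P<jid>[^@\s]+@\S+) from (?P<ip>\S+)")


def failed_auth_counts(log_text):
    """Return a Counter of failed authentications keyed by bare JID."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("jid")] += 1
    return counts


def suspicious_jids(log_text, threshold=3):
    """JIDs with at least `threshold` failures; a single typo'd password stays below it."""
    return sorted(jid for jid, n in failed_auth_counts(log_text).items() if n >= threshold)


def ban_acl_yaml(jids, acl_name="blocked"):
    """Render an ejabberd YAML fragment denying c2s login to the given JIDs."""
    lines = ["acl:", f"  {acl_name}:", "    user:"]
    lines += [f'      - "{jid}"' for jid in jids]
    lines += ["access_rules:", "  c2s:", f"    - deny: {acl_name}", "    - allow"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ban_acl_yaml(suspicious_jids(SAMPLE_LOG)))
```

Lowering the threshold to 2 would also catch the second constructed account; in practice tune it against the rate of failures a legitimate client produces on your server.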
