I'm terribly sorry for today's downtime. We are now back.

Post-mortem:

Yesterday my hosting provider, Hetzner, received an abuse report for our entire IP due to a user account that apparently was used as a botnet controller. I suspended the account immediately, but forgot to submit a statement to Hetzner.

After 24 hours, the IP to mastodon.social was locked by Hetzner. I've reached out to them as soon as I learned of this.

We're talking about an account that was created through normal means, that is not really distinguishable from just any random account, but contains something like "hello 1.2.3.4|" in its bio. The way they seem to be used is that some botnet software checks the profile to get its commands that way. It is not a Mastodon vulnerability and I don't think it's specific to Mastodon either.

@Gargron Holy shit.. We had the same thing!!

Only I responded and it's resolved!

@gargron people are using Mastodon accounts to control botnets? What a world we live in…

@dadosch These days people use everything that can somehow expose a piece of text on port 443 through a TLS encrypted standard protocol for botnets, as long as it has the ability to be written to without requiring payment or other things that create paper trails.

@fikran @dadosch I don't doubt it. Though it may be harder for them to do it with Twitter due to Twitter requiring phone numbers for new accounts. However, requiring phone numbers is really bad for privacy so we can't really do that here.

@Gargron Is there a way to prevent that, or to spot this kind of account ?

@Kandy The account had no posts and was not remarkable in any way except having "hello [IP address]" in its bio.
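A defender-side triage check for the pattern described above (a bare account with "hello [IP]" in its bio and no posts), as an added example in Ruby that is not part of this thread or of Mastodon's own code base; the account fields it reads (note, statuses_count, followers_count, created_at) and the sample records are assumed.

```ruby
# Added example, not Mastodon's own code: triage helper for the dead-drop
# pattern described above (an otherwise empty account whose bio carries a
# "hello <IPv4>|" beacon). The account fields used here are assumed.
require 'ipaddr'

# Bio beacon as described in the thread: "hello 1.2.3.4|", case-insensitive;
# an optional :port and the trailing pipe are tolerated.
BEACON_RE = /\bhello\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\s*\|?/i

# Return the IPv4 literal found in a bio, or nil when none parses.
def beacon_ip(note)
  return nil if note.nil?
  m = BEACON_RE.match(note)
  return nil unless m
  IPAddr.new(m[1]).to_s # rejects octets above 255
rescue IPAddr::InvalidAddressError
  nil
end

# Score one account; nil when no beacon is present, otherwise a hash of
# reasons a moderator can review before suspending.
def suspicious?(account, now: Time.now)
  ip = beacon_ip(account[:note])
  return nil unless ip
  reasons = ["bio contains beacon for #{ip}"]
  reasons << 'no posts' if account[:statuses_count].to_i.zero?
  reasons << 'no followers' if account[:followers_count].to_i.zero?
  age_days = (now - account[:created_at]) / 86_400
  reasons << 'account younger than 7 days' if age_days < 7
  { username: account[:username], ip: ip, reasons: reasons }
end

def flag_accounts(accounts, now: Time.now)
  accounts.map { |a| suspicious?(a, now: now) }.compact
end

# Constructed sample data; the usernames and addresses are made up.
SAMPLE = [
  { username: 'alice', note: 'Hiker, likes tea.', statuses_count: 42,
    followers_count: 12, created_at: Time.utc(2019, 3, 1) },
  { username: 'dropbox1', note: 'hello 203.0.113.7|', statuses_count: 0,
    followers_count: 0, created_at: Time.utc(2021, 5, 20) },
  { username: 'typo', note: 'hello 999.1.1.1|', statuses_count: 0,
    followers_count: 0, created_at: Time.utc(2021, 5, 20) }
].freeze

puts flag_accounts(SAMPLE, now: Time.utc(2021, 5, 22)).inspect
```

Only the second record is flagged: the third carries an octet above 255 and is dropped by the address check rather than reported.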

@Gargron @Kandy I don't really get that they could block our total IP for such a thing.. mstdn.social got the exact same mail with the same account that was an issue.

They also warned us they would take action if we didn't remove the account 🤔

@stux @Gargron @Kandy

What was the offensive account name?
I would like to check if it is in our instance

@pthenq1 @Gargron @Kandy Just checked and I see 2 toots from the account but otherwise nothing weird. It did have the same bio: "Hello [IP]". The account name was "@/anapa@/mstdn.social", which is suspended now.

@lars Yes, we got kinda the same abuse report and the same-ish accounts were active. After suspension, a write-back fixed the issue for them, it seemed. On mas.to there were also 2, I believe; they're gone now.

@palindromi @Kandy @Gargron @pthenq1

@stux
The reason why new users must answer a question about why they would use my instance. Many fake accounts are filtered out.

@Gargron Are you going to set up anything like a simple status.mastodon.social?

@Gargron This is fine, great it got back up and running quickly, and others will learn from this report too.

It is all a learning curve anyway.

@Gargron not sure if it's the same case, but apparently using mastodon profiles for cybercrime has been a thing for a while, in this case being used to tell a malware piece what C2 server to communicate to

bleepingcomputer.com/news/secu

@SSM230 Yes, this is the same issue. I don't think it's fair to blame "poor moderation" for this issue. These accounts don't stand out in any way! Right now they might have a suspicious looking bio, but we don't know how many accounts we don't know about that could be using far more obscure signals to do their bidding.

@Gargron definitely sounds like it could be implemented with any platform such as Facebook or Twitter

@Gargron

can you recreate the account and decode how it issues commands?

seizing control of the bots and leading them away from a life of crime and toward autonomously determining their own destiny from now on?

or would take more than like 3-4 minutes and it's not worth it?

@cicatriz_jdr I'm not a security researcher and I have not investigated the other side of this scheme. Recreating this account would reintroduce the issue with Spamhaus and Hetzner.

@Gargron I've seen this often on Instagram, but in the comments section. It's an established TTP for C&C

@Gargron
Blackholing a site that's Alexa ranked 20k and has 600k users because is a very Hetzner thing to do. But can't argue with their prices so ...
