I'm terribly sorry for today's downtime. We are now back.
Yesterday my hosting provider, Hetzner, received an abuse report for our entire IP due to a user account that apparently was used as a botnet controller. I suspended the account immediately, but forgot to submit a statement to Hetzner.
After 24 hours, the IP to mastodon.social was locked by Hetzner. I've reached out to them as soon as I learned of this.
We're talking about an account that was created through normal means, that is not really distinguishable from just any random account, but contains something like "hello 184.108.40.206|" in its bio. The way they seem to be used is that some botnet software checks the profile to get its commands that way. It is not a Mastodon vulnerability and I don't think it's specific to Mastodon either.
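An added moderation-side heuristic, not code from this thread or from Mastodon, that scans account bios for the pattern described in the post above: a routable IPv4 address, the trailing "|" delimiter, and an account that has never posted. The usernames, post counts and bios are constructed samples using documentation address ranges; a real deployment would read them from the instance's account table.

```python
import ipaddress
import re

# Constructed sample accounts for this example, modelled on the reported bio.
# Addresses come from RFC 5737 documentation ranges, not real indicators.
SAMPLE_ACCOUNTS = [
    {"username": "dropper01", "posts": 0, "bio": "hello 203.0.113.7|"},
    {"username": "alice", "posts": 412, "bio": "Gardener, cyclist, lives in Berlin"},
    {"username": "netadmin", "posts": 88, "bio": "Homelab on 192.168.1.10, ask me about routers"},
    {"username": "dropper02", "posts": 0, "bio": "hi there 198.51.100.23:8443 |"},
    {"username": "bob", "posts": 5, "bio": "build 300.1.2.3 shipped today"},
]

# Dotted quad, optionally followed by :port, not glued to other digits or dots.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?![\d.])")
MARKER_RE = re.compile(r"\|\s*$")  # the trailing pipe seen in the reported bio
# Ranges a C2 address cannot live in, listed explicitly because
# IPv4Address.is_global would also exclude the documentation ranges above.
NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def extract_public_ips(text):
    """Routable IPv4 addresses in text; bad octets (300.1.2.3) and private/loopback ranges are dropped."""
    found = []
    for match in IPV4_RE.finditer(text):
        try:
            addr = ipaddress.IPv4Address(match.group(1))
        except ipaddress.AddressValueError:
            continue
        if not any(addr in net for net in NON_ROUTABLE):
            found.append(str(addr))
    return found

def review_account(account):
    """Reasons a bio resembles a dead-drop resolver for a bot, or [] if nothing stands out."""
    ips = extract_public_ips(account["bio"])
    if not ips:
        return []
    reasons = ["public IPv4 in bio: " + ", ".join(ips)]
    if MARKER_RE.search(account["bio"]):
        reasons.append("bio ends with '|' delimiter")
    if account["posts"] == 0:
        reasons.append("account has never posted")
    return reasons

def flag_accounts(accounts):
    """Map username -> reasons for every account worth a moderator's look."""
    flagged = {a["username"]: review_account(a) for a in accounts}
    return {name: reasons for name, reasons in flagged.items() if reasons}
```

The output is a shortlist for a human moderator, not an automatic suspension: a legitimate user who puts a public server address in their bio will also land on it.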
@dadosch These days people use everything that can somehow expose a piece of text on port 443 through a TLS encrypted standard protocol for botnets, as long as it has the ability to be written to without requiring payment or other things that create paper trails.
@Kandy The account had no posts and was not remarkable in any way except having "hello [IP address]" in its bio.
@Gargron This is fine, great it got back up and running quickly, and others will learn from this report too.
It is all a learning curve anyway.
@Gargron Not sure if it's the same case, but apparently using Mastodon profiles for cybercrime has been a thing for a while, in this case being used to tell a piece of malware what C2 server to communicate with.
@SSM230 Yes, this is the same issue. I don't think it's fair to blame "poor moderation" for this issue. These accounts don't stand out in any way! Right now they might have a suspicious looking bio, but we don't know how many accounts we don't know about that could be using far more obscure signals to do their bidding.
@Gargron Definitely sounds like it could be implemented with any platform such as Facebook or Twitter.
Can you recreate the account and decode how it issues commands?
Seizing control of the bots and leading them away from a life of crime and toward autonomously determining their own destiny from now on?
Or would it take more than like 3-4 minutes and it's not worth it?
@cicatriz_jdr I'm not a security researcher and I have not investigated the other side of this scheme. Recreating this account would reintroduce the issue with Spamhaus and Hetzner.
@Gargron I've seen this often on Instagram, but in the comments section. It's an established TTP for C&C.