Post ADxzkBThwVc6cdOfOS by Kandy@the.goofs.space
(DIR) Post #ADxry1KBgtVTYJ1xE8 by Gargron@mastodon.social
2021-12-01T15:49:17Z
3 likes, 11 repeats
I'm terribly sorry for today's downtime. We are now back. Post-mortem: Yesterday my hosting provider, Hetzner, received an abuse report for our entire IP due to a user account that apparently was used as a botnet controller. I suspended the account immediately, but forgot to submit a statement to Hetzner. After 24 hours, the IP to mastodon.social was locked by Hetzner. I've reached out to them as soon as I learned of this.
(DIR) Post #ADxrzpzWnZ7iyxEYDI by stux@mstdn.social
2021-12-01T15:52:58Z
1 likes, 0 repeats
@Gargron Holy shit.. We had the same thing!! Only I responded and it's resolved!
(DIR) Post #ADxuazlrbJGTw5gj9U by Hyolobrika@fedi.club
2021-12-01T16:22:12.637450Z
0 likes, 0 repeats
@Gargron Now you know how it feels
(DIR) Post #ADxzkBThwVc6cdOfOS by Kandy@the.goofs.space
2021-12-01T16:05:58Z
0 likes, 0 repeats
@Gargron Is there a way to prevent that, or to spot this kind of account?
(DIR) Post #ADxzkCFv3GB729xAXY by Gargron@mastodon.social
2021-12-01T16:17:13Z
0 likes, 1 repeats
@Kandy The account had no posts and was not remarkable in any way except having "hello [IP address]" in its bio.
(DIR) Post #ADxzl5SvmaGaGRSpxQ by stux@mstdn.social
2021-12-01T17:19:43Z
0 likes, 0 repeats
@Gargron @Kandy Same here..
(DIR) Post #ADxzsz7bFmLwuBFijo by stux@mstdn.social
2021-12-01T17:21:19Z
0 likes, 0 repeats
@Gargron @Kandy I don't really get they could block our total IP for such a thing.. mstdn.social got the exact same mail with the same account that was an issue. They also warned us they would take action if we didn't remove the account 🤔
(DIR) Post #ADy0MJpPLVcRWVjNQG by pthenq1@mastodon.la
2021-12-01T17:26:39Z
0 likes, 0 repeats
@stux @Gargron @Kandy What was the offensive account name? I would like to check if it is in our instance
(DIR) Post #ADy0hQtwFA1nXcuyie by stux@mstdn.social
2021-12-01T17:30:27Z
0 likes, 0 repeats
@pthenq1 @Gargron @Kandy Just checked and I see 2 toots from the account but otherwise nothing weird. It did have the same bio: "Hello [IP]". The account name was "@/anapa@/mstdn.social", which is suspended now
(DIR) Post #ADy8ZcSWBgoIhgsTEO by palindromi@troet.cafe
2021-12-01T18:58:41Z
0 likes, 0 repeats
@stux @Kandy @Gargron @pthenq1 I think it's this method: https://www.bleepingcomputer.com/news/security/vidar-stealer-abuses-mastodon-to-silently-get-c2-configuration/
(DIR) Post #ADy8ifCdM6RNoslCrI by stux@mstdn.social
2021-12-01T19:00:18Z
0 likes, 0 repeats
@palindromi @Kandy @Gargron @pthenq1 Ahh! Thanks, let me check
(DIR) Post #ADyEqX2MCOPGXH5Yg4 by Gargron@mastodon.social
2021-12-01T20:06:32Z
0 likes, 1 repeats
We're talking about an account that was created through normal means, that is not really distinguishable from just any random account, but contains something like "hello 1.2.3.4|" in its bio. The way they seem to be used is that some botnet software checks the profile to get its commands that way. It is not a Mastodon vulnerability and I don't think it's specific to Mastodon either.
(DIR) Post #ADyGOqbE4ZA70WKDVg by dadosch@social.tchncs.de
2021-12-01T16:02:33Z
0 likes, 0 repeats
@gargron people are using Mastodon accounts to control botnets? What a world we live in…
(DIR) Post #ADyGOrSkrXypgXMxwe by fikran@thebag.social
2021-12-01T20:26:30.696765Z
0 likes, 0 repeats
@dadosch @Gargron People do/did that with Twitter too.
(DIR) Post #ADyHK7ICgEt7HpjfMW by Gargron@mastodon.social
2021-12-01T20:35:35Z
1 likes, 0 repeats
@fikran @dadosch I don't doubt it. Though it may be harder for them to do it with Twitter due to Twitter requiring phone numbers for new accounts. However, requiring phone numbers is really bad for privacy so we can't really do that here.
(DIR) Post #ADyMCU9CK3p7cihgYq by lars@fulda.social
2021-12-01T21:29:54Z
0 likes, 0 repeats
@palindromi Holy shit @stux @Kandy @Gargron @pthenq1
(DIR) Post #ADyMCUk46zJXT3x81g by stux@mstdn.social
2021-12-01T21:31:19Z
0 likes, 0 repeats
@lars @palindromi @Kandy @Gargron @pthenq1 See this :ablobwink: https://mastodon.social/@Gargron/107373474124118844
(DIR) Post #ADyTlqEKuUe1vWugfA by lars@fulda.social
2021-12-01T22:56:12Z
0 likes, 0 repeats
@stux Same problem on your instance @palindromi @Kandy @Gargron @pthenq1
(DIR) Post #ADyU3UFDOLNox3jpuy by stux@mstdn.social
2021-12-01T22:59:23Z
0 likes, 0 repeats
@lars Yes, we got kinda the same abuse report and the same-ish accounts were active. After suspension a write back fixed the issue for them it seemed. On mas.to there were also 2 I believe, they're gone now @palindromi @Kandy @Gargron @pthenq1
(DIR) Post #ADyUPmnj4y9IsIVua0 by lars@fulda.social
2021-12-01T23:03:26Z
0 likes, 0 repeats
@stux The reason why new users must answer a question why they would use my instance. Many fake accounts filtered out. @palindromi @Kandy @Gargron @pthenq1
(DIR) Post #AEJfbgdcMa7RpoE1E8 by SSM230@wetdry.world
2021-12-01T20:12:03Z
0 likes, 0 repeats
@Gargron not sure if it's the same case, but apparently using mastodon profiles for cybercrime has been a thing for a while, in this case being used to tell a malware piece what C2 server to communicate to https://www.bleepingcomputer.com/news/security/vidar-stealer-abuses-mastodon-to-silently-get-c2-configuration/
(DIR) Post #AEJfbh9ATHM9PezDP6 by Gargron@mastodon.social
2021-12-01T20:15:49Z
0 likes, 0 repeats
@SSM230 Yes, this is the same issue. I don't think it's fair to blame "poor moderation" for this issue. These accounts don't stand out in any way! Right now they might have a suspicious looking bio, but we don't know how many accounts we don't know about that could be using far more obscure signals to do their bidding.
(DIR) Post #AEJfbhfQXLA11i4yga by TurdFerguson@noagendasocial.com
2021-12-12T04:17:52Z
0 likes, 0 repeats
@Gargron @SSM230 it would be cool to have a data scientist that is familiar with statistics take a look at all the data points from the bad accounts at time of creation and time of deletion/disabled and run some analysis on them to find the common values so you can run a scan right after creation
(DIR) Post #AEJfjTCiC6aSUELqqW by TurdFerguson@noagendasocial.com
2021-12-12T04:19:18Z
0 likes, 0 repeats
@Gargron @SSM230 it would be cool to have a data scientist that is familiar with statistics take a look at all the data points from the bad accounts at time of creation and time of deletion/disabled and run some analysis on them to find the common values so you can run a scan right after a new account is created. I would imagine that it would not be too hard to run it anytime against the full user list on a server
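
Added example, not part of the thread and not Mastodon's own code: a moderation-side scan for the one signal the posts above describe, a near-silent account whose bio carries a public IP address, run over a user list as the last post suggests. It catches only this visible pattern and queues accounts for human review; the record fields (`acct`, `note` as HTML, `statuses_count`) are assumed to follow the shape of Mastodon's account data, and the sample records are constructed.

```python
import html
import ipaddress
import re

# Candidate dotted quad anywhere in the bio, not glued to other digits or dots.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
TAG_RE = re.compile(r"<[^>]+>")

def bio_text(note_html):
    """The bio ("note") is assumed to arrive as HTML; reduce it to plain text."""
    return html.unescape(TAG_RE.sub(" ", note_html or ""))

def public_ips_in_bio(note_html):
    """Return the globally routable IPv4 addresses found in a bio."""
    found = []
    for candidate in IPV4_RE.findall(bio_text(note_html)):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            continue  # not an address, e.g. a version string like 4.10.300.2
        if addr.is_global:  # skip private, loopback and reserved ranges
            found.append(str(addr))
    return found

def flag_accounts(accounts, max_statuses=2):
    """Accounts for human review: public IP in the bio and almost no posts."""
    flagged = []
    for acc in accounts:
        ips = public_ips_in_bio(acc.get("note"))
        if ips and acc.get("statuses_count", 0) <= max_statuses:
            flagged.append((acc["acct"], ips))
    return flagged

# Constructed sample records (not real accounts).
SAMPLE = [
    {"acct": "quiet_one", "note": "<p>hello 8.8.8.8|</p>", "statuses_count": 0},
    {"acct": "homelab", "note": "<p>router is at 192.168.1.1</p>", "statuses_count": 0},
    {"acct": "netadmin", "note": "<p>I run DNS on 1.1.1.1</p>", "statuses_count": 340},
    {"acct": "versions", "note": "<p>running build 4.10.300.2</p>", "statuses_count": 1},
]

if __name__ == "__main__":
    for acct, ips in flag_accounts(SAMPLE):
        print(acct, ips)
```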