Jitsi a C&C Malware Server?

Hi Guys!

I've got a question. I'm running Jitsi on a Debian 10 server. Everything is nice and works great!

But there is a sound problem after a 3rd person joins the room.
In my investigation, I checked some ports on my firewall. It's a Sophos UTM 9. My Sophos tells me that it found a C2/ZAccess-A on my Jitsi server. C2/ZAccess-A is the threat name associated with the command and control servers used by members of the ZeroAccess malware family.
My Sophos does a great job and blocks this traffic.

Does anyone have an idea?

greetings

Tobi

a.) Has your server somehow been corrupted/infected?
b.) Does Sophos need to check its detection rules?

This was my first hunch. I checked the system and nothing has been found.

Yes, I totally messed up. The message told me that my server is the target.
Sorry and thank you for your investigation.

greetings Tobi

Once the third person joins, Jitsi switches away from P2P mode. You can disable it for 1-on-1 chats, too, to make it easier to debug this problem.

I do this by setting

p2pTestMode: true

in the config.js file on the webserver.

As I never used Sophos UTM 9, I can't tell you what it is detecting. It does make sense that it will detect some incoming connections right when the 3rd person joins, though, as your Jitsi videobridge will not be utilized before that with the standard config.

Do audio and video work at all after the 3rd person joins? If Sophos blocks the traffic, I would expect audio and video to stop working.

I’m not an expert on Jitsi, by the way. Just some ideas.
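As an added illustration of the setting described above (this fragment is not part of aseeg's post and not the jitsi-meet project's shipped file), here is how the relevant part of a Jitsi Meet config.js reads. It assumes the upstream jitsi-meet layout in which `p2pTestMode` lives under the `testing` object and the P2P feature itself is toggled under `p2p`; the Debian package path `/etc/jitsi/meet/<your-domain>-config.js` is likewise an assumption to verify against your install.

```javascript
// Added example: fragment of a Jitsi Meet config.js, not the project's full file.
// The nesting of p2pTestMode under `testing` and of `enabled` under `p2p`
// follows the upstream jitsi-meet config.js as I know it; check the file your
// package shipped (assumed path: /etc/jitsi/meet/<your-domain>-config.js).
var config = {
    // ... hostname, bosh, websocket, etc. left as your install has them ...

    testing: {
        // Keep every call on the videobridge (JVB), even with only two
        // participants. The 1-on-1 case then behaves like the 3-person case,
        // so a firewall rule that only bites once JVB media starts flowing
        // shows up immediately instead of when the third person joins.
        p2pTestMode: true
    },

    p2p: {
        // Alternatively switch the P2P feature off entirely; with P2P
        // disabled, two-person calls go through the JVB as well.
        enabled: false
    }
};
```

Revert to the defaults once you are done debugging: routing two-person calls through the bridge costs server bandwidth and gives up the direct path P2P provides. For the bridge case to work at all, the JVB's media port (UDP 10000 by default) has to be reachable from every participant, internal clients included, which is exactly the path that is never exercised in a P2P 1-on-1 call.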

Hi aseeg,

the problem is not solved yet. I'm still looking for a solution.

Thank you for the advice, I will test it.

Yes, I thought the same. We use intrusion detection with Sophos, I will configure an exception and test it.

Thank you again for your advice, I will give you a recap after my testing.

greetings Tobi

Hi,

sorry for not answering for a long time.

I tested it and nothing happened.

But I found the real issue.

We use a DMZ and everything works great with 1 internal user and 1 external user. If a third person joins, the internal user gets lost. But if all users have an external connection, everything works great.

So I don't know why the internal/external communication works between one external user and one internal user, but with more than 1 external user and 1 internal user, the internal user gets lost.