[Operators] XMPP DDoS on yax.im today

Nikolay Mitev face at hmel.org
Wed Oct 5 08:19:52 UTC 2016


Hi

On Sat, Sep 03, 2016 at 12:35:04PM -0700, Tony wrote:
> Hi folks,
> 
> In addition to 31.184.194.36 please also watch out for
> 78.36.201.252.
Just got a registration from 78.36.201.252 for user
mfextezede at hmel.org

What's the best way to handle the situation? Ban the IP, delete user?

cheers,
/f

> A 'whois' shows very similar info to the IP Georg pointed out. I started
> noticing a suspicious registration pattern coming from 78.36.201.252
> dated 2016-08-29. The accounts would get registered, but most would not
> immediately login. Some accounts never logged in.
> 
> Here are some examples
> 
> I'm almost certain these 2 IPs are related. From the looks of it, they
> were once again attempting to build a big enough list of accounts to
> continue their attacks.
> 
> Cheers,
> T
> 
> 
> On 9/3/16 9:36 AM, Georg Lukas wrote:
> > Hi, I know this is getting boring...
> >
> > yax.im has been DDoSed every day since the first report, with 6h-12h of
> > traffic every day. The traffic patterns and JID structures are all the
> > same, but I have some more insights to contribute.
> >
> > Some of the zombies were registered on my server as well, with their IBR
> > timestamp on 2016-06-27.
> >
> > The registrations and the logins originated from the IP 31.184.194.36
> > which looks like an outdated Debian box at a Russian hosting company.
> > I've sent an abuse report but my hopes aren't high.
> >
> > Please block 31.184.194.36 in your firewalls and delete accounts
> > registered via that IP, to get rid of this one kiddie. Again, the list
> > of domains is attached to this email and you can request the list of
> > JIDs for your domain.
> >
> > Regarding possible mitigations, this is what I do on yax.im now from a
> > cron job:
> >
> > prosodyctl mod_list_inactive yax.im 1day event | \
> >         grep ' registered' | \
> >         awk '{ print "user:delete\"" $1 "\"" }' | \
> >         nc localhost 5582
> >
> > This requires the mod_lastlog module to be enabled for users' last
> > activity timestamps, it dumps the list of JIDs that were registered more
> > than 24h ago and never logged in, and pipes their deletion to
> > mod_admin_telnet.
> >
> >
> > Have a nice weekend,
> >
> >
> > Georg
> 
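The two heuristics discussed in the thread above, Georg's "registered more than 24h ago and never logged in" rule and Tony's observation of one IP registering many accounts that mostly never log in, as an added Python example; this is not the list's or Prosody's own code, the per-account record layout and the sample data are constructed, and the IPs are documentation-range placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the field layout (jid, registering IP,
# registration time, last login or None) is an assumption, not Prosody's
# own storage format.
ACCOUNTS = [
    ("a1@example.im", "203.0.113.7", "2016-08-29 04:50:00", None),
    ("a2@example.im", "203.0.113.7", "2016-08-29 04:51:00", None),
    ("a3@example.im", "203.0.113.7", "2016-08-29 04:52:00", "2016-08-29 04:53:58"),
    ("a4@example.im", "203.0.113.7", "2016-08-29 08:30:00", None),
    ("bob@example.im", "198.51.100.5", "2016-08-28 10:00:00", "2016-09-01 12:00:00"),
    ("new@example.im", "198.51.100.9", "2016-09-03 08:00:00", None),  # too fresh to judge
]

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2016, 9, 3, 9, 0, 0)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") if ts else None


def stale_never_logged_in(accounts, now=NOW, age=timedelta(days=1)):
    """Georg's rule: registered more than `age` ago and never logged in."""
    return sorted(jid for jid, _ip, reg, last in accounts
                  if parse(reg) <= now - age and last is None)


def suspicious_ips(accounts, min_accounts=3, min_dormant_ratio=0.5):
    """Tony's pattern: one IP registering many accounts, most never logging in."""
    per_ip = defaultdict(list)
    for _jid, ip, _reg, last in accounts:
        per_ip[ip].append(last is None)
    return sorted(ip for ip, dormant in per_ip.items()
                  if len(dormant) >= min_accounts
                  and sum(dormant) / len(dormant) >= min_dormant_ratio)


def accounts_from(accounts, ips):
    """All accounts registered from a set of flagged IPs."""
    return sorted(jid for jid, ip, _reg, _last in accounts if ip in ips)


def telnet_commands(jids):
    """mod_admin_telnet lines in the same form Georg's awk emits."""
    return ['user:delete"%s"' % j for j in jids]


if __name__ == "__main__":
    ips = suspicious_ips(ACCOUNTS)
    print("block:", ips)
    print("\n".join(telnet_commands(set(stale_never_logged_in(ACCOUNTS))
                                    | set(accounts_from(ACCOUNTS, ips)))))
```

Running the script on the constructed data flags 203.0.113.7 and emits deletion commands for its accounts plus the stale never-logged-in ones; feed the commands to the admin console only after reviewing the list.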