[Operators] XMPP DDoS on yax.im today

Tony tony at koderoot.net
Sat Sep 3 19:35:04 UTC 2016


Hi folks,

In addition to 31.184.194.36 please also watch out for 78.36.201.252. A
'whois' shows very similar info to the IP Georg pointed out. I started
noticing a suspicious registration pattern coming from 78.36.201.252
dated 2016-08-29. The accounts would get registered, but most would not
immediately login. Some accounts never logged in.

Here are some examples
--
cagayledgen1 at kode.im
thehacks at kode.im
fna4dan at im.koderoot.net
lewski24 at im.koderoot.net
gipimenta2009 at kode.im
marisvatboys at im.koderoot.net
hahaha54321 at kode.im
postmanbutters at im.koderoot.net
18653430081 at kode.im
luckywimalasena at im.koderoot.net
jasbirsimghsidhu at im.koderoot.net
koreshkofff at kode.im
king at kode.im

Last logout: 2016-08-29 04:53:58
IP address: 78.36.201.252
Last logout: 2016-08-28 14:36:50
IP address: 78.36.201.252
Last logout: 2016-08-29 04:57:09
IP address: 78.36.201.252
Last logout: 2016-08-29 08:34:26
IP address: 78.36.201.252
Last logout: 2016-08-29 08:34:12
IP address: 78.36.201.252
Last logout: 2016-08-29 12:24:44
IP address: 78.36.201.252
Last logout: 2016-08-29 12:20:51
IP address: 78.36.201.252
Last logout: 2016-08-29 08:36:28
IP address: 149.56.229.16
Last logout: 2016-08-29 12:22:06
IP address: 78.36.201.252
--

I'm almost certain these 2 IPs are related. From the looks of it, they
were once again attempting to build a big enough list of accounts to
continue their attacks.

Cheers,
T


On 9/3/16 9:36 AM, Georg Lukas wrote:
> Hi, I know this is getting boring...
>
> yax.im has been DDoSed every day since the first report, with 6h-12h of
> traffic every day. The traffic patterns and JID structures are all the
> same, but I have some more insights to contribute.
>
> Some of the zombies were registered on my server as well, with their IBR
> timestamp on 2016-06-27.
>
> The registrations and the logins originated from the IP 31.184.194.36
> which looks like an outdated Debian box at a Russian hosting company.
> I've sent an abuse report but my hopes aren't high.
>
> Please block 31.184.194.36 in your firewalls and delete accounts
> registered via that IP, to get rid of this one kiddie. Again, the list
> of domains is attached to this email and you can request the list of
> JIDs for your domain.
>
> Regarding possible mitigations, this is what I do on yax.im now from a
> cron job:
>
> prosodyctl mod_list_inactive yax.im 1day event | \
>     grep ' registered' | \
>     awk '{ print "user:delete\"" $1 "\"" }' | \
>     nc localhost 5582
>
> This requires the mod_lastlog module to be enabled for users' last
> activity timestamps, it dumps the list of JIDs that were registered more
> than 24h ago and never logged in, and pipes their deletion to
> mod_admin_telnet.
>
>
> Have a nice weekend,
>
>
> Georg

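An added example, not code from either poster, that applies both checks from this thread to constructed account records: Georg's selection of accounts registered more than 24h ago that never logged in (turned into mod_admin_telnet user:delete commands), and Tony's observation of many registrations arriving from one source IP, which also flags accounts that did log in briefly. JIDs and IPs are placeholders; the record layout is assumed, not Prosody's own.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records: (jid, registered_at, last_login, source_ip).
# Placeholder JIDs and RFC 5737 documentation addresses, not the thread's data.
SAMPLE = [
    ("alice@example.im",  "2016-08-28 09:00:00", "2016-08-29 11:30:00", "198.51.100.4"),
    ("bot01@example.im",  "2016-08-29 04:50:00", None,                  "203.0.113.7"),
    ("bot02@example.im",  "2016-08-29 04:51:00", None,                  "203.0.113.7"),
    ("bot03@example.im",  "2016-08-29 04:52:00", "2016-08-29 04:53:58", "203.0.113.7"),
    ("bot04@example.im",  "2016-08-29 08:34:00", None,                  "203.0.113.7"),
    ("newbie@example.im", "2016-08-30 07:00:00", None,                  "198.51.100.9"),
]

def never_logged_in(records, now, min_age=timedelta(days=1)):
    """JIDs registered more than min_age before `now` (a FMT string) that never
    logged in: the same set 'mod_list_inactive <host> 1day event | grep registered'
    selects. Accounts that logged in once (bot03) are deliberately not matched."""
    now = datetime.strptime(now, FMT)
    return sorted(jid for jid, reg, login, _ in records
                  if login is None and now - datetime.strptime(reg, FMT) > min_age)

def registration_bursts(records, min_count=3):
    """Source IPs that registered at least min_count accounts, with their counts.
    This catches the whole batch from one IP, including accounts that did log in."""
    counts = Counter(ip for _, _, _, ip in records)
    return {ip: n for ip, n in counts.items() if n >= min_count}

def accounts_from(records, ip):
    """All JIDs registered from a given source IP, for review before deletion."""
    return sorted(jid for jid, _, _, src in records if src == ip)

def delete_commands(jids):
    """mod_admin_telnet console commands (explicit parentheses; the cron job in
    the thread uses Lua's paren-less call form), one per account to remove."""
    return ['user:delete("%s")' % jid for jid in jids]

if __name__ == "__main__":
    stale = never_logged_in(SAMPLE, "2016-08-30 12:00:00")
    for ip, n in registration_bursts(SAMPLE).items():
        print("%d registrations from %s: %s" % (n, ip, ", ".join(accounts_from(SAMPLE, ip))))
    print("\n".join(delete_commands(stale)))
```

Feed the output of delete_commands to the telnet console as the quoted cron job does, after checking the burst listing by hand, since a shared NAT address can also produce several legitimate registrations.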