[Operators] XMPP DDoS on yax.im today

Thomas Camaran camaran at gmail.com
Mon Sep 5 09:13:37 UTC 2016


Is it possible to give me the cron job you have scheduled every day?

2016-09-03 21:35 GMT+02:00 Tony <tony at koderoot.net>:

> Hi folks,
>
> In addition to 31.184.194.36 please also watch out for 78.36.201.252. A
> 'whois' shows very similar info to the IP Georg pointed out. I started
> noticing a suspicious registration pattern coming from 78.36.201.252 dated
> 2016-08-29. The accounts would get registered, but most would not
> immediately login. Some accounts never logged in.
>
> Here are some examples
> --
> cagayledgen1 at kode.im
> thehacks at kode.im
> fna4dan at im.koderoot.net
> lewski24 at im.koderoot.net
> gipimenta2009 at kode.im
> marisvatboys at im.koderoot.net
> hahaha54321 at kode.im
> postmanbutters at im.koderoot.net
> 18653430081 at kode.im
> luckywimalasena at im.koderoot.net
> jasbirsimghsidhu at im.koderoot.net
> koreshkofff at kode.im
> king at kode.im
>
> Last logout: 2016-08-29 04:53:58
> IP address: 78.36.201.252
> Last logout: 2016-08-28 14:36:50
> IP address: 78.36.201.252
> Last logout: 2016-08-29 04:57:09
> IP address: 78.36.201.252
> Last logout: 2016-08-29 08:34:26
> IP address: 78.36.201.252
> Last logout: 2016-08-29 08:34:12
> IP address: 78.36.201.252
> Last logout: 2016-08-29 12:24:44
> IP address: 78.36.201.252
> Last logout: 2016-08-29 12:20:51
> IP address: 78.36.201.252
> Last logout: 2016-08-29 08:36:28
> IP address: 149.56.229.16
> Last logout: 2016-08-29 12:22:06
> IP address: 78.36.201.252
> --
>
> I'm almost certain these 2 IPs are related. From the looks of it, they
> were once again attempting to build a big enough list of accounts to
> continue their attacks.
>
> Cheers,
> T
>
>
> On 9/3/16 9:36 AM, Georg Lukas wrote:
>
> Hi, I know this is getting boring...
> yax.im has been DDoSed every day since the first report, with 6h-12h of
> traffic every day. The traffic patterns and JID structures are all the
> same, but I have some more insights to contribute.
>
> Some of the zombies were registered on my server as well, with their IBR
> timestamp on 2016-06-27.
>
> The registrations and the logins originated from the IP 31.184.194.36
> which looks like an outdated Debian box at a Russian hosting company.
> I've sent an abuse report but my hopes aren't high.
>
> Please block 31.184.194.36 in your firewalls and delete accounts
> registered via that IP, to get rid of this one kiddie. Again, the list
> of domains is attached to this email and you can request the list of
> JIDs for your domain.
>
> Regarding possible mitigations, this is what I do on yax.im now from a
> cron job:
>
> prosodyctl mod_list_inactive yax.im 1day event | \
>     grep ' registered' | \
>     awk '{ print "user:delete\"" $1 "\"" }' | \
>     nc localhost 5582
>
> This requires the mod_lastlog module to be enabled for users' last
> activity timestamps, it dumps the list of JIDs that were registered more
> than 24h ago and never logged in, and pipes their deletion to
> mod_admin_telnet.
>
>
> Have a nice weekend,
>
>
> Georg
>
>
>

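As an added illustration (not code from Georg, Tony or the Prosody project), the script below models the two defensive checks discussed in the quoted thread over a constructed lastlog-style table: the cron job's rule of selecting accounts whose last event is still "registered" and is older than one day, and Tony's observation that many registrations from one IP with no subsequent login are a useful signal. The record shape, JIDs, IP addresses and the "now" timestamp are all assumptions made for the example.

```python
import datetime as dt
from collections import Counter

# Constructed sample records shaped like the "Last logout / IP address" dump
# quoted above: (jid, last lastlog event, timestamp, source IP). All values
# are made up; the two IPs are documentation ranges, not real hosts.
SAMPLE = [
    ("zombie1@example.im", "registered", "2016-08-29 04:53:58", "203.0.113.7"),
    ("zombie2@example.im", "registered", "2016-08-29 04:57:09", "203.0.113.7"),
    ("zombie3@example.im", "registered", "2016-08-29 08:34:26", "203.0.113.7"),
    ("zombie4@example.im", "registered", "2016-08-29 12:24:44", "203.0.113.7"),
    ("alice@example.im",   "registered", "2016-09-02 20:00:00", "198.51.100.5"),
    ("bob@example.im",     "login",      "2016-09-01 09:00:00", "198.51.100.9"),
]

# Assumed time at which the daily cron run happens.
NOW = dt.datetime(2016, 9, 3, 9, 36)


def never_logged_in(records, now, max_age=dt.timedelta(days=1)):
    """JIDs whose last event is still 'registered' and older than max_age.

    This is the same selection as `mod_list_inactive ... 1day event | grep ' registered'`:
    an account that has logged in since registration would show a later event.
    """
    stale = []
    for jid, event, ts, _ip in records:
        when = dt.datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event == "registered" and now - when > max_age:
            stale.append(jid)
    return stale


def registrations_per_ip(records, min_count=3):
    """Source IPs that registered at least min_count accounts that never logged in."""
    counts = Counter(ip for _jid, event, _ts, ip in records if event == "registered")
    return {ip: n for ip, n in counts.items() if n >= min_count}


def delete_commands(jids):
    """Render admin-console deletions in the same form as the awk stage above.

    Lua lets a single string argument be passed without parentheses, so
    user:delete"jid" is equivalent to user:delete("jid").
    """
    return [f'user:delete"{jid}"' for jid in jids]


if __name__ == "__main__":
    for line in delete_commands(never_logged_in(SAMPLE, NOW)):
        print(line)
    print("registration bursts:", registrations_per_ip(SAMPLE))
```

Piping the printed deletion lines into the admin console (as the thread does with `nc localhost 5582`) is left to the operator; the functions only compute the candidate set.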
