Hi, I know this is getting boring... yax.im has been DDoSed every day since the first report, with 6h-12h of traffic every day. The traffic patterns and JID structures are all the same, but I have some more insights to contribute.
Some of the zombies were registered on my server as well, with their IBR
timestamp on 2016-06-27.
The registrations and the logins originated from the IP 31.184.194.36
which looks like an outdated Debian box at a Russian hosting company.
I've sent an abuse report but my hopes aren't high.
Please block 31.184.194.36 in your firewalls and delete accounts
registered via that IP, to get rid of this one kiddie. Again, the list
of domains is attached to this email and you can request the list of
JIDs for your domain.
Regarding possible mitigations, this is what I do on yax.im now from a
cron job:
# Run daily from cron: list accounts of yax.im that were registered more than
# a day ago and never logged in, turn each one into a user:delete command and
# pipe those into the mod_admin_telnet console on localhost:5582.
prosodyctl mod_list_inactive yax.im 1day event | \
grep ' registered' | \
awk '{ print "user:delete(\"" $1 "\")" }' | \
nc localhost 5582
This requires the mod_lastlog module to be enabled for users' last
activity timestamps; it dumps the list of JIDs that were registered more
than 24h ago and never logged in, and pipes their deletion to
mod_admin_telnet.
Have a nice weekend,
Georg
--
|| http://op-co.de ++ GCS d--(++) s: a C+++ UL+++ !P L+++ !E W+++ N ++
|| gpg: 0x962FD2DE || o? K- w---() O M V? PS+ PE-- Y++ PGP+ t+ 5 R+ ||
|| Ge0rG: euIRCnet || X(+++) tv+ b+(++) DI+++ D- G e++++ h- r++ y? ||
++ IRCnet OFTC OPN ||_________________________________________________||
272 0l.de
740 4impact.net.au
6 alltagskotze.net
736 anderson.de
1 armada.im
143 aws-pns-qa-01.primo.me
507 bam.yt
682 bashtel.ru
754 basket.coach
3 chaospott.de
373 chatme.biz
85 chatme.chat
379 chatme.community
406 chatme.education
77 chatme.im
390 chatme.link
40 chatme.lol
605 chatme.sexy
188 chatme.singles
276 chatme.social
54 chatme.top
55 chatme.wiki
522 chatme.xyz
3 chat.mypush.com.br
35 cirr.com
2 coding4coffee.ch
1780 codingteam.net
18 connyolivier.nl
47 copyleftgames.org
173 crypt.am
197 crypt.mn
169 cypherpunks.it
1 daitauha.fr
10 darkdna.net
1 darknet.im
2602 dcgate.org.ua
146 default.rs
1 devolute.org
349 dotchat.me
1829 dukgo.com
1 dzen.im
241 einfachjabber.de
47 entodaspartes.org
47 enviro.cz
47 erleuchtet.org
5 exploit.im
1 farline.ua
1 fasel.me
16 forwork.chat
455 freexmpp.net
214 f-sh.de
626 fuckav.in
1 furry.im
306 getchat.link
584 getchatme.link
19 ghostdub.de
2512 gorod.nu
1 graasmilk.net
24 guardianproject.info
24 hackinq.pl
1 haste.ch
1825 igniterealtime.org
5200 im.flosoft.biz
16 im.meticul.eu
24 im.pboesch.fr
24 im.primo.me
1 infornographie.net
1 injabber.info
1 instalock.pl
24 itns.co.za
24 j3e.de
1 j3ws.biz
1 jabber.bol.ru
23 jabber.c3d2.de
32 jabber.com.de
3023 jabber.co.za
1 jabber.cz
25 jabber.dark-world.de
802 jabber.dol.ru
1 jabber.fdn.fr
116 jabber.icequake.net
48 jabber.ipfire.org
1 jabber.ivanovo.ru
23 jabber.lancs.ac.uk
833 jabber.lg.ua
10 jabber.linux360.ro
23 jabber.logilab.org
686 jabber.me
456 jabber.mipt.ru
312 jabber.mk.ua
23 jabber.nerdbase.de
1 jabber.netzgehirn.de
3 jabberon.ru
716 jabber.ozerki.net
337 jabber.perm.ru
761 jabberpl.org
255 jabber.smash-net.org
81 jabber.tanet.ru
222 jabber.tsk.ru
2 jabbim.com
3 jabbim.cz
1 jabbim.pl
1 jabbim.sk
3 j-talk.me
3332 kdetalk.net
523 oneteam.im
23 palita.net
6518 pandion.im
349 parliamone.club
148 p-h.im
88 probiv.cc
200 probiv.me
349 prv.name
1 rosolina.estate
155 rows.io
199 rusanen.me
357 sj.ms
337 slang.cool
2 sudouser.ru
2 syslinux.ru
292 talk.mipt.ru
846 tigase.im
61 topsec.in
4 ustkut.ru
159 volity.net
29 vsjmaxx.co
84 weather.im
75 westchat.de
2 wirdorange.org
117 wizardtales.com
3 wwh.so
117 www.hda.me
3 www.lunaiten.de
7 xjabber.pro
230 xmpp.cm
2 xmppcomm.com
2 xmpp.elbinario.net
430 xmpp.guru
1492 xmpp.is
272 xmpp.jp
178 xmpp.pro
783 xmpp.su
482 xmpp.technology
189 xsrv.me
9 yax.im
1 zloy.im
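The cron-job cleanup described in the mail above, as an added example that is not code from the original mail or from Prosody: the same idea (delete accounts that were registered more than a day ago and never logged in, which still needs mod_lastlog), but with the listing parsed by a function that accepts only plain bare JIDs of the host being cleaned before they are interpolated into a console command, plus a dry run on a constructed sample. The input format "<jid> <timestamp> <event>" is an assumption taken from how the original pipeline uses the listing (a grep for ' registered' and the JID in the first field).

```shell
#!/bin/sh
# Added example, not code from the original mail. A slightly more defensive
# version of the cleanup pipeline, intended to run from cron.
#
# Assumed input (stdin): the output of
#     prosodyctl mod_list_inactive <host> 1day event
# with one account per line in the form "<jid> <timestamp> <event>", where the
# event is "registered" for accounts that were created but never logged in.
# That format is an assumption derived from the original pipeline.

# gen_delete_commands HOST
# Reads the listing on stdin and prints one user:delete("jid") console command
# per never-logged-in account of HOST. Anything that is not a plain bare JID of
# that host is reported on stderr and skipped, so a surprising line can never
# turn into an unintended command for the mod_admin_telnet Lua console.
gen_delete_commands() {
    host=$1
    while read -r jid _timestamp event; do
        [ "$event" = "registered" ] || continue
        case "$jid" in
            *@"$host") ;;
            *) echo "skipping account of another host: $jid" >&2; continue ;;
        esac
        # Allow only unproblematic localpart characters (no quotes, spaces or
        # slashes) before interpolating the JID into the Lua string literal.
        if printf '%s\n' "$jid" | grep -Eq '^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$'; then
            printf 'user:delete("%s")\n' "$jid"
        else
            echo "skipping malformed jid: $jid" >&2
        fi
    done
}

# Constructed sample listing (not real data) in the assumed format.
SAMPLE_LISTING='alice@yax.im 2016-06-27T10:00:00Z registered
bob@yax.im 2016-06-20T08:00:00Z login
car"ol@yax.im 2016-06-27T10:01:00Z registered
dave@other.example 2016-06-27T10:02:00Z registered
eve@yax.im 2016-06-27T10:03:00Z registered'

# dry_run_sample: the commands the sample would produce for yax.im, without
# sending anything to the console. Only alice and eve qualify: bob has logged
# in, the third line is not a valid JID, dave belongs to another host.
dry_run_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | gen_delete_commands yax.im 2>/dev/null
}

# Cron usage (run the dry run first, then feed the commands to the console):
#   prosodyctl mod_list_inactive yax.im 1day event | gen_delete_commands yax.im
#   prosodyctl mod_list_inactive yax.im 1day event | gen_delete_commands yax.im | nc localhost 5582
```

The skipped lines go to stderr rather than being silently dropped, so a cron mail shows when the listing contained something unexpected; keeping the host check means a mistyped host argument produces no commands at all instead of deleting accounts of another domain.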
