Hi folks,

In addition to 31.184.194.36 please also watch out for 78.36.201.252. A 'whois' shows very similar info to the IP Georg pointed out. I started noticing a suspicious registration pattern coming from 78.36.201.252 dated 2016-08-29. The accounts would get registered, but most would not immediately login. Some accounts never logged in.

Here are some examples --

Last logout: 2016-08-29 04:53:58  IP address: 78.36.201.252
Last logout: 2016-08-28 14:36:50  IP address: 78.36.201.252
Last logout: 2016-08-29 04:57:09  IP address: 78.36.201.252
Last logout: 2016-08-29 08:34:26  IP address: 78.36.201.252
Last logout: 2016-08-29 08:34:12  IP address: 78.36.201.252
Last logout: 2016-08-29 12:24:44  IP address: 78.36.201.252
Last logout: 2016-08-29 12:20:51  IP address: 78.36.201.252
Last logout: 2016-08-29 08:36:28  IP address: 149.56.229.16
Last logout: 2016-08-29 12:22:06  IP address: 78.36.201.252

--

I'm almost certain these 2 IPs are related. From the looks of it, they were once again attempting to build a big enough list of accounts to continue their attacks.

Cheers,
T

On 9/3/16 9:36 AM, Georg Lukas wrote:
> Hi, I know this is getting boring...
>
> yax.im has been DDoSed every day since the first report, with 6h-12h of
> traffic every day. The traffic patterns and JID structures are all the
> same, but I have some more insights to contribute.
>
> Some of the zombies were registered on my server as well, with their IBR
> timestamp on 2016-06-27.
>
> The registrations and the logins originated from the IP 31.184.194.36
> which looks like an outdated Debian box at a Russian hosting company.
> I've sent an abuse report but my hopes aren't high.
>
> Please block 31.184.194.36 in your firewalls and delete accounts
> registered via that IP, to get rid of this one kiddie. Again, the list
> of domains is attached to this email and you can request the list of
> JIDs for your domain.
>
> Regarding possible mitigations, this is what I do on yax.im now from a
> cron job:
>
> prosodyctl mod_list_inactive yax.im 1day event | \
>   grep ' registered' | \
>   awk '{ print "user:delete\"" $1 "\"" }' | \
>   nc localhost 5582
>
> This requires the mod_lastlog module to be enabled for users' last
> activity timestamps, it dumps the list of JIDs that were registered more
> than 24h ago and never logged in, and pipes their deletion to
> mod_admin_telnet.
>
> Have a nice weekend,
>
> Georg
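Added example, not code from either message in the thread: a Python version of the check both reports describe, flagging a source IP that registers a batch of accounts of which most never log in, and rendering the same user:delete form that Georg's awk step feeds to mod_admin_telnet. The JIDs, timestamps and the 203.0.113.7 address are constructed; 78.36.201.252 is the IP T reports, and the thresholds are assumptions for illustration.

```python
# Added example (not from the thread): flag source IPs that mass-register
# accounts which then never log in. Sample data below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional


class Registration(NamedTuple):
    jid: str
    ip: str                         # address the IBR request came from
    registered: datetime
    last_login: Optional[datetime]  # None: the account never logged in


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample (made-up JIDs and times; 203.0.113.7 is a documentation
# address; 78.36.201.252 is the IP named in the report).
SAMPLE: List[Registration] = [
    Registration("a1@example.net", "78.36.201.252", parse_ts("2016-08-29 04:50:01"), None),
    Registration("a2@example.net", "78.36.201.252", parse_ts("2016-08-29 04:51:17"), None),
    Registration("a3@example.net", "78.36.201.252", parse_ts("2016-08-29 04:52:40"), parse_ts("2016-08-29 04:53:58")),
    Registration("a4@example.net", "78.36.201.252", parse_ts("2016-08-29 08:30:05"), None),
    Registration("a5@example.net", "78.36.201.252", parse_ts("2016-08-29 08:31:22"), None),
    Registration("a6@example.net", "78.36.201.252", parse_ts("2016-08-29 12:19:03"), parse_ts("2016-08-29 12:20:51")),
    Registration("alice@example.net", "203.0.113.7", parse_ts("2016-08-29 09:00:00"), parse_ts("2016-08-30 18:12:00")),
]


def find_bulk_registrations(records: List[Registration], now: datetime, min_accounts: int = 5,
                            max_idle: timedelta = timedelta(days=1),
                            min_dormant_ratio: float = 0.5) -> Dict[str, List[str]]:
    """Group registrations older than `max_idle` by source IP; flag an IP with at
    least `min_accounts` of them where `min_dormant_ratio` or more never logged in.
    Returns {ip: sorted dormant JIDs}. Accounts that did log in are not listed."""
    by_ip: Dict[str, List[Registration]] = defaultdict(list)
    for r in records:
        if now - r.registered >= max_idle:
            by_ip[r.ip].append(r)
    flagged: Dict[str, List[str]] = {}
    for ip, regs in by_ip.items():
        dormant = sorted(r.jid for r in regs if r.last_login is None)
        if len(regs) >= min_accounts and len(dormant) / len(regs) >= min_dormant_ratio:
            flagged[ip] = dormant
    return flagged


def delete_commands(flagged: Dict[str, List[str]]) -> List[str]:
    """Render mod_admin_telnet commands in the user:delete form of Georg's awk step."""
    return ['user:delete"%s"' % jid for jids in flagged.values() for jid in jids]
```

Run against the sample two days after the burst, only 78.36.201.252 is flagged, with its four dormant accounts listed; the single organic signup from 203.0.113.7 and the two accounts that did log in are left untouched.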
