Is it possible to give me the cronjob you have scheduled every day?

2016-09-03 21:35 GMT+02:00 Tony <[email protected]>:
> Hi folks,
>
> In addition to 31.184.194.36 please also watch out for 78.36.201.252. A
> 'whois' shows very similar info to the IP Georg pointed out. I started
> noticing a suspicious registration pattern coming from 78.36.201.252 dated
> 2016-08-29. The accounts would get registered, but most would not
> immediately log in. Some accounts never logged in.
>
> Here are some examples
> --
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
>
> Last logout: 2016-08-29 04:53:58
> IP address: 78.36.201.252
> Last logout: 2016-08-28 14:36:50
> IP address: 78.36.201.252
> Last logout: 2016-08-29 04:57:09
> IP address: 78.36.201.252
> Last logout: 2016-08-29 08:34:26
> IP address: 78.36.201.252
> Last logout: 2016-08-29 08:34:12
> IP address: 78.36.201.252
> Last logout: 2016-08-29 12:24:44
> IP address: 78.36.201.252
> Last logout: 2016-08-29 12:20:51
> IP address: 78.36.201.252
> Last logout: 2016-08-29 08:36:28
> IP address: 149.56.229.16
> Last logout: 2016-08-29 12:22:06
> IP address: 78.36.201.252
> --
>
> I'm almost certain these 2 IPs are related. From the looks of it, they
> were once again attempting to build a big enough list of accounts to
> continue their attacks.
>
> Cheers,
> T
>
>
> On 9/3/16 9:36 AM, Georg Lukas wrote:
> > Hi, I know this is getting boring...
> > yax.im has been DDoSed every day since the first report, with 6h-12h of
> > traffic every day. The traffic patterns and JID structures are all the
> > same, but I have some more insights to contribute.
> >
> > Some of the zombies were registered on my server as well, with their IBR
> > timestamp on 2016-06-27.
> >
> > The registrations and the logins originated from the IP 31.184.194.36
> > which looks like an outdated Debian box at a Russian hosting company.
> > I've sent an abuse report but my hopes aren't high.
> >
> > Please block 31.184.194.36 in your firewalls and delete accounts
> > registered via that IP, to get rid of this one kiddie. Again, the list
> > of domains is attached to this email and you can request the list of
> > JIDs for your domain.
> >
> > Regarding possible mitigations, this is what I do on yax.im now from a
> > cron job:
> >
> >     prosodyctl mod_list_inactive yax.im 1day event | \
> >       grep ' registered' | \
> >       awk '{ print "user:delete\"" $1 "\"" }' | \
> >       nc localhost 5582
> >
> > This requires the mod_lastlog module to be enabled for users' last
> > activity timestamps; it dumps the list of JIDs that were registered more
> > than 24h ago and never logged in, and pipes their deletion to
> > mod_admin_telnet.
> >
> >
> > Have a nice weekend,
> >
> >
> > Georg

-- 
=======================================
Thomas Camaran
Mobile: +39 393 8352896
=======================================
This message and its attachments are addressed exclusively to the recipients. Any unauthorized use, communication or distribution is strictly prohibited. If you have received this message in error, we would be grateful if you destroyed every copy and informed the sender of the mistaken receipt.
[email protected]
=======================================
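The cleanup rule Georg runs from cron (delete accounts whose last mod_lastlog event is still "registered" and is older than a day) and the per-IP registration burst Tony describes, combined into one script as an added example. This is not code from the thread, from yax.im, or from prosody's own modules. It assumes an input format of one "jid event timestamp ip" line per account, modelled on mod_list_inactive's event output with an IP column added by hand (mod_list_inactive itself prints no IP; that column is an assumption), and the sample lines, the example.org JIDs and the allowlist are constructed for the example. It emits the same user:delete commands the awk line in the thread sends to mod_admin_telnet, plus a dry-run step and an allowlist, which the one-liner does not have.

```python
"""Added example, not code from the thread or from prosody's modules.

Reproduces Georg's cron-job rule (delete accounts whose last mod_lastlog
event is still "registered" and is older than a day), adds Tony's
observation (many registrations from one IP in a short window) as a
check, and emits the user:delete commands that the awk line in the
thread pipes to mod_admin_telnet.

ASSUMED input format: one "jid event timestamp ip" line per account,
modelled on mod_list_inactive's "event" output with an IP column added;
the sample below is constructed, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample, loosely shaped like the records Tony posted.
SAMPLE_EVENTS = """\
# jid                event      timestamp             ip
u1001@example.org    registered 2016-08-29T04:53:58   78.36.201.252
u1002@example.org    registered 2016-08-29T04:57:09   78.36.201.252
u1003@example.org    registered 2016-08-29T08:34:12   78.36.201.252
u1004@example.org    registered 2016-08-29T08:34:26   78.36.201.252
u1005@example.org    registered 2016-08-29T12:20:51   78.36.201.252
u1006@example.org    logout     2016-08-29T12:24:44   78.36.201.252
u1007@example.org    registered 2016-08-29T08:36:28   149.56.229.16
alice@example.org    registered 2016-09-03T10:00:00   192.0.2.10
bob@example.org      login      2016-09-01T19:30:00   192.0.2.11
carol@example.org    registered 2016-08-20T09:00:00   192.0.2.12
"""
NOW = datetime(2016, 9, 3, 12, 0, tzinfo=timezone.utc)  # "now" for this run


@dataclass(frozen=True)
class Account:
    jid: str
    event: str       # last mod_lastlog event: registered / login / logout
    when: datetime   # UTC time of that event
    ip: str          # IP seen with that event (assumed column)


def parse_records(text):
    """Parse the assumed 'jid event timestamp ip' lines; '#' lines are comments."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        jid, event, ts, ip = line.split()
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        accounts.append(Account(jid, event, when, ip))
    return accounts


def never_logged_in(accounts, now, min_age=timedelta(days=1)):
    """Georg's rule: last event is 'registered' (so no login ever happened)
    and it is at least min_age old, so fresh legitimate sign-ups survive."""
    return [a for a in accounts
            if a.event == "registered" and now - a.when >= min_age]


def burst_ips(accounts, threshold=5, window=timedelta(days=1)):
    """Tony's pattern: IPs with >= threshold never-logged-in registrations
    inside any `window`. Only accounts whose last event is still
    'registered' are visible here, so the count is a lower bound."""
    by_ip = defaultdict(list)
    for a in accounts:
        if a.event == "registered":
            by_ip[a.ip].append(a.when)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):       # sliding window over sorted times
            while times[start] < t - window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def deletion_commands(accounts, now, exclude=frozenset(), **rule):
    """mod_admin_telnet commands for the accounts Georg's rule selects, minus
    an allowlist. Lua accepts f"str" for a single string argument, which is
    why user:delete"jid" without parentheses works in the telnet console; a
    JID localpart cannot contain a double quote, so no escaping is needed."""
    return ['user:delete"%s"' % a.jid
            for a in never_logged_in(accounts, now, **rule)
            if a.jid not in exclude]


if __name__ == "__main__":
    accts = parse_records(SAMPLE_EVENTS)
    for ip, n in burst_ips(accts).items():
        print("# burst: %d registrations from %s" % (n, ip))
    # Dry run: review the list first, then pipe it to `nc localhost 5582`
    # as the thread does.
    print("\n".join(deletion_commands(accts, NOW)))
```

Run as-is it prints the burst IP and the deletion commands for review; in a cron job you would feed real mod_list_inactive output (with the IP column you add yourself) and pipe the result into nc as in Georg's one-liner, keeping the allowlist for accounts you know to be legitimate.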
