Hi

On Sat, Sep 03, 2016 at 12:35:04PM -0700, Tony wrote:
> Hi folks,
>
> In addition to 31.184.194.36 please also watch out for
> 78.36.201.252.

Just got a registration from 78.36.201.252 for user [email protected]

What's the best way to handle the situation? Ban the IP, delete user?

cheers,
/f

> 'whois' shows very similar info to the IP Georg pointed out. I started
> noticing a suspicious registration pattern coming from 78.36.201.252
> dated 2016-08-29. The accounts would get registered, but most would not
> immediately log in. Some accounts never logged in.
>
> Here are some examples
> --
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
> [email protected]
>
> Last logout: 2016-08-29 04:53:58
> IP address: 78.36.201.252
> Last logout: 2016-08-28 14:36:50
> IP address: 78.36.201.252
> Last logout: 2016-08-29 04:57:09
> IP address: 78.36.201.252
> Last logout: 2016-08-29 08:34:26
> IP address: 78.36.201.252
> Last logout: 2016-08-29 08:34:12
> IP address: 78.36.201.252
> Last logout: 2016-08-29 12:24:44
> IP address: 78.36.201.252
> Last logout: 2016-08-29 12:20:51
> IP address: 78.36.201.252
> Last logout: 2016-08-29 08:36:28
> IP address: 149.56.229.16
> Last logout: 2016-08-29 12:22:06
> IP address: 78.36.201.252
> --
>
> I'm almost certain these 2 IPs are related. From the looks of it, they
> were once again attempting to build a big enough list of accounts to
> continue their attacks.
>
> Cheers,
> T
>
>
> On 9/3/16 9:36 AM, Georg Lukas wrote:
> > Hi, I know this is getting boring...
> >
> > yax.im has been DDoSed every day since the first report, with 6h-12h of
> > traffic every day. The traffic patterns and JID structures are all the
> > same, but I have some more insights to contribute.
> >
> > Some of the zombies were registered on my server as well, with their IBR
> > timestamp on 2016-06-27.
> >
> > The registrations and the logins originated from the IP 31.184.194.36
> > which looks like an outdated Debian box at a Russian hosting company.
> > I've sent an abuse report but my hopes aren't high.
> >
> > Please block 31.184.194.36 in your firewalls and delete accounts
> > registered via that IP, to get rid of this one kiddie. Again, the list
> > of domains is attached to this email and you can request the list of
> > JIDs for your domain.
> >
> > Regarding possible mitigations, this is what I do on yax.im now from a
> > cron job:
> >
> > prosodyctl mod_list_inactive yax.im 1day event | \
> >     grep ' registered' | \
> >     awk '{ print "user:delete(\"" $1 "\")" }' | \
> >     nc localhost 5582
> >
> > This requires the mod_lastlog module to be enabled for users' last
> > activity timestamps, it dumps the list of JIDs that were registered more
> > than 24h ago and never logged in, and pipes their deletion to
> > mod_admin_telnet.
> >
> >
> > Have a nice weekend,
> >
> >
> > Georg
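An added example, not from the thread and not Prosody's own tooling, that scores the pattern Tony describes from registration and login events: registrations grouped by source IP, the fraction of those accounts that ever logged in, and the never-logged-in accounts older than 24h as deletion candidates rendered in the mod_admin_telnet form Georg's cron job pipes to port 5582. The event line format, the thresholds, the IP 203.0.113.7 and all JIDs are constructed assumptions; only the user:delete syntax and the 24h grace period come from the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events ("DATE TIME EVENT JID IP"): placeholder JIDs, not real log lines.
SAMPLE_LOG = """\
2016-08-28 14:30:00 registered z01@example.org 78.36.201.252
2016-08-28 14:36:50 login z01@example.org 78.36.201.252
2016-08-29 04:50:00 registered z02@example.org 78.36.201.252
2016-08-29 04:51:00 registered z03@example.org 78.36.201.252
2016-08-29 08:30:00 registered z04@example.org 78.36.201.252
2016-08-29 08:34:12 login z04@example.org 78.36.201.252
2016-08-29 12:20:00 registered z05@example.org 78.36.201.252
2016-08-29 09:00:00 registered alice@example.org 203.0.113.7
2016-08-29 09:05:00 login alice@example.org 203.0.113.7
2016-09-03 10:00:00 registered z07@example.org 78.36.201.252
"""
# Time of the reply in the thread, used as "now" for the age check.
EXAMPLE_NOW = datetime(2016, 9, 3, 12, 35, 4)

def parse_log(text):
    """Turn the constructed lines into (timestamp, event, jid, ip) tuples."""
    events = []
    for line in filter(None, text.splitlines()):
        date, time, event, jid, ip = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), event, jid, ip))
    return events

def find_zombie_accounts(events, now, min_registrations=5,
                         max_login_ratio=0.5, min_age=timedelta(hours=24)):
    """Per source IP with >= min_registrations accounts of which at most max_login_ratio
    logged in: the never-logged-in JIDs older than min_age (fresh ones count but are spared)."""
    registered = defaultdict(dict)  # ip -> {jid: registration timestamp}
    logged_in = set()
    for ts, event, jid, ip in events:
        if event == "registered":
            registered[ip][jid] = ts
        elif event == "login":
            logged_in.add(jid)
    suspects = {}
    for ip, accounts in registered.items():
        login_ratio = sum(jid in logged_in for jid in accounts) / len(accounts)
        if len(accounts) < min_registrations or login_ratio > max_login_ratio:
            continue
        suspects[ip] = sorted(jid for jid, ts in accounts.items()
                              if jid not in logged_in and now - ts >= min_age)
    return suspects

def telnet_delete_commands(jids):
    """Render the mod_admin_telnet user:delete("jid") lines the cron job pipes to port 5582."""
    return [f'user:delete("{jid}")' for jid in jids]
```

Review the returned JIDs before piping the commands anywhere; a single legitimate user registering from a shared NAT address keeps the IP below the thresholds, but a burst from a shared address would not.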
