Noticed some s2s sessions to servers we don’t usually talk to. Some dark-web related.
We have in-band registration enabled.
Turned on archiving of messages and the thing that sends admin a message when a user registers.
Lo and behold I start to see activity:
A new user with the username ‘urkwresy66lpu6’ just registered.
A new user with the username ‘309xyungivwpfi’ just registered.
Shortly thereafter s2s sessions appear so they are sending messages out!
Now what I found interesting was
-
Only a small number of these accounts ever show up in my user list. (Users/Groups -> Users -> User Summary)
-
While they are registering and sending messages out I do not see them in Sessions -> Active Sessions -> Client Sessions
I turned on message archiving and notice they do not use OTR and they seem to be sending spam or notifications out about some kind of Russian Silk Road TOR site.
Russian SilkRoad / rusilkusru6f57uw.onion- классика криминального рынка в современном исполнении. Забудьте ВСЕ, что Вы видели раньше.
Нужно решить вопрос с должниками, наказать вредителей? - Есть криминальные услуги.
Нужен поддельный документ? - вам в раздел поддельные документы.
Кардинг. Хакинг. Классика ПАВ - амфетамин и его разновидности, шишки, гашиш, бомы, LSD, cocaine и другое.
[…truncated]
My Qs:
-
How can someone do in-band registration and not show in user-list or have a session showing ?
-
Is there a plugin or mechanism we can use to say “if a user sends a message with keyword xyz lock his account” ?