Michael none

Joined: 18 May 2003 Posts: 48
|
Posted: Nov 10, 2003 7:52pm Post subject: Some annoying bots |
|
|
Anybody else getting these bots? They nearly always have a "\" as part of their nick, and the nicks are random characters. The bots join public channels and PM people with a link to a website supposedly with a "webcam."
The bots keep changing nicks to not be tracked, and sometimes try to register the first nick they come on as. Also, the hostmask seems to always be different.
They're not causing too much harm, but are annoying. |
 |
SiD Newbie

Joined: 23 Jun 2003 Posts: 60 Location: Australia
|
Posted: Nov 10, 2003 8:07pm Post subject: |
|
|
Hi Michael, We've been getting them as well and they have been successfully registering their nick(s) on our net.
| Code: |
-NickServ- Apn]}{Qd{f is qPgtmzlZJ
-NickServ- Last seen address: QBh@[..].nas14.milwaukee1.wi.us.da.qwest.net
-NickServ- Time registered: Nov 09 21:27:33 2003 GMT
-NickServ- Last seen time: Nov 09 21:32:42 2003 GMT
-NickServ- E-mail address: xAIoAFqGE@hotmail.com
-NickServ- Options: Security
|
At this time they're a moderate annoyance.
 |
tiko none

Joined: 24 Sep 2003 Posts: 49
|
Posted: Nov 11, 2003 1:15am Post subject: |
|
|
| We've been getting these bots on irc.7sinz.net as well. I have found that they do not have a CTCP VERSION reply, and kill them accordingly. |
 |
tiko none

Joined: 24 Sep 2003 Posts: 49
|
Posted: Nov 11, 2003 4:38am Post subject: Attention: |
|
|
Quote: "They're not causing too much harm, but are annoying."
Actually folks, they do cause harm, and quite a bit of it. I've managed to get my hands on the bot itself, and take it apart. It uses Windows Media Player to run a loader of sorts, that in turn installs a mIRC script.
This mIRC script is then used as the HTTP daemon, the bot itself, and a BNC that connects to undernet, dalnet, and plasa.com. This is where the harm comes in. It turns your computer into a bouncer for anyone that happens across one of the channels on Undernet.
As a matter of fact, this particular bot has a list of each and every server listed here on searchirc.org, probably the author's source. My network, 7sinzNet, is on the top of the list, and I see 15 to 20 of these things daily.
The loader creates a batch file, which contains the mIRC script and install routines for the script and a registry key to:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
The script itself, and the executable are installed into your mIRC\sounds folder.
It is not vulnerable in such a manner that it allows an attacker access to your computer, it only creates a bouncer.
As a final note, the bot's nickname will ALWAYS contain one or more of these characters: [ \ ] ^ _ ` { | } and the nick length will ALWAYS be between 3 and 10 characters.
Just my two cents. |
 |
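A host-side check for the persistence described in the post above, as an added example that is not part of the original thread: it parses the text printed by `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and lists values that start something from a mIRC sounds folder. That the Run value points into that folder is an assumption, and the function names, value names and paths are made up for illustration.

```python
import re

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")
# A path component containing "mirc" followed directly by a "sounds" directory.
# Assumption: the folder name contains "mirc"; quoting and arguments are ignored.
MIRC_SOUNDS = re.compile(r'\\[^\\"]*mirc[^\\"]*\\sounds\\', re.I)

def parse_run_values(reg_output):
    """Return {value_name: data} for the string values in `reg query` output."""
    values = {}
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group("type") in ("REG_SZ", "REG_EXPAND_SZ"):
            values[m.group("name")] = m.group("data").strip()
    return values

def autostarts_from_mirc_sounds(reg_output):
    """Names of Run values whose command line points into a mIRC sounds folder."""
    values = parse_run_values(reg_output)
    return sorted(name for name, data in values.items() if MIRC_SOUNDS.search(data))

# Constructed sample output; value names and paths are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    ExampleSound    REG_SZ    C:\mIRC\sounds\example.exe
    ExampleTray    REG_EXPAND_SZ    %ProgramFiles%\mIRC\mirc.exe
"""

if __name__ == "__main__":
    print(autostarts_from_mirc_sounds(SAMPLE))
```
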
skerg none

Joined: 14 Jul 2003 Posts: 5
|
Posted: Nov 11, 2003 9:21pm Post subject: |
|
|
Glad to see others are having the same problem (well, not glad, but good to know I'm not the only one being spammed). I first saw these bots a few months ago; I klined a few and they died off, but during the last week I've seen 15-20 a day (as someone said on here), and I can't find an easy way to stop them from coming back. Anyone got ideas besides banning each?
 |
Jason SearchIRC Developer

Joined: 03 May 2003 Posts: 1161 Location: Tampa, FL
|
Posted: Nov 11, 2003 9:28pm Post subject: |
|
|
tiko, if you can email me the server list out of the robot, I can pretty quickly determine if that robot got its list from SearchIRC.
 |
tiko none

Joined: 24 Sep 2003 Posts: 49
|
Posted: Nov 11, 2003 10:38pm Post subject: |
|
|
| Jason, sent. |
 |
Jason SearchIRC Developer

Joined: 03 May 2003 Posts: 1161 Location: Tampa, FL
|
Posted: Nov 11, 2003 11:40pm Post subject: |
|
|
While not as conclusive as I'd have liked (e.g., I was hoping networks would be named, so I could simply find some that aren't listed in SearchIRC or something of that nature), I was able to find several servers in that list that the SearchIRC robots have never seen (cached motds and /links).
But basically all that means is... at the very least, the list did not come directly from SearchIRC.
Speaking of which, you'll note the site layout for SearchIRC doesn't make it that easy to glean a list of servers. |
 |
tiko none

Joined: 24 Sep 2003 Posts: 49
|
Posted: Nov 12, 2003 2:54am Post subject: |
|
|
Jason,
I just happened to think of ifirc.com, and guess what, the first 790 or so of those servers come directly from their server listing.. Should've guessed.
Sorry for the misunderstanding, it was merely an oversight on my behalf. If anyone is interested in working to prevent these things, please contact me. |
 |
JB* none

Joined: 12 Nov 2003 Posts: 1
|
Posted: Nov 12, 2003 7:42pm Post subject: |
|
|
I can say with certainty that these bots have infiltrated the Moua7 servers of the FSZ.
We have only been here about 3 weeks, if even, and are also listed only here. |
 |
Mary SearchIRC Admin

Joined: 03 May 2003 Posts: 692
|
Posted: Nov 12, 2003 8:44pm Post subject: |
|
|
JB, a good way to check and see where your servers are advertised is to check Google.
http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=moua7
That shows a server list for Moua7 available from several sources, and indeed, there are several IRC sites that either provide servers.ini files, or list their information in a way that could easily be copied over to a bot.
A network's server list is very handy for the individual user, but showing a full server list for all networks is almost guaranteed to be used for abuse. Jason uses several measures to make gathering such data from SearchIRC very, very difficult and time-consuming. Because of the amount of effort required, it is highly unlikely our data will be found in malicious bots.
But never say never... if anyone should ever succeed, then we definitely want to see it -- so that hole can be closed.
Last edited by Mary on Nov 12, 2003 9:03pm; edited 1 time in total |
 |
Mary SearchIRC Admin

Joined: 03 May 2003 Posts: 692
|
Posted: Nov 12, 2003 9:01pm Post subject: |
|
|
Quote: "I just happened to think of ifirc.com, and guess what, the first 790 or so of those servers come directly from their server listing.. Should've guessed."
servers.ini
Much easier to plop a servers.ini into a bot, than sit down and click click click through SearchIRC's 1200+ networks to get to each network's server list and then copy it over to a script. |
 |
Orare none

Joined: 12 May 2003 Posts: 17
|
Posted: Nov 12, 2003 9:01pm Post subject: |
|
|
We are getting these bots also on Knightirc. There is a pattern to them, and we are successfully akilling them based on it.
They always have oddly formatted nicks.
They join the network and send the register command.
They immediately change nicks at least once sometimes twice.
They then join channels and leave.
They send the webcam PM to all non ops and non +V users.
I've also seen a significant network list that it's supposedly working from.. there are a tremendous amount of nets being targeted. |
 |
ed SearchIRC Staff

Joined: 25 May 2003 Posts: 367 Location: Baton Rouge, LA
|
Posted: Nov 12, 2003 9:32pm Post subject: |
|
|
Stick a bot in your major rooms as a normal (non-voice'd, non-op'ed) user, and /kill anyone who automatically sends the bot a URL.
It would be an easy job for a mIRC script, and just as easy with an eggdrop. |
 |
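The signals described in this thread combined into one detector, as an added example that is not code from any poster: tiko's nick pattern, the register-then-rename sequence Orare lists, and ed's decoy user that receives unsolicited URLs. The event tuple format, the weights and the threshold are assumptions chosen for illustration, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Characters tiko reports in every bot nick: [ \ ] ^ _ ` { | }
ODD_NICK = re.compile(r"[\[\\\]^_`{|}]")
URL = re.compile(r"(?:https?://|www\.)\S+", re.I)

def nick_matches(nick):
    """tiko's heuristic: 3-10 characters and at least one of the listed characters."""
    return 3 <= len(nick) <= 10 and bool(ODD_NICK.search(nick))

def score_events(events, decoys, threshold=3):
    """Replay (conn_id, kind, value, target) tuples; return {conn_id: score} at or above threshold.

    Assumed weights: odd nick 1, nick change 1, NickServ REGISTER 1,
    URL sent by PM to a decoy (unvoiced, non-op) nick 2.
    """
    score = defaultdict(int)
    seen = defaultdict(set)  # count each signal once per connection
    def hit(conn, signal, points):
        if signal not in seen[conn]:
            seen[conn].add(signal)
            score[conn] += points
    for conn, kind, value, target in events:
        if kind in ("CONNECT", "NICK") and nick_matches(value):
            hit(conn, "odd_nick", 1)
        if kind == "NICK":
            hit(conn, "nick_change", 1)
        elif kind == "PRIVMSG" and target.lower() == "nickserv" and value.upper().startswith("REGISTER"):
            hit(conn, "register", 1)
        elif kind == "PRIVMSG" and target in decoys and URL.search(value):
            hit(conn, "url_to_decoy", 2)
    return {conn: s for conn, s in score.items() if s >= threshold}

# Constructed sample events (not real traffic); "lurker" is the decoy nick.
DECOYS = {"lurker"}
SAMPLE = [
    (1, "CONNECT", "q\\Rt{b", ""),
    (1, "PRIVMSG", "REGISTER hunter2 a@example.invalid", "NickServ"),
    (1, "NICK", "Zp^ke_", ""),
    (1, "JOIN", "#chat", ""),
    (1, "PRIVMSG", "my webcam: http://example.invalid/cam", "lurker"),
    (2, "CONNECT", "alice_", ""),   # ordinary user whose nick also fits the pattern
    (2, "NICK", "alice", ""),
    (2, "PRIVMSG", "see http://example.org/faq", "#chat"),
    (3, "CONNECT", "bob", ""),
    (3, "PRIVMSG", "hi there", "lurker"),
]
```

Connection 2 matches the nick pattern and changes nick but stays under the threshold, which is why the nick test alone is a weak basis for a kill.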
Orare none

Joined: 12 May 2003 Posts: 17
|
Posted: Nov 12, 2003 9:50pm Post subject: |
|
|
 |