
Botnet Information

 
SearchIRC Forum Index -> IRC Abuse

Bobby2732000
none

Joined: 04 Nov 2004
Posts: 3

Posted: Nov 04, 2004 5:09pm    Post subject: Botnet Information

My network has been ddosed several times by someone named "Trake". I have gone undercover somewhat and got some information about his network of bots.

www.wavextech.com:+16668 SSL

Can anyone help me on this issue, not sure where to start. His bot channels are #bot and #sonic. My network has dropped from a 300-400 user to almost 50 user network, down for 2 weeks.

His ISP is AOL, which he uses to evade a lot. It's very irritating.

Anyone have advice?
EviL_SmUrF
Lurker

Joined: 23 Feb 2004
Posts: 219

Posted: Nov 05, 2004 12:51am

Domain Name.......... wavextech.com
Creation Date........ 2003-07-23
Registration Date.... 2003-07-23
Expiry Date.......... 2008-07-23
Organisation Name.... Jose S. Fabregas
Organisation Address. 99 Park Ave
Organisation Address. No 383A
Organisation Address. New York
Organisation Address. 10016-1601
Organisation Address. New York
Organisation Address. UNITED STATES

Admin Name........... Jose Fabregas
Admin Address........ 99 Park Ave
Admin Address........ No 383A
Admin Address........ New York
Admin Address........ 10016-1601
Admin Address........ New York
Admin Address........ UNITED STATES
Admin Email.......... joefab@rhemainternational.com
Admin Phone.......... +603.76257370
Admin Fax............

Tech Name............ Hardev Singh
Tech Address......... Suite 3A-17, Level 4, Block A
Tech Address......... Kelana Centre Point, No 3, Jalan SS/17,
Tech Address......... Kelana Jaya, Petaling Jaya
Tech Address......... 47301
Tech Address......... Selangor
Tech Address......... MALAYSIA
Tech Email........... hardev@rhemainternational.com
Tech Phone........... +603.76257370
Tech Fax.............
Name Server.......... ns1.fnbs.net.my
Name Server.......... ns2.fnbs.net.my



There you go. Give him a call and tell him to stop ddos'ing you.

However, I bet that the owner of that domain doesn't have anything to do with the person running the irc server hosting those bots. You may want to either

A. give the person a call
or
B. Send that person an email and let him know his box is being used to host illegal botnets, and that if the attacks do not stop you WILL "take matters into your own hands"


Edit: Since I hate script kiddies, I sent this email for you to the Tech Email listed there:

This is an official notice that your server is being used to host illegal botnets at the following IRC address:

www.wavextech.com port 16668

If your illegal activities do not cease, measures will be taken.


Thank you.
Plasma
Newbie

Joined: 10 Dec 2003
Posts: 63

Posted: Nov 05, 2004 1:19am

Looking at the IRC server itself, it's definitely a bot-only server (/LUSERS, /LIST, /WHOIS etc. are all disabled).
katsklaw
Guru

Joined: 28 Jun 2004
Posts: 1087

Posted: Nov 05, 2004 7:13am

Plasma wrote:
Looking at the IRC server itself, it's definitely a bot-only server (/LUSERS, /LIST, /WHOIS etc. are all disabled).


SIRC's IRC network has all those disabled too. I hardly think they are a bot net. I'm not arguing for or against your statement, just keep in mind that disabling /luser, /list and /whois is not proof that it's a bot net.
Jason
SearchIRC Developer

Joined: 03 May 2003
Posts: 1179
Location: Tampa, FL

Posted: Nov 05, 2004 12:35pm

I don't have lusers or list disabled :P

but I have seen many networks with /links and /map missing.
Bobby2732000
none

Joined: 04 Nov 2004
Posts: 3

Posted: Nov 05, 2004 2:20pm

When you join #sonic and #bot you can clearly see it's a botnet.

(03:19) »» Joined: #sonic
(03:19) »» Topic: .advscan lsass_445 100 5 0 -b -r -s
(03:19) »» Topic set by: Sonic_The_Hedgehog
(03:19) »» Quit [Trakey]57470 arsdif@205.167.96.YD449= (Ping Timeout)
(03:19) »» Join [Trakey]33214 vdqjimj@66.231.235.gT58=
(03:19) »» MODE Permission Denied: you do not have the required privileges
(03:19) »» Quit [Trakey]32501 atooibl@212.106.170.gd33= (Ping Timeout)
(03:19) »» Join [Trakey]37626 cbbkq@83.194.202.nM181=
(03:19) »» Quit [Trakey]58884 lhryx@61.52.171.5q84= (Connection reset by peer)
(03:19) »» Quit [Trakey]47992 ggwsts@200.217.177.xu30= (Connection reset by peer)
(03:19) »» Quit [Trakey]92214 rbovgg@222.137.106.Y836= (Connection reset by peer)


(03:23) »» Joined: #bot
(03:23) »» Topic: .adv.start lsass 100 5 0 -b -r -s
(03:23) »» Topic set by: Robotnik
(03:23) »» MODE Permission Denied: you do not have the required privileges
(03:23) »» Join JUAN007 JUAN007@217.11.109.w5321=
(03:23) »» Join DHOLLIE333 DHOLLIE333@195.95.93.Ha048=
(03:23) »» Join JONNA845 JONNA845@217.210.246.ds008=
(03:23) »» Quit MACIEK256 MACIEK256@83.28.9.Bn534= (Ping Timeout)
(03:23) »» Quit OLD-SCHOOL851 OLD-SCHOOL@217.156.98.4s625= (Ping Timeout)
(03:24) »» Join POEP-G1OKFG8QNT482 POEP-G1OKF@81.69.111.ni38=
(03:24) »» NOTICE Permission Denied: you do not have the required privileges
(03:24) »» Join JIHANE343 JIHANE343@81.67.4.1q100=
(03:24) »» Join POEP-G1OKFG8QNT633 POEP-G1OKF@81.69.111.ni38=

I'm going to contact the owner of the domain name, if anyone has any connections to people who can actually do something about this, help would be great. We don't want this guy corrupting any other IRC Networks out there.
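
An added example, not part of any post in this thread: a small triage script for IRC operators that scores a channel log for the signs visible in the log above (a topic that is a dot-prefixed command, and join/quit traffic dominated by nicks built from a fixed prefix plus a numeric suffix). The function name, thresholds and sample lines are assumptions; the sample is constructed in the same log format with documentation-range hosts.

```python
import re
from collections import Counter

# Constructed sample in the same client log format as the post above;
# hosts are documentation-range addresses, not taken from the thread.
SAMPLE_LOG = """\
(03:19) »» Joined: #sonic
(03:19) »» Topic: .advscan lsass_445 100 5 0 -b -r -s
(03:19) »» Topic set by: Sonic_The_Hedgehog
(03:19) »» Quit [Trakey]57470 arsdif@192.0.2.10 (Ping Timeout)
(03:19) »» Join [Trakey]33214 vdqjimj@198.51.100.7
(03:19) »» MODE Permission Denied: you do not have the required privileges
(03:19) »» Join [Trakey]37626 cbbkq@203.0.113.5
(03:19) »» Quit [Trakey]58884 lhryx@192.0.2.44 (Connection reset by peer)
"""

EVENT = re.compile(r"^\(\d\d:\d\d\) »» (Topic:|Join|Quit) (.+)$")
TEMPLATED = re.compile(r"^(.*?)(\d{3,})$")  # fixed prefix + numeric suffix

def channel_indicators(log_text, min_events=4, min_ratio=0.8):
    """Summarise bot-channel signs in one channel's log.

    min_events and min_ratio are illustrative thresholds (assumptions).
    """
    topic, nicks = "", []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # MODE/NOTICE errors, "Topic set by", chatter
        kind, rest = m.groups()
        if kind == "Topic:":
            topic = rest
        else:
            nicks.append(rest.split()[0])  # first token is the nick
    templated = [TEMPLATED.match(n) for n in nicks]
    prefixes = Counter(t.group(1) for t in templated if t)
    ratio = sum(1 for t in templated if t) / len(nicks) if nicks else 0.0
    command_topic = topic.startswith(".")  # topic is a command, not text
    return {
        "command_topic": command_topic,
        "templated_ratio": ratio,
        "top_prefix": prefixes.most_common(1)[0] if prefixes else None,
        "events": len(nicks),
        "suspicious": command_topic and len(nicks) >= min_events
                      and ratio >= min_ratio,
    }

if __name__ == "__main__":
    print(channel_indicators(SAMPLE_LOG))
```

A single indicator is weak evidence on its own; the script flags a channel only when the command-style topic and the templated-nick churn appear together.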
Plasma
Newbie

Joined: 10 Dec 2003
Posts: 63

Posted: Nov 05, 2004 8:31pm

It's a GTBot net, I didn't bother to try it but maybe if you login to the bots using the stock standard login (it's like !login Wazzup! or something - use google) and then see if you can uninstall/delete the bots - that would be golden.

Not sure if the bot comes with an uninstall command though.

katsklaw: Forgot to mention I had joined the channels and saw the botnet.

Also, an irc network is pretty useless for normal use if you can't perform any commands.
katsklaw
Guru

Joined: 28 Jun 2004
Posts: 1087

Posted: Nov 05, 2004 8:43pm

Quote:

katsklaw: Forgot to mention I had joined the channels and saw the botnet.


That would make a difference :)

As I said before .. I wasn't saying you're wrong or right. Just didn't think that having a few commands disabled was enough to say it was.

Quote:

Also, an irc network is pretty useless for normal use if you cant perform any commands.


Can't say I agree with that. The commands listed are informational commands and could easily be disabled by the paranoid.
All times are GMT - 6 Hours