nenolod Idler

Joined: 23 Jan 2004 Posts: 357 Location: A box!
|
Posted: Feb 27, 2005 12:23pm Post subject: Weird "Real Name " clients on IRC |
|
|
(If this is in the wrong location, feel free to move it.)
Does anyone have any insight into what these bots are? They appear to be link lookers, crawling IRC networks looking for new servers. However, they seem to have discovered an IRC network that is not yet open to the public, which makes me think they are scanning IP ranges as well.
Here's some example output:
| Code: |
11:33 !irc.mediadriven.us *** Notice -- Client connecting: omega2575 (XMFFGBDR@64.241.114.7) [64.241.114.7] [Real Name ]
11:33 !irc.mediadriven.us *** Notice -- LINKS '' requested by omega2575 (XMFFGBDR@64.241.114.7=) [irc.mediadriven.us]
11:34 !irc.mediadriven.us *** Notice -- Client exiting: omega2575 (XMFFGBDR@64.241.114.7) [Read error: 54 (Connection reset by peer)] [64.241.114.7]
|
They also register nicks too it seems:
| Code: |
10:09 -!- WALLOP NickServ: OPERWALL - [REG] ~lillemor@SyncNet-15C049C5.gen.twtelecom.net registered nick lillemor
10:38 -!- WALLOP NickServ: OPERWALL - [REG] ~ILuvJen@SyncNet-3511F6DC.gen.twtelecom.net registered nick ILuvJen
|
|
|
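The connect-then-LINKS pattern in the notices above can be flagged from the server-notice log itself. The following is an added example, not part of the original post: `find_link_lookers`, the two-minute window and the `alice` lines are assumptions made for illustration, and the regexes assume the exact notice layout quoted in the post.

```python
import re

# Constructed sample: the three notices quoted in the post, plus two made-up
# "alice" lines showing an ordinary client that runs LINKS much later.
SAMPLE = """\
11:33 !irc.mediadriven.us *** Notice -- Client connecting: omega2575 (XMFFGBDR@64.241.114.7) [64.241.114.7] [Real Name ]
11:33 !irc.mediadriven.us *** Notice -- LINKS '' requested by omega2575 (XMFFGBDR@64.241.114.7=) [irc.mediadriven.us]
11:34 !irc.mediadriven.us *** Notice -- Client exiting: omega2575 (XMFFGBDR@64.241.114.7) [Read error: 54 (Connection reset by peer)] [64.241.114.7]
11:40 !irc.mediadriven.us *** Notice -- Client connecting: alice (alice@192.0.2.10) [192.0.2.10] [Alice Example]
12:15 !irc.mediadriven.us *** Notice -- LINKS '' requested by alice (alice@192.0.2.10=) [irc.mediadriven.us]
"""

# Assumed log layout, taken from the post: "HH:MM !server *** Notice -- <text>"
NOTICE = re.compile(r"^(\d\d):(\d\d) \S+ \*\*\* Notice -- (.*)$")
CONNECT = re.compile(r"Client connecting: (\S+) \(\S+\) \[(\S+)\] \[(.*)\]$")
LINKS = re.compile(r"LINKS '.*?' requested by (\S+) \(")
EXIT = re.compile(r"Client exiting: (\S+) \(")


def find_link_lookers(log_text, window_minutes=2):
    """Return clients that requested LINKS within window_minutes of connecting."""
    sessions = {}   # nick -> (connect minute of day, ip, realname)
    findings = []
    for line in log_text.splitlines():
        m = NOTICE.match(line)
        if not m:
            continue
        minute = int(m.group(1)) * 60 + int(m.group(2))
        text = m.group(3)
        if c := CONNECT.search(text):
            nick, ip, realname = c.groups()
            sessions[nick] = (minute, ip, realname)
        elif q := LINKS.search(text):
            nick = q.group(1)
            if nick in sessions:
                start, ip, realname = sessions[nick]
                age = (minute - start) % 1440   # tolerate a midnight rollover
                if age <= window_minutes:
                    findings.append({
                        "nick": nick, "ip": ip, "minutes_after_connect": age,
                        # the literal placeholder realname seen in the thread
                        "placeholder_realname": realname.strip() == "Real Name",
                    })
        elif e := EXIT.search(text):
            sessions.pop(e.group(1), None)   # session over, forget the nick
    return findings


if __name__ == "__main__":
    for hit in find_link_lookers(SAMPLE):
        print(hit)
```

Because the log only carries HH:MM timestamps, the window is measured in whole minutes.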
darvocet none

Joined: 08 Jan 2005 Posts: 4
|
Posted: Mar 05, 2005 4:00pm Post subject: Re: Weird "Real Name " clients on IRC |
|
|
| nenolod wrote: | (If this is in the wrong location, feel free to move it.)
Does anyone have any insight into what these bots are? They appear to be link lookers, crawling IRC networks looking for new servers. However, they seem to have discovered an IRC network that is not yet open to the public, which makes me think they are scanning IP ranges as well.
Here's some example output:
| Code: |
11:33 !irc.mediadriven.us *** Notice -- Client connecting: omega2575 (XMFFGBDR@64.241.114.7) [64.241.114.7] [Real Name ]
11:33 !irc.mediadriven.us *** Notice -- LINKS '' requested by omega2575 (XMFFGBDR@64.241.114.7=) [irc.mediadriven.us]
11:34 !irc.mediadriven.us *** Notice -- Client exiting: omega2575 (XMFFGBDR@64.241.114.7) [Read error: 54 (Connection reset by peer)] [64.241.114.7]
|
They also register nicks too it seems:
| Code: |
10:09 -!- WALLOP NickServ: OPERWALL - [REG] ~lillemor@SyncNet-15C049C5.gen.twtelecom.net registered nick lillemor
10:38 -!- WALLOP NickServ: OPERWALL - [REG] ~ILuvJen@SyncNet-3511F6DC.gen.twtelecom.net registered nick ILuvJen
|
|
That is strange. I would try a /ctcp <nick> VERSION on them the next time you see them connect. If they reply with something odd you could do a version ban on it. The fact that they are registering nicknames is very odd, and makes me think it's not a bot. Maybe someone running a botnet and scanning IPs found your 6667 port open. So he connected to see what's up. Then he did a /LINKS (obvious) to check what servers you had linked. Then he registered his nickname for future visits. It could be because he found a vulnerability on your machine, and it could be because he is running bots. Or.. he just was bored.
Just a thought.
Darvocet (darvocet@epicirc.net) |
|
v3|0c17y Eleet

Joined: 28 Jan 2005 Posts: 650
|
Posted: Mar 05, 2005 6:22pm Post subject: |
|
|
Looks like the start of a breed of botnets to me.... It all starts with one bot linking to another and then gets out of control....
Can also be user regular channel bots which I highly doubt |
|
Guest
|
Posted: Nov 30, 2005 9:39am Post subject: |
|
|
| The bot from *gen.twtelecom.net also will use triggers and archive fileservers' folders and files at lightning speeds. One example was just seen as a new TDCC trigger was introduced and it instantly accessed it. It never uses the same nick twice. It began showing up on Maddshark a little over one month ago and has a dynamic IP also. TW is Time Warner, aka Roadrunner aka RR, all the same. I haven't found out if it is for or against IRC yet. I can only speculate as to why, but my best guess is MPAA/RIAA affiliations, or maybe just some kind of search engine like packetnews |
|
Ib3N Lurker

Joined: 10 Mar 2004 Posts: 157 Location: ChatSpike
|
Posted: Dec 02, 2005 7:53am Post subject: |
|
|
| lillemor is Norwegian for little mother, a common Norwegian nick as it's regarded as a "cute" nick |
|
Gidzz0r Guest
|
Posted: Dec 14, 2005 11:16am Post subject: hmm? |
|
|
| Ain't twtelecom just plain Taiwan telecom? |
|
Ty none

Joined: 15 Nov 2005 Posts: 47
|
Posted: Dec 15, 2005 2:57pm Post subject: |
|
|
| Twtelecom is Time Warner Telecom (generally T1 lines). |
|
FBI Guru

Joined: 19 Aug 2005 Posts: 1534 Location: Federation Of Bored IRC'ers
|
Posted: Dec 15, 2005 3:11pm Post subject: |
|
|
| Just get BOPM and IRC Defender, they probably get auto akilled.... |
|