clone attacks

hitnrun · none Joined: 28 Jul 2006 Posts: 2

Yes. some1 with the name Scottt / Scott -Rule / Scottz -Rule / ScotT / ScoTt, and other simialr names has been attacking our network with ClonesX v1.501b by kRaiX.
This person is a real script kiddie and we dont know a good way to handle this. If anyone else has had problems with him plz let me know and how you handled it.

He is rlly getting on our nerves. has about 100 clones join our chat channel and spam it rlly baddly.

FBI · Posted: Jul 28, 2006 8:41pm Post subject:

hitnrun · none Joined: 28 Jul 2006 Posts: 2

ok cool. Awesome.. How?

FBI · Posted: Jul 28, 2006 8:49pm Post subject:

slcker76 · none Joined: 22 Feb 2004 Posts: 3

this idiot has been dealt with, the point of the post should be to warn people about this clown, i was trying to be nice and help him set up anope, if he comes asking for help tell him to fuk himself

SATAN-HHH · Eleet Joined: 29 Nov 2003 Posts: 855 Location: Texas

Tranqerr · none Joined: 24 Mar 2005 Posts: 11

If using unreal (which is possible as many do with anope) this should work;

/spamfilter add u gline 3h Botnet [0-9][a-z]{5}![0-9][a-z]{5}@.+

FBI · Posted: Aug 05, 2006 12:30pm Post subject:

Jappy · none Joined: 28 Jun 2004 Posts: 9

for noestats secureserv , that line gline for a few hour all user from a1234 to abcd1234 , that all clonex

Clonex4 2 0 0 "(?i)^[[:alpha:]]{1,4}[[:digit:]]{4}$" "Youre nick is known as as Clonex drones please change nick !" 1

bzed · none Joined: 01 Dec 2006 Posts: 6

Looks like a good solution to me. Should try it out.

Niphyr · none Joined: 13 Jun 2006 Posts: 1

Here is a spamfilter that will trap them evertime:

Inudbz · none Joined: 02 Dec 2004 Posts: 33

Law, Do it like the pro's do it, BPM and Defcon is really helpful but !@#$ that, Set up a force join script like #lobby and then setup a popup for gline and get every one of those cock suckers at once.

Yeah^, Bleh, I've have been around for 10+ years and have used those proxy mass bot scripts, Use what the punks are using and learn how to get rid of them. Look up on google too if you want, and search for socks 5 proxies, see which ports there are and add it to the scanner in bopm, Helps get rid of alot of them and having more then one dnsbl works too.

AviZ · none Joined: 20 Jan 2007 Posts: 10

theres more than one way to skin a cat

SATAN-HHH · Eleet Joined: 29 Nov 2003 Posts: 855 Location: Texas

Atheme users also have the option to add the nickname variation to rawatch and set the akill/zline option on. Yes, I do realize that you could *possibly* risk killing other users with it, so I'd be careful. There are definently alot of options out there though, if you do your research on the ircd and services you run and get to know them properly.

Katlyn · Newbie Joined: 30 Sep 2006 Posts: 50

Hi,

A good way to remove the clones effectively and without affecting other users is to implement some sort of 'Trace' command into your services.

srvx already has this implemented and there is a copy of it for Anope (although you'll need to make some modifications for it to work properly) here.. http://www.anope.org/modules/os_trace.c

On our network (where we get alot of clone attacks) we have the trace command modified to include ? for letters and % for numbers, so if for example we had the bots that you had connecting then we could issue a command similar to /os trace akill nick ?%%%% ident ~?%%%%

There are tons of different trace criterias (eg. numchannels, nickage, channels, ident, vhost, mask, identify yes/no) which makes it very easier to track down clones, especially on a smaller network.

It's definately worth having BOPM as not only will it remove some of the clones but it will also alert you to any that are connecting.. A good blacklist at the moment is the EFnet rbl - http://rbl.efnet.org - unlike alot of the blacklists the entries are cleaned out regularly so you won't have false-positives turning up all the time.

-Katlyn