greg27 (Lurker)
Joined: 07 Oct 2006  Posts: 136  Location: Australia
Posted: May 04, 2007 9:12pm  Post subject: heads up on possible attack

heyhey-
just last night my network was swamped with spam bots - they joined the two largest channels on the network and started msging a url to users.
[23:35:18pm] *** Muhendis (MESUUT@CentralChat-6367A8B2.hsd1.va.comcast.net) has joined #chat
[23:35:20pm] *** gececi (Gang@ABA6DC85.3490D950.E5B51949.IP) has joined #chat
[23:35:21pm] *** yutuk (lezcade@1C4E37C6.9D7FB673.995736CA.IP) has joined #chat
[23:35:22pm] *** _KEREM (Cavit@D71DD0D7.95BE230F.64247187.IP) has joined #chat
[23:35:22pm] *** haCi_ (~ANDRE@92B11A76.1F99DAA4.827E5338.IP) has joined #chat
[23:35:22pm] *** _Carlos (mary@562D83D6.653C7AD3.B7FEE1AC.IP) has joined #chat
[05:53:38am] *** AysahitNeT3854 (ChatmsN@380DAC01.2B54F4B1.5A35579F.IP) has joined #chat
[05:53:39am] *** Ebru_ (ChatmsN@19B050C1.F46C03F6.D3E90872.IP) has joined #chat
[05:53:39am] *** yasamak (ChatmsN@F17E3EE.14BD07A8.F1235F32.IP) has joined #chat
[05:53:39am] *** kerem^^ (Muzisyen@667D1D99.11F21131.F567C0CC.IP) has joined #chat
[05:53:39am] *** GEZMIS^^ (ChatmsN@65625FCD.55569D03.E5B51949.IP) has joined #chat
[05:53:41am] *** AysahitNeT3854 (ChatmsN@380DAC01.2B54F4B1.5A35579F.IP) Quit (Z:lined (spam bot))
[05:53:41am] *** yasamak (ChatmsN@F17E3EE.14BD07A8.F1235F32.IP) Quit (Z:lined (spam bot))
[05:53:42am] *** kerem^^ (Muzisyen@667D1D99.11F21131.F567C0CC.IP) Quit (Z:lined (spam bot))
[05:53:42am] *** a_LeTtEr_FrOm_DeAhT_rOw (ChatmsN@41D302EB.633E5E72.9E38BE18.IP) has joined #chat
[23:35:24pm] Session Ident: Muhendis
[23:35:24pm] (Muhendis): Free Sex Movies Download Click Go To >> www.[deleted].com/webcam.exe
luckily i happened to be staring blankly at the snotice window when the first round connected, so i was able to set a spam filter pronto on the url they sent out. the bots tried to register their nicks on connect (but can't do it straight away on my network).
as you can see from the timestamps.. it went on for several hours, but the spamfilter took care of it all. irc defender helped a lot too; it picked up a few of the drones and locked the affected channels whenever another wave of bots connected.
the bots can be recognised by a double version response:
[23:51:31pm] ¢ VERSION info requested from 10Night^^
[23:51:32pm] ¢ VERSION reply of 'mIRC v6.01 Khaled Mardam-Bey' from 10Night^^
[23:51:33pm] ¢ version reply of 'mIRC v6.16 Khaled Mardam-Bey' from 10Night^^
the bots also joined a random channel on connect. some of the bots msg'd the virus url pretty much straight away, whilst others idled in a random channel and the two largest channels for a few minutes before msg'ing.
i have no idea who was responsible, but my network is in the mirc servers.ini so it could be some idiot just going through the list.
just a heads up.
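The two signatures described in this post (one client answering CTCP VERSION with two different strings, and a burst of joins within a few seconds that all share one ident, like the ChatmsN joins above) can be checked mechanically against a client log. This is an added example, not code from the post: the log format is assumed to match the mIRC-style lines quoted above, and the sample lines, the 5-second window and the 4-join threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log in the shape of the lines quoted in the post (not the real log).
# The client stamps 24-hour times with an am/pm suffix, so the suffix is accepted and ignored.
SAMPLE_LOG = """\
[05:53:38am] *** botA (ChatmsN@hostA.IP) has joined #chat
[05:53:39am] *** botB (ChatmsN@hostB.IP) has joined #chat
[05:53:39am] *** botC (ChatmsN@hostC.IP) has joined #chat
[05:53:40am] *** botD (ChatmsN@hostD.IP) has joined #chat
[05:53:41am] *** botE (ChatmsN@hostE.IP) has joined #chat
[06:10:02am] *** alice (~alice@home.example) has joined #chat
[23:51:32pm] ¢ VERSION reply of 'mIRC v6.01 Khaled Mardam-Bey' from botA
[23:51:33pm] ¢ version reply of 'mIRC v6.16 Khaled Mardam-Bey' from botA
[23:52:10pm] ¢ VERSION reply of 'irssi v0.8.10' from alice
"""

JOIN_RE = re.compile(r"^\[(\d\d):(\d\d):(\d\d)[ap]m\] \*\*\* (\S+) \(~?([^@]+)@(\S+)\) has joined (#\S+)")
VERSION_RE = re.compile(r"^\[[^\]]+\] \S+ version reply of '([^']*)' from (\S+)", re.IGNORECASE)

def _secs(h, m, s):
    """Seconds since midnight from the HH:MM:SS fields of a timestamp."""
    return int(h) * 3600 + int(m) * 60 + int(s)

def double_version_nicks(lines):
    """Nicks that answered CTCP VERSION with more than one distinct string (the post's bot tell)."""
    replies = defaultdict(set)
    for line in lines:
        m = VERSION_RE.match(line)
        if m:
            replies[m.group(2)].add(m.group(1))
    return {nick: sorted(v) for nick, v in replies.items() if len(v) > 1}

def join_bursts(lines, window=5, threshold=4):
    """Idents used by at least `threshold` different nicks that joined within `window` seconds."""
    joins = defaultdict(list)  # ident -> [(seconds since midnight, nick)]
    for line in lines:
        m = JOIN_RE.match(line)
        if m:
            joins[m.group(5)].append((_secs(*m.group(1, 2, 3)), m.group(4)))
    flagged = {}
    for ident, events in joins.items():
        events.sort()
        for start, _ in events:  # slide a window starting at each join
            run = [nick for t, nick in events if start <= t <= start + window]
            if len(set(run)) >= threshold:
                flagged[ident] = run  # the first qualifying window is enough to flag the ident
                break
    return flagged
```

Run `double_version_nicks(SAMPLE_LOG.splitlines())` and `join_bursts(SAMPLE_LOG.splitlines())` to see botA flagged for the double reply and ChatmsN flagged for the five joins in four seconds; alice triggers neither.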

FBI (Guru)
Joined: 19 Aug 2005  Posts: 1494  Location: Federation Of Bored IRC'ers
Posted: May 06, 2007 10:31pm

We sorta got the same attack but it was involved with DDoS also.
Note: no CTCP VERSION or TIME reply; seems like CloneX to me. Any ideas?
Quote:
May 06 14:47:31 *BRKILLER(BrKiller@12a06a62.2430b3da.1f49225e.29773c92X) has joined #lobby
May 06 14:47:36 <BRKILLER> wtf is dat???
May 06 14:47:47 <BRKILLER> stop flooding me
May 06 14:48:16 * Craig (~Craig@CENSORED.net) has joined #lobby
May 06 14:48:23 * JohnTitor gives channel operator status to Syntax
May 06 14:48:52 * MrZodiac (~mrzodiac@Network-Admin.geekslair.net) has joined #lobby
May 06 14:48:52 * JohnTitor gives channel operator status to MrZodiac
May 06 14:48:57 <Craig> how sucky
May 06 14:48:57 <Syntax> Who's flooding?
May 06 14:49:03 * clololz44 (~clololz44@540cf85.6b45bb2.dsl.bell.ca) has joined #lobby
May 06 14:49:04 <FBI> wow
May 06 14:49:04 * AYLA-1 (~AYLA-1@3af339a2.4fb88e4.dsl.bell.ca) has joined #lobby
May 06 14:49:04 * drpmi (~drpmi.dsl@27ea28c2.4b89d8f.dsl-w.verizon.net) has joined #lobby
May 06 14:49:04 * Emr3e|A (~Emr3e|A@1383ffec.3f38bee0.dsl.bell.ca) has joined #lobby
May 06 14:49:04 * AK1N{sex}1 (~AK1N{sex}@246a3fd8.9e889ae.dsl.bell.ca) has joined #lobby
May 06 14:49:04 * vb|_P (~vb|_P@1916f0b2.12daef3.dsl.bell.ca) has joined #lobby
May 06 14:49:04 * bgG (~bgG@113ade0c.24624475.infovia.com.ar) has joined #lobby
May 06 14:49:04 * h4xdd- (~h4xdd-@1ccf6d0.3a0f8979.dsl.bell.ca) has joined #lobby
May 06 14:49:05 * rot0rlez (~rot0rlez@16190e58.2fc699fc.dsl.bell.ca) has joined #lobby
May 06 14:49:05 * AD4LIM (~AD4LIM@ec7593a.2803ef39.vc.shawcable.net) has joined #lobby
May 06 14:49:05 * sttlwa (~sttlwa.ds@2e1bf8a9.2c546df3.dsl-w.verizon.net) has joined #lobby
May 06 14:49:05 * PIRAM1T (~PIRAM1T@246a3fd8.211e61ee.dsl.bell.ca) has joined #lobby
May 06 14:49:05 * ACK0111 (~ACK0111@307615a5.1e706c24.dsl.bell.ca) has joined #lobby
May 06 14:49:06 * h4yr4n6 (~h4yr4n6@18377e3c.22d996b6.highway.telekom.at) has joined #lobby
May 06 14:49:06 * U|woh| (~U|woh|@3fd056b1.3065b4fc.ct.charter.com) has joined #lobby
That's just a lil piece of the log. After the clone flood, several times he proceeded to ddos the ircd and took it down for 30 minutes.
Quote:
May 06 14:50:12 -d_|luck|/#lobby- ownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUow
May 06 14:50:12 -kandent/#lobby- ownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUown3drootownedpwnd0w3ndYOUow
May 06 14:50:12 -lrt-5/#lobby-
Guy goes by the nick BRKILLER or q
We were totally unprepared for this....
Right now we have Defender and BOPM installed with a second server.

greg27 (Lurker)
Joined: 07 Oct 2006  Posts: 136  Location: Australia
Posted: May 08, 2007 8:58am

looks like a different attack..
i just got hit again, same version response but the bots msg'd a different url and used a common ident - made getting rid of 'em nice and easy.
but these spam bots are getting annoying - anyone know what ip ranges are used in turkey? i am seriously considering zlining an entire country... most of the bots from the recent attacks came from 88.*, but this isn't exclusive to turkey.

bctrainers (Newbie)
Joined: 11 Mar 2005  Posts: 65  Location: kansas city
Posted: May 08, 2007 9:21am

Looking at the first ident of the original post, I'm guessing the centralchat irc network? The network I am staff on, global gamers, has recently had an increased slew of new spam bots. While we have been able to get rid of most spam bots via a scan on connect and such, some bots can still get through... but that's to be expected heh. Overall, it seemed that the botnet that hit our irc net was a clonesX form of it or so... all with random nick but same ident.
edit: stupid phone cut off text post.

greg27 (Lurker)
Joined: 07 Oct 2006  Posts: 136  Location: Australia
Posted: May 11, 2007 8:51am

if anyone is getting hit by this bot net, you can find me on irc.centralchat.net as 'xander'. i will send you my akill list, looks like i've banned most of these bots.

BrKiller
Joined: 05 Oct 2005  Posts: 1
Posted: May 15, 2007 11:23am

FBI, you shouldn't go on accusing random people without proof...
Also, if you haven't noticed, there are a couple of thousand 'script kiddies' running around the internet and flooding people, so it's not like ONE person floods the whole internet.
I'm netadmin too and my network also gets botflooded often, so noobs shouldn't come crying here saying 'OMG I GOT FLOODED!!!'. Go protect your network properly, deal with it, and above all, stop accusing random people.

FBI (Guru)
Joined: 19 Aug 2005  Posts: 1494  Location: Federation Of Bored IRC'ers
Posted: May 15, 2007 8:00pm

BrKiller wrote:
> FBI, you shouldn't go on accusing random people without proof...
> Also, if you haven't noticed, there are a couple of thousand 'script kiddies' running around the internet and flooding people, so it's not like ONE person floods the whole internet.
> I'm netadmin too and my network also gets botflooded often, so noobs shouldn't come crying here saying 'OMG I GOT FLOODED!!!'. Go protect your network properly, deal with it, and above all, stop accusing random people.

I didn't say it was you, just a guy with a nick BrKiller; it could be anyone in the world with a nick BrKiller.
I don't know why you're defending yourself heh, and I ain't accusing anyone of flooding.

greg27 (Lurker)
Joined: 07 Oct 2006  Posts: 136  Location: Australia
Posted: May 16, 2007 3:29am

BrKiller wrote:
> I'm netadmin too and my network also gets botflooded often, so noobs shouldn't come crying here saying 'OMG I GOT FLOODED!!!'. Go protect your network properly, deal with it, and above all, stop accusing random people.

i wasn't aware of anyone in this thread complaining about getting flooded - i see people commenting on floods and offering information or advice to others.
maybe you should leave this thread and go protect your own network properly before telling other "noobs" to do the same.

NightWing{s}
Joined: 26 Mar 2007  Posts: 33
Posted: May 17, 2007 9:01am

Thanks for the information peeps, will keep my eyes open and pass the info on to the rest of my staff... if we start gettin botted i can turn the bot protection on... it requires a user to enter a number to log on... the number changes each logon... will play havoc with my resident bot but he can go offline for a while

PingBad (Guru)
Joined: 05 Feb 2005  Posts: 2012  Location: New Zealand
Posted: May 17, 2007 8:24pm

NW, that's a good defense for the short-term, but bot scripters are getting wiser... it would only be a matter of time to code in something to catch the numeric/server notice challenging the end-client and thus create a reply based on it - effectively bypassing that obstacle

Stefano (Eleet)
Joined: 03 Apr 2005  Posts: 524  Location: Beirut
Posted: May 18, 2007 7:38am

some people called my net merkava, just like the israeli tanks, because it's really unfloodable lol

Crash_ChatNSN (Idler)
Joined: 07 Nov 2005  Posts: 252  Location: Little Rock Ar
Posted: May 29, 2007 3:14am

Stefano wrote:
> some people called my net merkava, just like the israeli tanks, because it's really unfloodable lol

when i get undrunk you want to test that theory out?

greg27 (Lurker)
Joined: 07 Oct 2006  Posts: 136  Location: Australia
Posted: May 30, 2007 3:55am

rofl..
not exactly the smartest thing to post on an irc related forum, stefano.

Stefano (Eleet)
Joined: 03 Apr 2005  Posts: 524  Location: Beirut
Posted: Jun 03, 2007 3:06am

ah sure, let me know when
at least we could test and perfectionate it out in case of weakness :p

FBI (Guru)
Joined: 19 Aug 2005  Posts: 1494  Location: Federation Of Bored IRC'ers
Posted: Jun 05, 2007 6:24pm

Stefano wrote:
> ah sure, let me know when
> at least we could test and perfectionate it out in case of weakness :p

It's impossible to get past Stefano's Drunk Defense