mthwgrn none

Joined: 09 Dec 2007 Posts: 28
Posted: Jan 27, 2008 10:53pm Post subject: Proof of Previous post on Attacker BEWARE

My previous post was deleted because of lack of proof. Simply save this image to your hard drive and zoom in if it is unreadable to you here. The user is searching the SearchIRC networks list and finding small networks where he can run rampant. I recommend a PM to myself if you want help in getting rid of this user before he even has the chance to join your network. I've seen him go by the nicknames qw and Purple}{aze on IRC, and his SearchIRC name is Dipset. I have his IP and hostname; I will not give it to anyone looking to attack him, only to users looking to ban him from their network. His only intent is to flood bots, nothing good.
 |
PingBad Guru

Joined: 05 Feb 2005 Posts: 2012 Location: New Zealand
Posted: Jan 27, 2008 11:02pm Post subject:

Having personally seen these attacks myself - on this net, and others - I'll vouch for this.
 |
Jobe Idler

Joined: 30 Jul 2006 Posts: 349 Location: Lurking in the shadows of some random channel!
Posted: Jan 28, 2008 8:52am Post subject:

I've seen this attack too, all of around 13 bots joined my net. Only 3 got past BOPM, which made it easy to deal with.
The URL they spam changes though.
Code:
[02:24:44] -!- qw [logz@3eb9db92.208452fc.il.comcast.net] has joined #redial
[02:27:27] -!- QBzwqeWrVx [nwlvapnbdp@3d7b9bc1.268650f2.1c368726.IP] has joined #redial
[02:27:28] -!- uWeKdyi [ctbu@3d7b9bc1.268650f2.1c368726.IP] has joined #redial
[02:27:28] -!- BRUqWua [fdu@9e98fe9.3d7b9bc1.dsl.cavtel.net] has joined #redial
[02:27:31] < QBzwqeWrVx> http://81.22.91.102/~temp/money.exe
[02:27:31] < uWeKdyi> http://81.22.91.102/~temp/money.exe
[02:27:32] < uWeKdyi> http://81.22.91.102/~temp/money.exe
...
<snip>
...
[02:33:47] < qw> what is redial
[02:34:15] -!- qw [logz@3eb9db92.208452fc.il.comcast.net] has quit [Quit]

The last 2 lines were a few minutes after the 3 bots that survived were removed from the network.
One point I will mention though is if he's getting servers from SearchIRC he's going through deactivated listings too. Since my net (well not really mine) was delisted a while ago.
 |
Katlyn none

Joined: 30 Sep 2006 Posts: 33
Posted: Jan 28, 2008 1:59pm Post subject:

Hi,
He was also present on our network for a while (although either he didn't connect any bots, or wasn't able to) and made the channel #root# in which he claimed to be making 'fake' rxBots through mIRC scripting. He soon started to join channels with these supposed fake bots and spread links to downloads which never existed. (I doubt the link he was spamming there works).
Just looked at our services records and it seems that he still visits the network with the nickname qw.. however he has used both 'law' and 'gopzap' in the past.
His bots are just proxy bots and should easily be stopped with any properly configured BOPM.
If it helps his email address is desiejp@hotmail.com (Sorry if we're not supposed to give out users' details here).
 |
Mary SearchIRC Admin

Joined: 03 May 2003 Posts: 692
Posted: Jan 28, 2008 2:09pm Post subject:

We don't make a servers.ini and Jason has several programs in place to prevent mass harvesting of data from SearchIRC in order to prevent spambots and other botnets from using data published here to abuse networks.
Type the name of the connect server the bot used into Google and see how many websites come up. You'd be surprised how many channels tell users where to connect via their websites.
 |
mthwgrn none

Joined: 09 Dec 2007 Posts: 28
Posted: Jan 28, 2008 5:07pm Post subject: Mary

I am not blaming his attacks on SearchIRC. I love this site, it's an excellent concept, but anyone can view smaller networks from the Networks link on the site and go crash them. And usually more smaller networks seem to have inexperienced admins.
I just wanted to provide solid evidence as my previous post was deleted. I hope this one stays up for a while. Again, I will not post his information to the public but privately I will give his information so you can ban him from your network before he comes.
My community is small and friendly. I didn't have a BOPM until 2 minutes after he left as I never needed it. It's just a shame that there are people out there that do such a thing.
Also, he is not a big threat. He connects through his real hostname and IP. His bots are weak and they do advertise a virus, so beware of clicking on the link. I am glad demon-child (they have a relay bot to our network) found his bot source and figured out who it was. They didn't want to accept his link so he started flooding in bots. And then had the nerve to say "Guys I can help you get rid of them, it's easy", obviously 'cause they were his own bots. He went to purplesurge last night, also relayed to my network, and tried the same but was banned.
Last night he used the nick Purple}{aze. Please BEWARE and mods please keep this post up and To the top (ttt)
 |
Mary SearchIRC Admin

Joined: 03 May 2003 Posts: 692
Posted: Jan 28, 2008 5:58pm Post subject:

No worries. Some people do think that listing their network will bring attacks. Obviously if you can see a network on SearchIRC (or any other site, for that matter) so can other people - including those who try to do you harm. Not much anyone can do about that except have a completely private, unadvertised IRC network. Like I said, for most networks, Googling your servers will get dozens if not hundreds of results.
The attack you documented was fortunately very mild, and can actually serve as a good learning experience for you and your staff. Keep your opers' sendq limits up high so they don't get flooded off, script your channel bots to mode your channel +im when there's a large influx of users, use BOPM and any feature your service pack has to mitigate bot attacks, and then experience will teach you to laugh at the rest.
 |
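An added example (not part of the original thread, and not any poster's actual bot script): the join-influx check described in the post above, run over join lines in the log format quoted earlier in the thread. The function name, the thresholds and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Join-line shape as it appears in the log quoted in this thread:
# [HH:MM:SS] -!- nick [user@host] has joined #channel
JOIN_RE = re.compile(
    r"^\[(\d\d):(\d\d):(\d\d)\] -!- (\S+) \[([^\]]+)\] has joined (#\S+)$"
)

# Constructed sample input (nicks and hosts are placeholders, not from the thread).
SAMPLE_LOG = """\
[02:24:44] -!- alice [al@host1.example.invalid] has joined #lobby
[02:27:27] -!- QxWvTrz [abc@host2.example.invalid] has joined #lobby
[02:27:28] -!- kLmNoPq [def@host2.example.invalid] has joined #lobby
[02:27:28] -!- ZyXwVut [ghi@host3.example.invalid] has joined #lobby
[02:27:31] < QxWvTrz> spam line
[02:40:02] -!- bob [bob@host4.example.invalid] has joined #lobby
"""

def detect_join_floods(log_text, max_joins=3, window_secs=5):
    """Return one lockdown action per channel whose join rate hits the limit.
    max_joins and window_secs are assumed thresholds; tune them per network.
    Timestamps are time-of-day only, so a log spanning midnight is not handled.
    """
    recent = defaultdict(deque)   # channel -> recent (time, nick, userhost)
    locked = set()                # channels already locked, to avoid repeats
    actions = []
    for line in log_text.splitlines():
        m = JOIN_RE.match(line.strip())
        if not m:
            continue              # chat lines, quits, snips
        h, mi, s, nick, userhost, chan = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)
        q = recent[chan]
        q.append((t, nick, userhost))
        while q and t - q[0][0] > window_secs:
            q.popleft()           # drop joins that fell out of the window
        if len(q) >= max_joins and chan not in locked:
            locked.add(chan)
            actions.append({
                "command": f"MODE {chan} +im",   # invite-only + moderated
                "at": f"{h}:{mi}:{s}",
                "suspects": [(n, uh) for _, n, uh in q],
            })
    return actions

if __name__ == "__main__":
    for action in detect_join_floods(SAMPLE_LOG):
        print(action["at"], action["command"], action["suspects"])
```

The suspects list gives an oper the user@host pairs to review for bans once the channel is locked.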
dacayhero Lurker

Joined: 26 Jan 2008 Posts: 191
Posted: Jan 28, 2008 10:25pm Post subject:

Hmmm, qw keeps coming on my server asking to link to me, though he's never flooded blitzx.net yet. I'll keep my eye on her.
 |
SasukeUchiha Lurker

Joined: 01 Dec 2007 Posts: 114 Location: California
Posted: Jan 28, 2008 11:18pm Post subject:

:O I've seen that before on my friend's serv
 |
mthwgrn none

Joined: 09 Dec 2007 Posts: 28
Posted: Jan 29, 2008 5:54pm Post subject: dacayhero

You are very lucky to not have the bots loaded. It may be because you have a proxy monitor. If you do he can't do it. He's small time. Next time he connects get his IP so you can quickly akill/szline him/her when it starts. Because it will.
 |
dacayhero Lurker

Joined: 26 Jan 2008 Posts: 191
Posted: Jan 29, 2008 10:50pm Post subject:

He was asking about my Ciscos, so who knows.
 |
greg27 Lurker

Joined: 07 Oct 2006 Posts: 136 Location: Australia
Posted: Jan 31, 2008 4:33am Post subject:

If you use UnrealIRCd, a good +f will save your channel from pathetic attack attempts like these. A BOPM using AHBL, EFnet BL, etc. (and the CBL if you're really paranoid, but personally that gets too many false positives for me to justify using) will also filter out a fair bit of the crap. IRC Defender also has a module which is good against these types of floods.
 |
Anarchy Lurker

Joined: 26 Oct 2007 Posts: 137 Location: Cabot Arkansas
Posted: Jan 31, 2008 9:22pm Post subject:

I've seen this attack. These people have no life.
 |
SasukeUchiha Lurker

Joined: 01 Dec 2007 Posts: 114 Location: California
Posted: Feb 01, 2008 8:11am Post subject:

A lot of proxy users have been around Lucidchat lately.
 |
dipset none

Joined: 26 Jan 2008 Posts: 14
Posted: Feb 01, 2008 3:22pm Post subject: fakkeee

Fake, that's not qw.