
UKhappychat
Joined: 08 Mar 2008 Posts: 28
Posted: Mar 22, 2008 9:08am Post subject: Random nicks
Hi, we've started getting random nicks coming on our servers, just sitting in rooms... examples:
T_IFH42154563
A_204JOFJ3
Anyone know what it could be?

Future
Joined: 20 Mar 2008 Posts: 34
Posted: Mar 22, 2008 5:46pm Post subject:
Not sure, but maybe you should try to contact them. Query them; if they don't reply, assume it's a bot and shouldn't be there. /kill it.

greg27 Lurker
Joined: 07 Oct 2006 Posts: 136 Location: Australia
Posted: Mar 22, 2008 6:30pm Post subject:
Never seen anything like that before - did you CTCP VERSION them? No reply = badly coded bot; anything else could either be fake or give some insight.

UKhappychat
Joined: 08 Mar 2008 Posts: 28
Posted: Mar 22, 2008 7:09pm Post subject:
Yep, I did a whois and it kept bringing up random IPs on each nick.. I've kicked/banned about 19 on my servers today :S

katsklaw Guru
Joined: 28 Jun 2004 Posts: 1064
Posted: Mar 22, 2008 9:31pm Post subject:
greg27 wrote:
> Never seen anything like that before - did you CTCP VERSION them? No reply = badly coded bot; anything else could either be fake or give some insight.

No reply can also mean the client has CTCP on ignore, or the client doesn't wish to support CTCP.
CTCP is not controlled by RFC1459, thus it's not required to be supported by the client, let alone turned on and sending replies. So just because a client fails to reply to CTCP, don't assume it's a malicious connection.

greg27 Lurker
Joined: 07 Oct 2006 Posts: 136 Location: Australia
Posted: Mar 23, 2008 1:14am Post subject:
But the vast majority of clients will respond to a CTCP VERSION, and no version + those nicknames most likely = something malicious.

katsklaw Guru
Joined: 28 Jun 2004 Posts: 1064
Posted: Mar 23, 2008 6:00am Post subject:
The nicks alone are more malicious-looking and random than any/no CTCP reply. Considering that a malicious bot can return what appears to be a valid CTCP reply just as easily as an innocent user can return a real reply, it's not possible to use any collected statistics as to what percentage of the returned replies are correct. The vast majority of clients can, and many do, ignore CTCP. A lot of the now-aging mIRC scripts do it for various reasons... including my own. In fact, for most of the last 12 years, CTCP cloaking/hiding has been a feature in a lot of mIRC scripts alone, and many users expect a script to do it. I'm talking numbers of downloads in the hundreds of thousands over the years, not just 100 or 200. That's not counting the abilities of other clients. Since SearchIRC reports the IRC population at between 700k and 1m users, you could be talking about a rather notable percentage.

CTCP VERSION replies are so easily faked by nearly any client, including mIRC, that they're just not reliable anymore, much like the usefulness of identd. You should search Google on "how to hide version reply on irc" (without the quotes) sometime. It's not a phenomenon just on IRC either, and I'd be willing to bet that there are as many, if not more, clients that ignore or modify their CTCP version than there are malicious bots that answer truthfully. CTCP cloaking is and always has been an additional measure of anonymity, just like using a secure proxy or a bouncer like BNC, which has also been used by hundreds of thousands of users. Let's also toss in the fact that there is such a thing as a CTCP flood, and many clients have little or no flood protection, so the only solution for that is to ignore all of it.

The same thing happens to users like myself who use their nick as their ident and GCOS; couple that with the fact that I ignore CTCP, and I get banned by networks that think that just because my GCOS matches my nick I'm a malicious bot. Which is equally as absurd as thinking that a CTCP reply is an indication of client authenticity.

What networks should REALLY do is their damned job and scan the network with their eyes, and not some script that can't possibly tell if a nick is random or not. Hiring staff that has some real experience on large networks doesn't hurt either.

It's the younger generation of IRC admins that have made it so people think that no reply = malicious bot. This same generation is what made it so IRCops expect to be ban-proof, can op themselves in any channel for any reason and have God-like powers on IRC, and made it seem perfectly OK and needed. I've been an admin for most of my 12 years on IRC, and I've been an admin on a 140,000-user network; I've killed tens of thousands of clones every week, dealt with flooders and the same kind of malicious users as you see today, and I can tell you for a fact that such "toys" are not needed when you have the proper experience you should have as an admin, and not some yahoo user that has been on IRC for just a few months and thinks that they can be a NetAdmin. But that's a whole different story.
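As an added example (not code from the thread or from any of its posters), here is the kind of nick-pattern triage katsklaw is arguing against, written the defensible way: it only ranks nicks for a human to look at, it gives no weight at all to CTCP VERSION replies, and it includes a constructed vanity nick, D_LUX2008, to show the false positive he describes. The two flagged nicks are the ones quoted in the thread; the thresholds, the scoring rule and every other nick are assumptions made for this example.

```python
"""Heuristic triage of IRC nicks for manual review.

Added example, not from the forum thread. The two 'random' nicks are the ones
quoted in the thread; every other nick here is constructed for illustration.
Thresholds and the scoring rule are assumptions, not a tested standard.
"""
import math
import re
from collections import Counter

# One letter, an underscore, then a long run of uppercase letters/digits:
# the shape shared by the two nicks reported in the thread.
PREFIX_RUN = re.compile(r"^[A-Za-z]_[A-Z0-9]{6,}$")

# Constructed sample input: the thread's two nicks plus ordinary-looking nicks.
SAMPLE_NICKS = [
    "T_IFH42154563",  # quoted in the thread
    "A_204JOFJ3",     # quoted in the thread
    "katsklaw",       # constructed: a poster's handle used as a nick
    "greg27",         # constructed
    "UKhappychat",    # constructed
    "D_LUX2008",      # constructed: plausible vanity nick that the rules mis-flag
]


def shannon_entropy(text: str) -> float:
    """Bits per character of the nick; higher means less repetitive."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def digit_ratio(text: str) -> float:
    """Fraction of characters that are digits."""
    return sum(ch.isdigit() for ch in text) / len(text) if text else 0.0


def nick_features(nick: str) -> dict:
    """Cheap, explainable features a reviewer can read off the nick itself."""
    return {
        "prefix_run": bool(PREFIX_RUN.match(nick)),
        "digit_ratio": digit_ratio(nick),
        "entropy": shannon_entropy(nick),
        # str.isupper(): no lowercase letters at all (digits and '_' are uncased)
        "shouty": nick.isupper() and len(nick) >= 8,
    }


def suspicion_score(nick: str) -> int:
    """0..4; thresholds are assumptions chosen for this example."""
    f = nick_features(nick)
    score = int(f["prefix_run"])
    score += int(f["digit_ratio"] >= 0.3)
    score += int(f["entropy"] >= 3.0)
    score += int(f["shouty"])
    # Deliberately no term for CTCP VERSION: as the thread argues, a missing
    # or present reply is neither evidence for nor against a bot.
    return score


def triage(nick: str) -> str:
    """Map a score to a queue for a human, never to an automatic ban."""
    s = suspicion_score(nick)
    if s >= 3:
        return "review"
    if s == 2:
        return "watch"
    return "ok"


def triage_all(nicks) -> dict:
    return {nick: triage(nick) for nick in nicks}


if __name__ == "__main__":
    for nick, verdict in triage_all(SAMPLE_NICKS).items():
        print(f"{nick:16} score={suspicion_score(nick)} -> {verdict}")
```

Run as-is, both thread nicks land in the "review" queue, the ordinary nicks come out "ok", and the constructed D_LUX2008 also lands in "review" with a score of 3: exactly the innocent user a nick-only script would have banned, which is why the output is a queue for a person rather than a kill list.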

greg27 Lurker
Joined: 07 Oct 2006 Posts: 136 Location: Australia
Posted: Mar 23, 2008 8:00am Post subject:
katsklaw, relax, all I meant was that if a bot is badly coded by some lazy idiot it is unlikely to reply to CTCP VERSIONs - I didn't mean that any user with no version response should automatically be labeled malicious.

Jobe Idler
Joined: 30 Jul 2006 Posts: 348 Location: Lurking in the shadows of some random channel!
Posted: Mar 23, 2008 8:36am Post subject:
greg27 wrote:
> katsklaw, relax, all I meant was that if a bot is badly coded by some lazy idiot it is unlikely to reply to CTCP VERSIONs - I didn't mean that any user with no version response should automatically be labeled malicious.

katsklaw's point was that no response can't even be used as an indicator of a badly written bot. It can be pretty darn well written and not respond to CTCP VERSION. Take any bot I write in Perl, for example: although none are malicious, there is only one where I went to the effort of even handling a CTCP VERSION request.

UKhappychat
Joined: 08 Mar 2008 Posts: 28
Posted: Mar 23, 2008 11:03am Post subject:
Well, I have proxy scans on and it is still getting past.

katsklaw Guru
Joined: 28 Jun 2004 Posts: 1064
Posted: Mar 23, 2008 12:02pm Post subject:
greg27 wrote:
> katsklaw, relax, all I meant was that if a bot is badly coded by some lazy idiot it is unlikely to reply to CTCP VERSIONs - I didn't mean that any user with no version response should automatically be labeled malicious.

I am relaxed. I did take your statement literally, because "no reply = badly coded bot" is a literal statement. My point is that CTCP replies are too untrustworthy and inaccurate to even consider at all. So my statements are an expression of disagreement with the usage of CTCP to determine authenticity under any scenario.

In my experience, the best way to prevent false positives and still effectively manage the security of the network is to do so manually and not rely on automated processes or any type of information that can be easily faked, such as CTCP replies, GCOS/nick matching, etc... Since nothing is foolproof, it's still possible to ban an innocent user doing things manually too, but I maintain that nothing beats using good old-fashioned brain power.

At any rate, good day, and thank you for not turning this debate into an argument/flame war.

Future
Joined: 20 Mar 2008 Posts: 34
Posted: Apr 21, 2008 10:10am Post subject:
OK, it's someone who has downloaded a .exe and opened it, with it being full of viruses, so they are infected... the botnet owner has made it so it joins your network; the same happened with me.