weird bots

greg27 · Lurker Joined: 07 Oct 2006 Posts: 179 Location: Australia

has anyone seen these bots before?

—› sandra_f was "35 F" (sandra_f@*.rev.numericable.fr)
—› sandra_f used scruffy.centralchat.net (Sun Jul 6 20:41:44 2008)

—› camgirl25 was "30 F" (camgirl25@*.rev.numericable.fr)
—› camgirl25 used scruffy.centralchat.net (Sun Jul 6 21:53:31 2008)

they join seemingly random channels, usually ones with a higher usercount, do nothing for a few minutes, then quit. version reply is the same as the real name and they always connect from a french host.

i have seen these on a few different networks - does anyone know what they do?

SATAN-HHH · Eleet Joined: 29 Nov 2003 Posts: 860 Location: Texas

From what I gather they're either a spam or harvest bot. Either way, I always ban those clients when I see them on any network I'm staff on.

I know that isn't very informational, but hopefully someone else can shed further light as to the exact nature of those clients for you.

ct7331 · none Joined: 05 Mar 2008 Posts: 14

Yeah I've seen those idling, i just gline them. They have the same version reply and name. Definately a bot but not sure what it does!

Leet · Newbie Joined: 26 Jun 2008 Posts: 78 Location: New York

Yeah There on my network too but they never send out messages. An i dont think its a bot because the one actually talked unless it was timed hold on.

* cybergirl (cybergirl@bLiTzX-USER-3C1E8EF9.w90-25.abo.wanadoo.fr) has joined #racrew
<cybergirl> Dead
<cybergirl> ...
* cybergirl (cybergirl@bLiTzX-USER-3C1E8EF9.w90-25.abo.wanadoo.fr) Quit (Quit: )

Not Sure What They Are.

zeke · Idler Joined: 04 Oct 2003 Posts: 325

The numericable address is definitely a bot - i noticed randomly spaced connections to the network, it would join channels, stay 2 minutes and around 10-15seconds, and quit again. The "Realname" was always a variation of "35 F" (eg, 30 F, 25 F, etc), and there were abnormal CTCP replies. I don't have the log of when I did this before banning *@212-198-248-33.rev.numericable.fr, but I'll try and remember to edit/re-post later when I get home.

Placing a G-line on the above address has solved the problem...

theEd · Newbie Joined: 15 Mar 2004 Posts: 75 Location: New Zealand

It talks! Kinda...

I PMed it, just for kicks...

Willaim · Lurker Joined: 27 Jun 2003 Posts: 242 Location: IRC

I'm getting them on my net now.. fun fun.

greg27 · Lurker Joined: 07 Oct 2006 Posts: 179 Location: Australia

yeh they've been connecting to mine for almost a year now, but in the last week they have been connecting more frequently and from a wider variety of hosts.

callisto · none Joined: 30 Dec 2006 Posts: 38

Same here but they are all taken care of.

NightShroud · none Joined: 18 Sep 2006 Posts: 15

I'm getting those bots on my network as well they all have a french connection.I just Gline them i am not sure what they do or anything i am totally dumb founded.They dont say anything nothing.If anyone has a clue what they do let me know

maddog906 · Lurker Joined: 08 Mar 2005 Posts: 132 Location: uk

many ways of skinning a cat,
use spamfilter,defender,and version kill(if you use unrealircd)
spamfilter and defender: regexp_akill add jennyf!jennyf@* dronebotz
version kill :
ban version {
mask "20*F*";
reason "SomeLameScript contains backdoors";
action zline;
};
the list is endless

theEd · Newbie Joined: 15 Mar 2004 Posts: 75 Location: New Zealand

maddog906, the user/nick, realname and ctcp replies change. The best way to handle it would be to just let your opers know to keep an eye out for them - they're always connecting from .fr hosts, they join a bunch of populated channels, say nothing, and leave after exactly 2 minutes - not too hard to spot.

Jobe · Posted: Jul 09, 2008 6:48am Post subject:

maddog906 · Lurker Joined: 08 Mar 2005 Posts: 132 Location: uk

take your pick ,use antirandom,
here some ideas,
spamfilter {
regex "http://.+\.geocities\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
target { private; quit; };
action block;
reason "Infected by sexbotz worm";
};

spamfilter {
regex "^http://www\.geocities\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]<- .*!";
target private;
reason "Infected by sexbot worm";
action block;
};

spamfilter {
regex "![a-z][0-9]{4}@[^:]+:[a-z]{9}";
target private;
action gline;
reason "Infected by Spam-Sex-Botz";
};

spamfilter {
regex "!~?[a-z][0-9]{2,4}@[^:]+:[a-z]{9}";
target private;
action gline;
reason "Infected by Spam-Sex-Botz";
};

spamfilter {
regex "!~?[a-z][0-9]{1,4}@[^:]+:[a-z]{9}";
target private;
action gline;
reason "Infected by Spam-Sex-Botz";
};

spamfilter {
regex "^([A-Z][a-z]{4,9})[0-9]{0,6}!\1[0-9]{2,6}@.*:\1[0-9]{1,6}$";
target private;
action gline;
reason "Infected by Spam-Sex-Botz";
};

spamfilter {
regex "Come watch me on my webcam";
target { private; channel; };
action gline;
reason "You are infected, please go to www.antivirus.xx/blah/virus=GrrTrojan";
ban-time 6h;
};

spamfilter {
regex "come to irc\..+\..+";
target { private; channel; };
action gline;
reason "No spamming allowed";
};
they use 20f to 29 f and then 30f to 39f etc etc,
i am sure i don't have to spell it out.
ban version {
mask "1****";
reason "SomeLameScript contains backdoors";
action zline;
};

ban version {
mask "2****";
reason "SomeLameScript contains backdoors";
action zline;
};

Willaim · Lurker Joined: 27 Jun 2003 Posts: 242 Location: IRC

Anyone have a list of names they use? or do they keep generating new ones?

I have a spamfilter setup for the geocities one.. (The "watch me on my webcam" is built into UnrealIRCD upon install).

F cpnNPqt kill 0 1754279 86400 Spamming_is_prohibited_on_the_WikkedWire_IRC_Network William!~William@WikkedWire.com Hello. Check this url if you want to seemywebcam! http://www\.geocities\.com/katieu[0-9]{2,4}

F cpNq gzline 0 555722 432000 Webcam_spam_is_prohibited._Fix_your_computer! William!~William@netadmin.wikkedwire.com .* you want to .* http://www\.geocities\.com/[a-z]{3,10}[0-9]{2,4}

Don't know if that helps at all...