Home | Networks | Community | Need Help? 

 
 Quick search

 
 
 RegisterRegister   Log inLog in 

Some annoying bots
Goto page 1, 2, 3, 4, 5, 6, 7, 8  Next
 
Post new topic   Reply to topic    SearchIRC Forum Index -> IRC Abuse
Author Message
Michael
none
none


Joined: 18 May 2003
Posts: 48

PostPosted: Nov 10, 2003 7:52pm    Post subject: Some annoying bots Reply with quote

Anybody else getting these bots? They nearly always have a "\" as part of their nick, and the nicks are random characters. The bots join public channels and PM people with a link to a website supposedly with a "webcam."

The bots keep changing nicks to not be tracked, and sometimes try to register the first nick they come on as. Also, the hostmask seems to always be different.

They're not causing too much harm, but are annoying.
Back to top
SiD
Newbie
Newbie


Joined: 23 Jun 2003
Posts: 60
Location: Australia

PostPosted: Nov 10, 2003 8:07pm    Post subject: Reply with quote

Hi Michael, We've been getting them as well and they have been successfully registering their nick(s) on our net.

Code:

-NickServ- Apn]}{Qd{f is qPgtmzlZJ
-NickServ- Last seen address: QBh@[..].nas14.milwaukee1.wi.us.da.qwest.net
 -NickServ-   Time registered: Nov 09 21:27:33 2003 GMT
-NickServ-    Last seen time: Nov 09 21:32:42 2003 GMT
-NickServ-    E-mail address: xAIoAFqGE@hotmail.com
-NickServ-           Options: Security


At this time they're a moderate anoyance.
Back to top
tiko
none
none


Joined: 24 Sep 2003
Posts: 49

PostPosted: Nov 11, 2003 1:15am    Post subject: Reply with quote

We've been getting these bots on irc.7sinz.net as well. I have found that they do not have a CTCP VERSION reply, and kill them accordingly.
Back to top
tiko
none
none


Joined: 24 Sep 2003
Posts: 49

PostPosted: Nov 11, 2003 4:38am    Post subject: [b]Attention[/b]: Reply with quote

Quote:
They're not causing too much harm, but are annoying.


Actually folks, they do cause harm, and quite a bit of it. I've managed to get my hands on the bot itself, and take it apart. It uses windows media player to run a loader of sorts, that in turn installs a mIRC script.

This mIRC script is then used as the HTTP daemon, the bot itself, and a BNC that connects to undernet, dalnet, and plasa.com. This is where the harm comes in. It turns your computer into a bouncer for anyone that happens across one of the channels on Undernet.

As a matter of fact, this particular bot has a list of each and every server listed here on searchirc.org, probably the Authors source. My network, 7sinzNet, is on the top of the list, and I see 15 to 20 of these things daily.

The loader creates a batch file, which contains the mIRC script and install routines for the script and a registry key to:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
The script itself, and the executable are installed into your mIRC\sounds folder.

It is not vulnerable in such a manner that it allows an attacker access to your computer, it only creates a bouncer.

As a final note, the bots nickname will ALWAYS contain one or more of these characters: [ \ ] ^ _ ` { | } and the nicklength will ALWAYS be between 3 and 10 characters.

Just my two cents.
Back to top
skerg
none
none


Joined: 14 Jul 2003
Posts: 5

PostPosted: Nov 11, 2003 9:21pm    Post subject: Reply with quote

glad to see others are having the same problem (well not glad, but good to know im not the only one being spammed), i first saw these bots a few months ago, i klined a few and they died off, but during the last week ive seen 15-20 a day (as someone said on here). and i cant find a easy way to stop them from coming back. anyone got ideas besides banning each?
Back to top
Jason
SearchIRC Developer
SearchIRC Developer


Joined: 03 May 2003
Posts: 1485
Location: Tampa, FL

PostPosted: Nov 11, 2003 9:28pm    Post subject: Reply with quote

tiko, If you can email me the server list out of the robot, I can pretty quickly determin if that robot got it's list from SearchIRC.
Back to top
tiko
none
none


Joined: 24 Sep 2003
Posts: 49

PostPosted: Nov 11, 2003 10:38pm    Post subject: Reply with quote

Jason, sent.
Back to top
Jason
SearchIRC Developer
SearchIRC Developer


Joined: 03 May 2003
Posts: 1485
Location: Tampa, FL

PostPosted: Nov 11, 2003 11:40pm    Post subject: Reply with quote

While not as conclusive as I'd have liked (e.g; I was hoping networks would be named, so I could simply find some that aren't listed in SearchIRC or something of that nature), I was able to find several servers in that list that the searchirc robots have never seen (cached motds and /links).

But basically all that means is... at the very least, the list did not come directly from SearchIRC.

Speaking of which, you'll note the site layout for SearchIRC doesn't make it that easy to glean a list of servers.
Back to top
tiko
none
none


Joined: 24 Sep 2003
Posts: 49

PostPosted: Nov 12, 2003 2:54am    Post subject: Reply with quote

Jason,

I just happened to think of ifirc.com, and guess what, the first 790 or so of those servers come directly from their server listing.. Should've guessed.

Sorry for the misunderstanding, it was merely an oversight on my behalf. If anyone is interested in working to prevent these things, please contact me.
Back to top
JB*
none
none


Joined: 12 Nov 2003
Posts: 1

PostPosted: Nov 12, 2003 7:42pm    Post subject: Reply with quote

I can say with certainty that these bots have infiltrated the Moua7 servers of the FSZ.

We have only been here about 3 weeks, if even, and are also listed only here.
Back to top
Mary
SearchIRC Admin
SearchIRC Admin


Joined: 03 May 2003
Posts: 696

PostPosted: Nov 12, 2003 8:44pm    Post subject: Reply with quote

JB, a good way to check and see where your servers are advertised is to check Google.

http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=moua7

That shows a server list for Moua7 available from several sources, and indeed, there are several IRC sites that either provide servers.ini files, or list their information in a way that could easily be copied over to a bot.

A network's server list is very handy for the individual user, but showing a full server list for all networks is almost guaranteed to be used for abuse. Jason uses several measures to make gathering such data from SearchIRC very, very, difficult and time consuming. Because of the amount of effort required, it is highly unlikely our data will be found in malicious bots.

But never say never... if anyone should ever succeed, then we definitely want to see it -- so that hole can be closed.


Last edited by Mary on Nov 12, 2003 9:03pm; edited 1 time in total
Back to top
Mary
SearchIRC Admin
SearchIRC Admin


Joined: 03 May 2003
Posts: 696

PostPosted: Nov 12, 2003 9:01pm    Post subject: Reply with quote

Quote:
I just happened to think of ifirc.com, and guess what, the first 790 or so of those servers come directly from their server listing.. Should've guessed.


servers.ini

Much easier to plop a servers.ini into a bot, than sit down and click click click through SearchIRC's 1200+ networks to get to each network's server list and then copy it over to a script.
Back to top
Orare
none
none


Joined: 12 May 2003
Posts: 17

PostPosted: Nov 12, 2003 9:01pm    Post subject: Reply with quote

We are getting these bots also on Knightirc. There is a pattern to them, and we are successfully akilling them based on it.

They always have oddly formatted nicks.
They join the network and send the register command.
They immediately change nicks at least once sometimes twice.
They then join channels and leave.
They send the webcam PM to all non ops and non +V users.


I've also seen a significant network list that it's supposedly working from.. there are a tremendous amount of nets being targeted.
Back to top
ed
SearchIRC Staff
SearchIRC Staff


Joined: 25 May 2003
Posts: 366
Location: Baton Rouge, LA

PostPosted: Nov 12, 2003 9:32pm    Post subject: Reply with quote

Stick a bot in your major rooms as a normal (non-voice'd, non-op'ed) user, and /kill anyone who automatically send the bot a URL. Wink

It would be an easy job for a mIRC script, and just as easy with an eggdrop.
Back to top
Orare
none
none


Joined: 12 May 2003
Posts: 17

PostPosted: Nov 12, 2003 9:50pm    Post subject: Reply with quote

Smile
Back to top
Display posts from previous:   
Post new topic   Reply to topic    SearchIRC Forum Index -> IRC Abuse All times are GMT - 6 Hours
Goto page 1, 2, 3, 4, 5, 6, 7, 8  Next
Page 1 of 8

 
 
Forum powered by phpBB
 
 © 2000 - 2008 EverythingIRC, Inc. All rights reserved. Please read our disclaimer