nicks made of random letters

These are old archives. They are kept for historic purposes only.
Random Nick bots

Post by Random Nick bots » Sun Jan 02, 2005 4:36 am

I'm having a bad problem with these bots connecting with nick/ident made of random letters. (See below)

[22:21] CONNECTION on port 6667: eGrNxxLu (~qvgljbvvk@ce2-vicone.netspace.net.au)
[22:21] CONNECTION on port 6667: pKKLNoBLf (~xfjmihtmg@216.155.74.28)
[22:21] CONNECTION on port 6667: SLowA (~wknaudtct@200.91.71.18)
[22:21] CONNECTION on port 6667: mCiPTnMAE (~wnrwqhok@216.239.1.4)

I know there are nick spamfilters, but is there a way to make a spamfilter for this randomness?

These bots have no version reply so I can't set a version ban :(

Thanks in advance :)

Syzop
UnrealIRCd head coder
Posts: 1957
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Sun Jan 02, 2005 4:38 am

And what do they do (besides connecting)? :p

Corey
Posts: 4
Joined: Sun Jan 02, 2005 4:30 am

Post by Corey » Sun Jan 02, 2005 4:40 am

No idea why it didn't log me in before. :?

Most of them also join channels that are random letters. They then part, change nick, join another random channel. Sometimes I get lucky and they join a constant channel, which I created a script to ban them on join... but I'm not always that lucky...

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth » Sun Jan 02, 2005 4:44 am

Any chance they have a common real name?

Also, find out what messages they send, what channels they join, and some other behavior they might have.

Corey
Posts: 4
Joined: Sun Jan 02, 2005 4:30 am

Post by Corey » Sun Jan 02, 2005 4:48 am

There's not a lot of other activity.

After a while, they join channels that are not +s/+p and send a PM or notice to users with generic text...

[quote]
$nick can you help?
yes?
hi
[/quote]

The real name is more random letters. Here are the common channels that some join.
#ruinbot
#rscheatnet
#SgtBot
#sleepinsleepey
#help
#Serials
#rsmarket

That's pretty much it.

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth » Sun Jan 02, 2005 5:09 am

Try talking to one after it PM's you, that is a new way of spamming. The bot messages you and waits for a reply, sometimes it will send you generic lamer-like text for a few messages and then send the spam.

More info to try -
Does it respond to CTCPs? Try these:
FINGER
PING
VERSION
LAG

Corey
Posts: 4
Joined: Sun Jan 02, 2005 4:30 am

Post by Corey » Sun Jan 02, 2005 5:26 am

No response to any CTCPs.

Some have replied to PMs tho. However, others have not.

There was once, one of the random channels, the bot had set the topic to "Ban Tommy to stop spam"

*edit*
There are a lot of bots that registered their nicks... The email address used is generated by a bunch of random letters for user and domain.

Syzop
UnrealIRCd head coder
Posts: 1957
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Tue Jan 04, 2005 12:00 am

I've started on a module to ""detect"" these "random nicks", note however that by design this will lead to false positives (and false negatives).. I've unfortunately no idea yet how much (although initial results look good), so.. we'll see... :).

edit: I've finished the module and sent it out to the thread-starter and someone else I know that has been affected badly by these bots... As soon as I hear it works fine I'll put it on my site and post a link (new message) here :).
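A minimal sketch of the kind of randomness heuristic discussed above, run over the connection notices from the first post. It is an added example, not part of the thread and not the AntiRandom module's algorithm (which the thread does not describe); the scoring weights, `THRESHOLD`, and the two constructed notices are assumptions. It shows both failure modes mentioned above: one of the quoted bots scores too low to be flagged, and a constructed vowel-less nick is flagged.

```python
import re

# Notice format quoted in the first post of the thread.
CONNECT_RE = re.compile(r"CONNECTION on port \d+: (\S+) \(~?([^@\s]+)@(\S+)\)")
VOWELS = set("aeiouy")
THRESHOLD = 5  # assumed cut-off; lower catches more bots and more real users

def randomness_score(name):
    """Score one nick or ident; higher means less like a pronounceable word."""
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return 0
    longest = run = vowels = 0
    for c in letters:
        if c.lower() in VOWELS:
            vowels += 1
            run = 0
        else:
            run += 1
            longest = max(longest, run)
    # lower->upper flips inside the name, e.g. "eGrNxxLu" has three
    humps = sum(a.islower() and b.isupper() for a, b in zip(letters, letters[1:]))
    score = max(0, longest - 3)                        # long consonant runs
    score += 2 if vowels / len(letters) < 0.2 else 0   # almost no vowels
    score += 2 if humps >= 2 else 0                    # erratic capitalisation
    return score

def classify(line):
    """Return (nick, total score, flagged) for a notice, or None if no match."""
    m = CONNECT_RE.search(line)
    if not m:
        return None
    nick, ident, _host = m.groups()
    total = randomness_score(nick) + randomness_score(ident)
    return nick, total, total >= THRESHOLD

# First four notices are from the thread; the last two are constructed.
SAMPLE = """\
[22:21] CONNECTION on port 6667: eGrNxxLu (~qvgljbvvk@ce2-vicone.netspace.net.au)
[22:21] CONNECTION on port 6667: pKKLNoBLf (~xfjmihtmg@216.155.74.28)
[22:21] CONNECTION on port 6667: SLowA (~wknaudtct@200.91.71.18)
[22:21] CONNECTION on port 6667: mCiPTnMAE (~wnrwqhok@216.239.1.4)
[22:25] CONNECTION on port 6667: Corey (~corey@host1.example.net)
[22:26] CONNECTION on port 6667: HTMLPrgrmr (~htmlprgrmr@192.0.2.10)
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(classify(line))
```
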

osiris
Posts: 5
Joined: Mon Nov 01, 2004 11:08 pm
Location: Melbourne, Australia

Post by osiris » Tue Jan 04, 2005 8:45 am

Syzop wrote: I've started on a module to ""detect"" these "random nicks", note however that by design this will lead to false positives (and false negatives).. I've unfortunately no idea yet how much (although initial results look good), so.. we'll see... :).

edit: I've finished the module and sent it out to the thread-starter and someone else I know that has been affected badly by these bots... As soon as I hear it works fine I'll put it on my site and post a link (new message) here :).

We've had problems with these for awhile now on and off. Same "MO" as the above and since having changed domain names for our network they of course died off but are now starting to appear again in dribs and drabs usually 2-4 per overnight but I suspect the number is on the increase.

That is not dead which can eternal lie, yet with strange eons, even death, may die.

H.P. Lovecraft

Syzop
UnrealIRCd head coder
Posts: 1957
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Wed Jan 05, 2005 1:22 am

It seems I'm not really getting any feedback from the 2 I sent the module to.. ah well, they might be busy and I tend to be impatient with these things (hate to waste a day when I might have a good working solution for quite a problem).
Anyway:
If you have this bot problem and would like to test my module, please PM or email me and I'll send it to you.
So please, no persons that 'just want to look at it'; although it's no secret (and in fact GPL'd) I would like it to be non-public until it has been properly tested (within a few days I hope? ;p).

Corey
Posts: 4
Joined: Sun Jan 02, 2005 4:30 am

Post by Corey » Wed Jan 05, 2005 1:49 am

Gah. Sorry about that. I've been so busy today. Been out running errands through most of it. I sent my reply tho :D

McTerry
Posts: 64
Joined: Tue Oct 19, 2004 12:42 am
Location: *.se

Post by McTerry » Thu Jan 06, 2005 2:43 am

That's a bot you can find here --> http://www.poonscape.com/downloads/

That's the closest info I can find about this shitty bot.

I'm not sure what it actually does. But it looks like it's a fighting bot.
You can fight against it or play games.
There seem to be more of those bots out there. After reading the forums you can at least find four or more bots that have the same function.

I downloaded SBoT201.zip and saw that there are two *.bat files.
One is called run.bat and the second train.bat.
There is also one *.txt file with no info in it. :x It just says continuer
Then two folders. One called Data and the other one called Scripts.

Data folder contains *.jag and *.mem files. (Have no clues about what they do.)

Scripts folder contains another *.bat file called compile.bat

The only info I can find about this bot mentioned above is found here.
http://www.rscheatnet.com/forums/index. ... topic=1696

There is probably more information to look for but I'm way too lazy and not even interested in knowing more.

================================
Also. There is a bot called Ruinbot. Found its own thread in same forum.
http://www.rscheatnet.com/forums/index. ... wtopic=265
BOOM!

Syzop
UnrealIRCd head coder
Posts: 1957
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Thu Jan 06, 2005 4:27 pm

I've released my AntiRandom module to the public now.

Got a few results from 2 sources: on one it killed 5 out of 7 random looking bots and 0 innocent users, on another it killed 1 "bad user" and 0 innocent [no bots at that time]. So the initial results don't look too bad :).

[correct.. no windows version on my page, and no nice set:: configurable stuff but in the source..]

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth » Thu Jan 06, 2005 8:41 pm

Do you have an estimate on when this module will be available on windows?

Currently when I try to compile it for windows, I get 3 unresolved external symbols.

McTerry
Posts: 64
Joined: Tue Oct 19, 2004 12:42 am
Location: *.se

Post by McTerry » Thu Jan 06, 2005 8:41 pm

I guess this module would be great. :D
Nice job on it Syzop.
BOOM!
