Page 1 of 2

nicks made of random letters

Posted: Sun Jan 02, 2005 4:36 am
by Random Nick bots
I'm having a bad problem with thes bots connecting with nick/ident made of random letters. (See below)

[22:21] CONNECTION on port 6667: eGrNxxLu (~qvgljbvvk@ce2-vicone.netspace.net.au)
[22:21] CONNECTION on port 6667: pKKLNoBLf (~xfjmihtmg@216.155.74.28)
[22:21] CONNECTION on port 6667: SLowA (~wknaudtct@200.91.71.18)
[22:21] CONNECTION on port 6667: mCiPTnMAE (~wnrwqhok@216.239.1.4)

I know there are nick spamfilters, but is there a way to make a spamfilter for this randomness?

These bots have no version reply so I can't set a version ban :(

Thanks in advance :)

Posted: Sun Jan 02, 2005 4:38 am
by Syzop
And what do they do (besides connecting)? :p

Posted: Sun Jan 02, 2005 4:40 am
by Corey
No idea why it didn't log me in before. :?

Most of then also join channels that are random letter. THey then part, change nick, join another random channel. SOmetimes I get lucky and they join a constant channel, which I created a scropt to ban them on join... but I'm not always that lucky...

Posted: Sun Jan 02, 2005 4:44 am
by Stealth
Any chance they have a common real name?

Also, find out what messages they send, what channels they join, and some other behaior they might have.

Posted: Sun Jan 02, 2005 4:48 am
by Corey
There's not a lot of other activity.

After a while, they join channels that are not +s/+p and send a PM or notice to users with generic text...

[quite]$nick can you help?
yes?
hi
[/quote]

The real name is more random letters. Here are the common channels that some join.
#ruinbot
#rscheatnet
#SgtBot
#sleepinsleepey
#help
#Serials
#rsmarket

That's pretty much it.

Posted: Sun Jan 02, 2005 5:09 am
by Stealth
Try talking to one after it PM's you, that is a new way of spamming. The bot messages you and waits for a reply, sometimes it will send you generic lamer-like text for a few messages and then send the spam.

More info to try -
Does it respond to CTCP's? try these:
FINGER
PING
VERSION
LAG

Posted: Sun Jan 02, 2005 5:26 am
by Corey
No responce to any CTCPs.

Some have replied to PMs tho. However, others have not.

There was once, one of the random channels, the bot had set the topic to "Ban Tommy to stop spam"

*edit*
There are a lot of bots that registered their nicks... The email address used is generated by a bunch of random letters for user and domain.

Posted: Tue Jan 04, 2005 12:00 am
by Syzop
I've started on a module to ""detect"" these "random nicks", note however that by design this will lead to false positives (and false negatives).. I've unfortunately no idea yet how much (although initial results look good), so.. we'll see... :).

edit: I've finished the module and send it out to the thread-starter and someone else I know that has been affected badly by these bots... As soon as I hear it works fine I'll put it on my site and post a link (new message) here :).

Posted: Tue Jan 04, 2005 8:45 am
by osiris
Syzop wrote:I've started on a module to ""detect"" these "random nicks", note however that by design this will lead to false positives (and false negatives).. I've unfortunately no idea yet how much (although initial results look good), so.. we'll see... :).

edit: I've finished the module and send it out to the thread-starter and someone else I know that has been affected badly by these bots... As soon as I hear it works fine I'll put it on my site and post a link (new message) here :).
We've had problems with these for awhile now on and off. Same "MO" as the above and since having changed domain names for our network they of course died off but are now starting to appear again in dribs and drabs usually 2-4 per overnight but I suspect the number is on the increase.

Posted: Wed Jan 05, 2005 1:22 am
by Syzop
It seems I'm not really getting any feedback from the 2 I sent the module to.. ah well, they might be busy and I tend to be inpatient with these things (hate to waste a day when I might have a good working solution for quite a problem).
Anyway:
If you have this bot problem and would like to test my module, please PM or email me and I'll send it to you.
So please not persons that 'just want to look at it', although it's no secret (and in fact GPL'd) I would like it to be non-public until it has been properly tested (within a few days I hope? ;p).

Posted: Wed Jan 05, 2005 1:49 am
by Corey
Gah. Sorry about that. I've been so busy today. Been out running errands through most of it. I sent my reply tho :D

Posted: Thu Jan 06, 2005 2:43 am
by McTerry
Thats a bot you can find here --> http://www.poonscape.com/downloads/

Thats the closest info I can find about this shitty bot.

I'm not sure what it actually does. But it looks like it's a fighting bot.
You can fight against it or play games.
There seems to be more of those bots out there. After reading the forums you can atleast find four or more bots that have the same function.

I downloaded SBoT201.zip and saw that there is two *.bat files.
One is called run.bat and the second train.bat.
There is also one *.txt file with no info in it. :x It just says continuer
Then two folders. One called Data and the other one called Scripts.

Data folder contains *.jag and *.mem files. (Have no clues about what they do.

Scripts folder contains another *.bat file called compile.bat

The only info I can find about this bot mentioned above is found here.
http://www.rscheatnet.com/forums/index. ... topic=1696

There is probably more information to look for but I'm way to lazy and not even intrested in knowing more.

================================
Also. There is a bot called Ruinbot. Found it's own thread in same forum.
http://www.rscheatnet.com/forums/index. ... wtopic=265

Posted: Thu Jan 06, 2005 4:27 pm
by Syzop
I've released my AntiRandom module to the public now.

Got a few results from 2 sources: on one it killed 5 out of 7 random looking bots and 0 innocent users, on another it killed 1 "bad user" and 0 innocent [no bots at that time]). So the initial results don't look too bad :).

[correct.. no windows version on my page, and no nice set:: configurable stuff but in the source..]

Posted: Thu Jan 06, 2005 8:41 pm
by Stealth
Do you have an estimate on when this module will be available on windows?

Currently when I try to compile it for windows, I get 3 unresolved external symbols.

Posted: Thu Jan 06, 2005 8:41 pm
by McTerry
I guess this module would be great. :D
Nice job on it Syzop.