Annoying pests, anyone ever seen or know what these are?

These are old archives. They are kept for historic purposes only.
rava
Posts: 5
Joined: Mon Feb 28, 2005 3:47 pm


Post by rava » Mon Feb 28, 2005 4:10 pm

Ok, last week I woke up and was just watching the ircd as normal and I noticed something similar to this logging on [color and bold are shown as they are shown in mIRC]:
[2K]-118127 (~Oi@ip68-105-230-184.lu.dl.cox.net => ravetrax-7BA9C5EE.lu.dl.cox.net) (is an IRC Operator) connected to the network (irc.ravetrax.net).
This woke me up a bit and I started looking a bit further into what was going on; during the next few mins I noticed a few more of these logging on. I found 2 locked rooms with about 100 users in each that were new. We have a small network of about 20 rooms or so and an average of about 250 users, so I knew something was up.

Well, I jumped into one of the rooms and saw that these were bots running scans such as this:
4:22am | [NT]-634110 -> on February 28 2005 at 09:16:09 AM Scanning NT: 151.126.0.0-151.126.255.255
4:22am | [NT]-634110 -> on February 28 2005 at 09:16:09 AM Scanning NT: 32.39.0.0-32.39.255.255
4:22am | [NT]-634110 -> on February 28 2005 at 09:16:09 AM Scanning NT: 40.110.0.0-40.110.255.255
4:22am | [NT]-634110 -> on February 28 2005 at 09:16:09 AM Scanning NT: 227.181.0.0-227.181.255.255
4:22am | [NT]-634110 -> on February 28 2005 at 09:16:10 AM Scanning NT: 225.218.0.0-225.218.255.255
4:22am | [NT]-634110 -> on February 28 2005 at 09:16:10 AM Scanning NetBios: 58.73.0.0 to 58.73.255.255
4:25am | [NT]-634110 -> Copying the files and running them on IP: \\
This repeats from each bot about every 30 mins if left in a room; otherwise, if the bot is kicked off the network without a gline or similar, it will return in 30 mins to start scanning again.

Well, I instantly glined the entire bunch and wrote a script to keep them off. But over the last 4 days we have killed over 1500 of these bots attempting to join and start scanning; all have very similar patterns in their nicks and all are attempting to join the same room.

The channel is called "#MANiAC" and all the bots have the following patterns to their names: [XP], [2K], [NT], T3

Has anyone ever seen these or have any idea wtf they are?

Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat » Mon Feb 28, 2005 4:32 pm

Obviously some sort of botnet... looks like infected windows PCs...

If they have this pattern in the nick, it's very easy to /spamfilter them out:

/SPAMFILTER ADD u zline 4d - ^(\[XP\]|\[2K\]|\[NT\])-[0-9]+!.*@.*:is an IRC Operator$

(Adding a zline for four days on any user connecting with a nick starting with [XP], [2K] or [NT], followed by a - and some numbers, and using the real name "is an IRC Operator". I hope I interpreted your login notices correctly and it works...)
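Before loading a spamfilter like the one above, it is worth dry-running the regex against captured connect notices. This is an added example, not code from the thread or from UnrealIRCd; it assumes the notice format quoted in the first post, that the "u" target matches against nick!user@host:realname, and that the "(is an IRC Operator)" field is the real name, as Dukat read it.

```python
import re

# Dukat's spamfilter regex, applied to the string the "u" target is assumed
# to match against: nick!user@host:realname.
BOT_RE = re.compile(r"^(\[XP\]|\[2K\]|\[NT\])-[0-9]+!.*@.*:is an IRC Operator$")

# Parser for the connect notice format quoted in rava's first post; the
# "(is an IRC Operator)" field is treated as the real name.
NOTICE_RE = re.compile(
    r"^(?P<nick>\S+) \((?P<ident>[^@\s]+)@(?P<realhost>\S+) => (?P<cloak>\S+)\) "
    r"\((?P<realname>[^)]*)\) connected to the network"
)


def user_string(notice):
    """Rebuild nick!user@host:realname from one notice, or None if it does not parse."""
    m = NOTICE_RE.match(notice)
    if not m:
        return None
    # The filter sees the cloaked host, so that is what goes into the string.
    return f"{m['nick']}!{m['ident']}@{m['cloak']}:{m['realname']}"


def is_bot_connect(notice):
    """True when the spamfilter regex would fire on this connect notice."""
    s = user_string(notice)
    return s is not None and BOT_RE.search(s) is not None


def triage(notices):
    """Split notices into (would be z:lined, would be allowed) for a dry run."""
    hit, miss = [], []
    for n in notices:
        (hit if is_bot_connect(n) else miss).append(n)
    return hit, miss


# Constructed sample: the first line is the notice quoted in the thread; the
# rest are made up to show what the filter must and must not catch.
SAMPLE_NOTICES = [
    "[2K]-118127 (~Oi@ip68-105-230-184.lu.dl.cox.net => ravetrax-7BA9C5EE.lu.dl.cox.net) "
    "(is an IRC Operator) connected to the network (irc.ravetrax.net).",
    "[NT]-634110 (~Xp@host-a.example.net => ravetrax-11111111.example.net) "
    "(is an IRC Operator) connected to the network (irc.ravetrax.net).",
    # Similar-looking nick with no trailing digits: must NOT match.
    "[XP]-fan (~fan@host-b.example.net => ravetrax-22222222.example.net) "
    "(is an IRC Operator) connected to the network (irc.ravetrax.net).",
    # Ordinary user: must NOT match.
    "rava (~rava@host-c.example.net => ravetrax-33333333.example.net) "
    "(Rava) connected to the network (irc.ravetrax.net).",
]

if __name__ == "__main__":
    blocked, allowed = triage(SAMPLE_NOTICES)
    print(f"{len(blocked)} would be z:lined, {len(allowed)} allowed")
```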

rava
Posts: 5
Joined: Mon Feb 28, 2005 3:47 pm

Post by rava » Mon Feb 28, 2005 5:58 pm

Well I already have them filtered out, but you did understand correctly.

I was just curious if anyone else had seen these or been getting annoyed with them recently, as it started just Friday morning.

White_Magic
Posts: 267
Joined: Tue Jan 18, 2005 3:24 pm
Location: Scotland - United Kingdom

Post by White_Magic » Thu Mar 03, 2005 1:28 am

These are self-scanning, self-infecting bots; they are also purposely joining your network (someone has found your network and is using it to host the bots there; you can tell because the rooms are locked, meaning someone is setting these up on purpose, unless one of your ircops locked the room for users' safety.)

They are DDoS-capable bots, written in C/C++; they are scanning the entire IP range from their infected host... which you see there, basically looking for other ways to infect the user / exploit them.

You can either spamfilter them to keep them off (use GZline, it's best) or you can let them load if you think your servers can hold them, get in touch with the FBI, or you can wait for the bot master to come on and a) ban them or b) watch how he logs in with the password, then when he goes off use the password and force the bots to uninstall; this will stop them coming back. I hope this makes sense.
i spend 4 hrs a day gaming and 14hrs on irc, for 5days a week, im not an addict :D

rava
Posts: 5
Joined: Mon Feb 28, 2005 3:47 pm

Post by rava » Fri Mar 04, 2005 2:10 pm

Yeah, I kinda understood everything except how to stop them...

We have glined them all and have a filter glining them as they log on.

Just not sure how to make them stop; for now it's no big deal.

White_Magic
Posts: 267
Joined: Tue Jan 18, 2005 3:24 pm
Location: Scotland - United Kingdom

Post by White_Magic » Fri Mar 04, 2005 2:13 pm

Use GZline, not Gline:

Gline allows the user to connect before disconnecting them.
GZline doesn't allow the user to connect at all.

Syzop
UnrealIRCd head coder
Posts: 1957
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Fri Mar 04, 2005 8:32 pm

Some people use other ways to get rid of them, they do something like: '/topic #chan .remove' and then kick the bots so they rejoin. This could cause the bots to uninstall themselves completely, BUT:
1. (most important) This can very well be illegal in your country, because now you are giving commands to bots that are running on hacked computers.
2. The command char (dot [.] in this example) might well be different.
3. The remove command could trigger something entirely different because some bot owners rename it or make it do something else; if that happens in combination with 1 and it, for example, suddenly starts an attack on [somesite], then you might well be in trouble :P

So, personally I would just /g(z)line them, I suggest others to do the same :)

rava
Posts: 5
Joined: Mon Feb 28, 2005 3:47 pm

Post by rava » Mon Mar 14, 2005 7:06 pm

They are still coming, 2500 over the last week; we switched the filter to gzline them instead of a straight gline, and there is no timer on these because even a 1 week timer allows them to rejoin, and they do within mins of the gline being removed.

Anyone else experiencing these pests yet?
