strange bot nicks

Posted: Sat Oct 22, 2005 1:54 am
by cl0ud
[13:30] * Joins: termination (~[email protected])
[13:30] * Joins: compassions (~[email protected])
[13:30] * Joins: recitals (~[email protected])
[13:30] * Joins: parapets (~[email protected])
[13:30] * Joins: mastiff (~[email protected])
[13:30] * Joins: feminin (~[email protected])
[13:30] * Joins: collation (~[email protected])
[13:30] * Joins: soonchai (~[email protected])
[13:30] * Joins: mensuration (~[email protected])
[13:30] * Joins: execreation (~[email protected])

Here is /whois from some of them.

| mastiff (~[email protected])
| name : stupefaction
mastiff is using modes +irx
mastiff is a registered nick
| chan : #channel
| serv : irc.server.com
| idle : 1hr 58mins 45secs (signed on Fri Oct 21 18:21:16 2005)

| retroversio (~[email protected])
| name : souvenirs
retroversio is using modes +irx
retroversio is a registered nick
| chan : #channel
| serv : irc.server.com
| idle : 40mins 55secs (signed on Sat Oct 22 08:08:53 2005)

And they replied to the CTCP VERSION request.

* CTCP VERSION reply from compassions: mIRC v6.14 Khaled Mardam-Bey
* CTCP VERSION reply from retroversio: mIRC v6.14 Khaled Mardam-Bey

------
Does anyone know what kind of bots they are? Their nicks pretty much look like dictionary words. I haven't seen floodbots that reply to CTCP requests yet. :roll:

Posted: Sat Oct 22, 2005 5:17 am
by Stealth
Here is a tip: G:Line one of them. All those IPs are the same, so g:lining 1 will take care of all of them.

EDIT: Also, add an allow block that looks like this to the conf:

allow {
  ip unknown@*;
  hostname unknown@*;
  class clients;
  maxperip 2;
};

This allow block should be the LAST allow block in the conf to work. The 'unknown' part applies to anyone without an Identd reply, and the maxperip setting is set to 2; this will stop most clones, as clones (usually) don't have an Identd response.

I am willing to bet these are nothing but some script kiddie wanting to generate a flood, but who is also too dumb to use any proxies at the same time.
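
As an added example (not code from any poster in this thread), the following log-triage sketch applies the same idea as the `maxperip 2` allow block to a channel log: it counts ident-less joins (username starting with `~`) per host and flags hosts that exceed the limit within a short window. The function names, the two-minute window and the sample log lines are assumptions constructed for illustration; the line format follows the join lines quoted in the first post.

```python
import re
from collections import defaultdict

# Constructed sample in the join-line format quoted in the thread;
# nicks and addresses are made up (documentation IP ranges).
SAMPLE_LOG = """\
[13:30] * Joins: alpha (~abc@192.0.2.10)
[13:30] * Joins: bravo (~def@192.0.2.10)
[13:30] * Joins: charlie (~ghi@192.0.2.10)
[13:31] * Joins: delta (jane@192.0.2.10)
[13:31] * Joins: echo (~bob@198.51.100.7)
[13:45] * Joins: foxtrot (~jkl@192.0.2.10)
"""

JOIN_RE = re.compile(
    r"^\[(\d{2}):(\d{2})\] \* Joins: (\S+) \(([^@\s]+)@([^)\s]+)\)$")

def parse_joins(log):
    """Yield (minute_of_day, nick, user, host) for every join line."""
    for line in log.splitlines():
        m = JOIN_RE.match(line.strip())
        if m:
            hh, mm, nick, user, host = m.groups()
            yield int(hh) * 60 + int(mm), nick, user, host

def find_clone_bursts(log, max_per_host=2, window_min=2):
    """Map host -> nicks where more than max_per_host ident-less clients
    joined from that host within window_min minutes (largest burst kept)."""
    by_host = defaultdict(list)
    for minute, nick, user, host in parse_joins(log):
        if user.startswith("~"):      # "~" marks a missing identd reply
            by_host[host].append((minute, nick))
    flagged = {}
    for host, joins in by_host.items():
        joins.sort(key=lambda j: j[0])   # stable: keeps log order per minute
        start = 0
        for end in range(len(joins)):
            while joins[end][0] - joins[start][0] > window_min:
                start += 1
            burst = [nick for _, nick in joins[start:end + 1]]
            if len(burst) > max_per_host and len(burst) > len(flagged.get(host, [])):
                flagged[host] = burst
    return flagged

if __name__ == "__main__":
    for host, nicks in find_clone_bursts(SAMPLE_LOG).items():
        print(f"{host}: {len(nicks)} ident-less joins: {', '.join(nicks)}")
```

A client with a real ident reply (`delta` in the sample) is not counted, which matches how the allow block only limits `unknown@*` connections.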

Posted: Sat Oct 22, 2005 5:29 am
by cl0ud
Thanks, Stealth, for your reply. And I'm sorry that I forgot to mention that the IP is kinda crowded. Many users from that ISP. :(

Posted: Sat Oct 22, 2005 6:05 am
by Stealth
The ISP won't matter if you just ban 1 IP. Ban it for a day, and re-ban it when they come back. On my network, when I have an abusive ISP, I gline ~*@*.some.isp.com with the reason "Due to abusive connections, Identd is requiered for this ISP." The ~ of course is there when there is no Identd response, making Identd required to connect.

Posted: Sat Oct 22, 2005 11:22 am
by w00t
Although with the advent of mIRC and other clients that enable you to fake ident, this isn't so useful.

Posted: Sat Oct 22, 2005 1:21 pm
by Jason
Unless most of the abuse is by drones.

EDIT: Also, this 'unknown@*' feature appears to be undocumented. Perhaps that should be corrected.

Posted: Mon Oct 24, 2005 3:08 pm
by cl0ud
Thanks for the suggestions. Unfortunately, our servers are identd-disabled for all clients. Seems like we have to config. :?