New kind of Spammer

These are old archives. They are kept for historic purposes only.
mexx3k
Posts: 17
Joined: Sun Apr 10, 2005 8:54 pm
Location: Chaoz-IRC

Post by mexx3k » Fri Nov 04, 2005 12:11 am

Hi all,


this morning (03:00 time in Germany) a user connected to our network ... he started making trouble and got quit by a netadmin ... after that (05:00 am) he connected again ... and started his "battlescript" (kinda) ...

he picked a nickname out of our chans / userlist of the network / ...

beforehand, he registered his "evil" nick (including email-confirmation from anope!!!) ...

then made the following steps (he picked out mexx3000):

============
join #mexx3000.1
cs register #mexx3000.1 password mexx3000 sein neuer chatraum
cs set #mexx3000.1 founder mexx3000
part #mexx3000.1
============

this goes for the chans 1 to 20 ... after denying "*.1" to "*.20" 2hr ago, he switched to "101" till "120" ...

after the register, he sent a memo to the user ...

-MemoServ- Memo 7 from Clane (Nov 03 03:38:29 2005 CET). To delete, type: /msg MemoServ DEL 7
-MemoServ- viele viele channel für dich mein schatz. bitte joine mal #mexx3000.1 und #mexx3000.2 und so weiter. davon gibt es 20 und nur für dich

OPSB and BOPM didn't recognize the ips (Korea, Argentina, Italy), at least not all ...

i didn't use getpass on the evil nick or on the chan yet ...


so, the problem is:

how to stop those scripts?

it has to be a script because the intervals between register and set founder are always the same ...


antirandom doesn't work ... the nicks are unusual, but common ... "party", "zeev", "Clane", "baben"...

version reply? normal mirc 6.16 ...


we haven't got enough irc-ops to cover surveillance 24/7 ... and scripts for bots are not yet written ...


one solution could be to check the amount of new chan-regs by each ip ... and gzline (to minimize serverload) e.g. all ips which register more than 2 chans in 5 minutes ... either with an eggdrop, parsing the debugmsgs from anope ... or writing a module which does the same ...

first solution would be to deny all chans with this regexp:

#\.([0-9].+)

but unreal supports only wildcards in the deny chan-directive ...


i'm kinda frightened ... this user was alone, but he got quite an amount of chans ... (yes, my other cops were not paying attention) ... but imagine, 500 users join your net, and get this on ... services are gonna be full ... and you can't ban all of them ...


greetings from Germany,

mexx


p.s.: i'll post the same also at searchirc, anope-support ... perhaps they know how to deal with it ...
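
The per-IP rate check proposed in the post above (more than 2 channel registrations in 5 minutes), as an added example that is not part of the original thread. The log line format and the sample entries are constructed assumptions, not Anope's actual debug output; the regular expression has to be adapted to the real lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in an ASSUMED log format (timestamp, command, channel,
# nick, IP). This is not Anope's real debug output; adapt LINE_RE to it.
SAMPLE_LOG = """\
2005-11-03 05:00:00 REGISTER #mexx3000.1 Clane 203.0.113.7
2005-11-03 05:00:20 REGISTER #mexx3000.2 Clane 203.0.113.7
2005-11-03 05:00:40 REGISTER #mexx3000.3 Clane 203.0.113.7
2005-11-03 05:01:00 REGISTER #mexx3000.4 Clane 203.0.113.7
services restarted (line that is not a registration)
2005-11-03 05:02:00 REGISTER #help party 198.51.100.9
2005-11-03 05:30:00 REGISTER #quiz party 198.51.100.9
2005-11-03 05:50:00 REGISTER #radio party 198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) REGISTER "
                     r"(?P<chan>#\S+) (?P<nick>\S+) (?P<ip>\S+)$")

def find_flooders(log_text, max_regs=2, window_secs=300):
    """Return {ip: [channels]} for every IP that registers more than
    max_regs channels within any window of window_secs seconds."""
    recent = defaultdict(deque)  # ip -> (time, channel) pairs inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not channel registrations
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append((ts, m["chan"]))
        # Expire registrations older than the window before counting.
        while (ts - q[0][0]).total_seconds() > window_secs:
            q.popleft()
        if len(q) > max_regs:
            chans = flagged.setdefault(m["ip"], [])
            chans.extend(c for _, c in q if c not in chans)
    return flagged

if __name__ == "__main__":
    for ip, chans in find_flooders(SAMPLE_LOG).items():
        # Candidates for a gzline and for dropping the listed channels.
        print(ip, "registered", len(chans), "channels:", ", ".join(chans))
```

Counting per IP only catches a script that stays on one address; a run spread over several proxies would need the same window keyed on nick or on the channel-name stem instead.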

Solutech
Posts: 296
Joined: Thu Mar 18, 2004 11:38 pm

Post by Solutech » Fri Nov 04, 2005 2:13 am

Simple: stop your users creating channels. Problem solved ;). I had a similar problem and I locked my server to official channels only. If someone wants a room now they see an admin. No temp channels; it's harsh but it stops this sort of caper. The less a user can use the less they can abuse, in my book. As for proxies, if you suspect it's a snide addy then ban it. You can always lift it again later on. As for someone abusing commands, set your snomasks (angrywolf's commandsno module will allow this) and the commands you want flagged. Then your ircops have no excuse for not seeing 20 chans being regged in a few secs.
Yawn. So there's yet another "if the user clicks the button, they're infected" exploit. Why is this news? We already know users are idiots.
