regex help please on numerics

These are old archives. They are kept for historic purposes only.
cheiron
Posts: 74
Joined: Sun May 29, 2011 6:17 pm

regex help please on numerics

Post by cheiron » Sat Jun 25, 2011 6:11 pm

Getting a mass of botnets of late and I have finally found one single common factor which I need help with banning.

Looking at snotice I can see they all have an IP number directly after the @ in the user ident@

for example..

*** Notice -- Client connecting on port 6667: Ryan (Ryan@xxx.xx.xx.xx) [clients] at 19:02:37 on 25/06/2011 on server
*** Notice -- Client connecting on port 6667: Norroar_ (norroar@xx.xxx.xxx.xx [clients] at 19:04:39 on 25/06/2011 on server
*** Notice -- Client connecting on port 6667: Coolness (AndChat@xxx.xxx.x.xx) [clients] at 19:04:50 on 25/06/2011 on server
*** Notice -- Client connecting on port 6667: omi (onkar.moha@xxx.xxx.xx.xxx) [clients] at 08:34:50 on 25/06/2011 on server

I have been through a full 48-hour log and all botnets are in this pattern: ident@ip.number.here

We're running UnrealIRCd 3.2.8.1 with Anope 1.8.5

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Re: regex help please on numerics

Post by Stealth » Sat Jun 25, 2011 7:16 pm

Having an IP address in the connection notice simply means their IP addresses could not be resolved to a host. This is not a good way to tell which users are bots and which are not.

To better tell which users are bots and which are not, you should look at messages they may be sending to channels (both messages to the channels, and part messages), look at quit messages, and also look for any channels they are crowding in.

If they are all in 1 channel, simply stay in that channel and gline anyone who joins that is not human. There might also be commands you can send to the bots through the topic or messages that can make them remove themselves.

Also BE SURE you are running a BOPM or other bad people monitoring program as these would cut down on how many bots join. You can get instructions for setting up a BOPM here: http://unreal.x-tab.org/faq#InstallBOPM

cheiron
Posts: 74
Joined: Sun May 29, 2011 6:17 pm

Re: regex help please on numerics

Post by cheiron » Sat Jun 25, 2011 7:29 pm

Figured that might be the case...

We've got BOPM, IRC Defender and BLSB running, but we've got kiddies proxying like hell and that's the exact format they are all coming in with: ident@ip.address.here :(

BOPM etc. are going mental but some are still getting past all 3.

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Re: regex help please on numerics

Post by Stealth » Sat Jun 25, 2011 8:23 pm

A BOPM is not a perfect solution, and there will always be some that get through. The only perfect solution would be to not run an IRCd and use another network's services to fill your needs (let them worry about it).

Again, you should look for a control pattern or other patterns in messages and realnames. All botnets have some kind of pattern or control channel, even the ones used specifically for flooding that are 'random'.

cheiron
Posts: 74
Joined: Sun May 29, 2011 6:17 pm

Re: regex help please on numerics

Post by cheiron » Sun Jun 26, 2011 7:20 am

Dug up everything I had from snotice logs and there was a pattern:

nick ident@ip.number

Getting partial matches on nicks and idents, for example:
11<03:00pm> * Joins: coyotebd (~coyote@Vampire-541D3D18.tu.ok.cox.net)
11<03:00pm> * Joins: coyoterz (~coyote@D7C0D932.B2232BAA.BD1D4102.IP)
11<03:00pm> * Joins: coyotent (~coyote@D4EF5F22.CBDC8DFE.100B76E2.IP)
11<03:00pm> * Joins: coyoteuc (~coyote@Vampire-AA609E1D.bgwan.com)
11<03:00pm> * Joins: coyoteea (~coyote@3E14C57D.15BCA088.BADDF4B5.IP)
11<03:00pm> * Joins: coyotefr (~coyote@6193B855.B244CAD8.AFCD75DE.IP)
11<03:00pm> * Joins: coyotehx (~coyote@Vampire-82F16339.idtnet.cz)
11<03:00pm> * Joins: coyotelw (~coyote@Vampire-12A6BBA3.static.hlrg.nc.charter.com)
11<03:00pm> * Joins: coyoteao (~coyote@Vampire-D6C6D412.rmo.bellsouth.net)
11<03:00pm> * Joins: coyoteff (~coyote@E2C6184F.7F322517.3E63F281.IP)
11<03:00pm> * Joins: coyotezq (~coyote@Vampire-8897F86D.hfc.comcastbusiness.net)
Then the next set that came in a few seconds later was:
11<04:59pm> * Joins: chatirc2 (~chatirc@531351B9.8A9753AA.8D951922.IP)
11<04:59pm> * Joins: chatirc6382 (~chatirc@3E77173B.9770C532.5C892357.IP)
11<05:00pm> * Joins: chatirc7396 (~chatirc@Vampire-47580F8C.macross.com)
11<05:00pm> * Joins: chatirc137 (~chatirc@59AD7F33.CE1F58F8.6202AD67.IP)
11<05:00pm> * Joins: chatirc1745 (~chatirc@1A02E0C0.87082C51.AA9F3057.IP)
11<05:00pm> * Joins: chatirc5030 (~chatirc@A20543DF.2F957725.60B25A81.IP)
11<05:00pm> * Joins: chatirc1344 (~chatirc@AC70E7A5.31CEEC10.629AB85C.IP)
11<05:00pm> * Joins: chatirc3327 (~chatirc@17E634D6.972E6271.5D534610.IP)
11<05:00pm> * Joins: chatirc7179 (~chatirc@4A58B23F.30BAD3B5.108453A9.IP)
11<05:00pm> * Joins: chatirc2504 (~chatirc@FF2FFEF3.910FF70B.AC68BE95.IP)
11<05:00pm> * Joins: chatirc6064 (~chatirc@81834996.FA6267CC.2CBA5397.IP)
11<05:00pm> * Joins: chatirc3286 (~chatirc@18C12CBC.6018EACD.BD6E6B67.IP)
11<05:00pm> * Joins: chatirc9867 (~chatirc@2468FD31.54DBC987.DB4086E6.IP)
11<05:00pm> * Joins: chatirc1833 (~chatirc@12E9D3AD.5B8DBEC3.DAE4E0C1.IP)
11<05:00pm> * Joins: chatirc2410 (~chatirc@F2766194.52660914.D97900CD.IP)
11<05:00pm> * Joins: chatirc8981 (~chatirc@678EB66E.30218F02.6F14AD35.IP)
11<05:00pm> * Joins: chatirc1981 (~chatirc@C0858CCA.474E55FD.2FF326DB.IP)

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Re: regex help please on numerics

Post by Stealth » Mon Jun 27, 2011 6:21 am

These are probably generated by ClonesX or something similar. Check the spamfilters forums for many spamfilters to match.

You can also take care of patterns like this very easily:

/gline ~coyote@* 180d Due to abusive connections using this ident, it has been blocked. Please change your ident and reconnect.
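As an added example (not code from this thread or from UnrealIRCd), a small Python script that parses join lines in the shape quoted above, groups them by ident to surface clone clusters whose nicks carry the ident as a prefix, and checks ident@* ban masks of the kind suggested in the reply. The log lines embedded in it are constructed samples; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the join log quoted in the thread (not real clients)
SAMPLE_JOINS = [
    "11<03:00pm> * Joins: coyotebd (~coyote@Vampire-541D3D18.tu.ok.cox.net)",
    "11<03:00pm> * Joins: coyoterz (~coyote@D7C0D932.B2232BAA.BD1D4102.IP)",
    "11<03:00pm> * Joins: coyotent (~coyote@D4EF5F22.CBDC8DFE.100B76E2.IP)",
    "11<04:59pm> * Joins: chatirc2 (~chatirc@531351B9.8A9753AA.8D951922.IP)",
    "11<05:00pm> * Joins: chatirc6382 (~chatirc@3E77173B.9770C532.5C892357.IP)",
    "11<05:00pm> * Joins: chatirc137 (~chatirc@Vampire-47580F8C.macross.com)",
    "11<05:00pm> * Joins: alice (~alice@Vampire-1234ABCD.example.net)",
]

JOIN_RE = re.compile(r"\* Joins: (?P<nick>\S+) \((?P<ident>[^@\s]+)@(?P<host>[^)\s]+)\)")

def parse_join(line):
    """Return {'nick', 'ident', 'host'} for a join line, or None if it is not one."""
    m = JOIN_RE.search(line)
    return m.groupdict() if m else None

def clone_clusters(lines, min_clients=3):
    """Group joins by ident; keep idents whose nicks are ident-prefixed and that
    reach min_clients distinct hosts. Returns {ident: sorted list of hosts}."""
    hosts = defaultdict(set)
    for line in lines:
        j = parse_join(line)
        if j is None:
            continue
        # clone generators pad a fixed ident with random nick suffixes: nick == ident + junk
        if j["nick"].lower().startswith(j["ident"].lstrip("~").lower()):
            hosts[j["ident"]].add(j["host"])
    return {i: sorted(h) for i, h in hosts.items() if len(h) >= min_clients}

def mask_to_regex(mask):
    """IRC masks only know '*' (any run) and '?' (one char); everything else is literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.compile("^" + body + "$", re.IGNORECASE)

def mask_matches(mask, ident, host):
    """True if ident@host falls under the ban mask (case-insensitive, as IRCds compare)."""
    return mask_to_regex(mask).match(f"{ident}@{host}") is not None

def suggest_glines(clusters):
    """One ident@* ban mask per cluster, the shape used in the reply above."""
    return [f"{ident}@*" for ident in sorted(clusters)]
```

Run over a real snotice or channel log, a cluster of one ident across many unresolved hosts within seconds is the signal worth acting on; a single legitimate ~alice stays below the threshold.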

katsklaw
Official supporter
Posts: 1114
Joined: Sun Apr 18, 2004 5:06 pm

Re: regex help please on numerics

Post by katsklaw » Mon Jun 27, 2011 1:40 pm

and ~chatirc@*

The good thing about ClonesX is that they have a very predictable pattern and are easy to gline even if they use proxies.

Sally.Q
Posts: 1
Joined: Thu Aug 04, 2011 9:47 am
Location: Germany

new...

Post by Sally.Q » Thu Aug 04, 2011 9:52 am

I can just say that this is totally new for me, so thanks...
regards,
sally.
