
regex help please on numerics

Posted: Sat Jun 25, 2011 6:11 pm
by cheiron
Getting a mass of botnets of late, and I have finally found one single common factor which I need help with banning.

Looking at snotice I can see they all have an IP number directly after the @ in the user ident@.

For example:

*** Notice -- Client connecting on port 6667: Ryan (Ryan@xxx.xx.xx.xx) [clients] at 19:02:37 on 25/06/2011 on server
*** Notice -- Client connecting on port 6667: Norroar_ (norroar@xx.xxx.xxx.xx [clients] at 19:04:39 on 25/06/2011 on server
*** Notice -- Client connecting on port 6667: Coolness (AndChat@xxx.xxx.x.xx) [clients] at 19:04:50 on 25/06/2011 on server
*** Notice -- Client connecting on port 6667: omi (onkar.moha@xxx.xxx.xx.xxx) [clients] at 08:34:50 on 25/06/2011 on server

I have been through a full 48 hour log and all botnets are in this pattern: ident@ip.number.here

We're running UnrealIRCd 3.2.8.1 with Anope 1.8.5.

Re: regex help please on numerics

Posted: Sat Jun 25, 2011 7:16 pm
by Stealth
Having an IP address in the connection notice simply means their IP addresses could not be resolved to a host. This is not a good way to tell which users are bots and which are not.

To better tell which users are bots and which are not, you should look at messages they may be sending to channels (both messages to the channels, and part messages), look at quit messages, and also look for any channels they are crowding in.

If they are all in 1 channel, simply stay in that channel and gline anyone who joins that is not human. There might also be commands you can send to the bots through the topic or messages that can make them remove themselves.

Also BE SURE you are running a BOPM or other bad people monitoring program as these would cut down on how many bots join. You can get instructions for setting up a BOPM here: http://unreal.x-tab.org/faq#InstallBOPM

Re: regex help please on numerics

Posted: Sat Jun 25, 2011 7:29 pm
by cheiron
Figured it might be the case...

We've got BOPM, IRC Defender and BLSB running, but we've got kiddies proxying like hell and that's the exact format they are all coming in with: ident@ip.address.here :(

BOPM etc. are going mental but still getting some past all 3.

Re: regex help please on numerics

Posted: Sat Jun 25, 2011 8:23 pm
by Stealth
A BOPM is not a perfect solution, and there will always be some that get through. The only perfect solution would be to not run an IRCd and use another network's services to fill your needs (let them worry about it).

Again, you should look for a control pattern or other patterns in messages and realnames. All botnets have some kind of pattern or control channel, even the ones used specifically for flooding that are 'random'.

Re: regex help please on numerics

Posted: Sun Jun 26, 2011 7:20 am
by cheiron
Dug up everything I had from snotice logs and there was a pattern:

nick ident@ip.number

Getting partial matches on nicks and idents, for example:
<03:00pm> * Joins: coyotebd (~coyote@Vampire-541D3D18.tu.ok.cox.net)
<03:00pm> * Joins: coyoterz (~coyote@D7C0D932.B2232BAA.BD1D4102.IP)
<03:00pm> * Joins: coyotent (~coyote@D4EF5F22.CBDC8DFE.100B76E2.IP)
<03:00pm> * Joins: coyoteuc (~coyote@Vampire-AA609E1D.bgwan.com)
<03:00pm> * Joins: coyoteea (~coyote@3E14C57D.15BCA088.BADDF4B5.IP)
<03:00pm> * Joins: coyotefr (~coyote@6193B855.B244CAD8.AFCD75DE.IP)
<03:00pm> * Joins: coyotehx (~coyote@Vampire-82F16339.idtnet.cz)
<03:00pm> * Joins: coyotelw (~coyote@Vampire-12A6BBA3.static.hlrg.nc.charter.com)
<03:00pm> * Joins: coyoteao (~coyote@Vampire-D6C6D412.rmo.bellsouth.net)
<03:00pm> * Joins: coyoteff (~coyote@E2C6184F.7F322517.3E63F281.IP)
<03:00pm> * Joins: coyotezq (~coyote@Vampire-8897F86D.hfc.comcastbusiness.net)

Then the next set that came in a few secs later was:

<04:59pm> * Joins: chatirc2 (~chatirc@531351B9.8A9753AA.8D951922.IP)
<04:59pm> * Joins: chatirc6382 (~chatirc@3E77173B.9770C532.5C892357.IP)
<05:00pm> * Joins: chatirc7396 (~chatirc@Vampire-47580F8C.macross.com)
<05:00pm> * Joins: chatirc137 (~chatirc@59AD7F33.CE1F58F8.6202AD67.IP)
<05:00pm> * Joins: chatirc1745 (~chatirc@1A02E0C0.87082C51.AA9F3057.IP)
<05:00pm> * Joins: chatirc5030 (~chatirc@A20543DF.2F957725.60B25A81.IP)
<05:00pm> * Joins: chatirc1344 (~chatirc@AC70E7A5.31CEEC10.629AB85C.IP)
<05:00pm> * Joins: chatirc3327 (~chatirc@17E634D6.972E6271.5D534610.IP)
<05:00pm> * Joins: chatirc7179 (~chatirc@4A58B23F.30BAD3B5.108453A9.IP)
<05:00pm> * Joins: chatirc2504 (~chatirc@FF2FFEF3.910FF70B.AC68BE95.IP)
<05:00pm> * Joins: chatirc6064 (~chatirc@81834996.FA6267CC.2CBA5397.IP)
<05:00pm> * Joins: chatirc3286 (~chatirc@18C12CBC.6018EACD.BD6E6B67.IP)
<05:00pm> * Joins: chatirc9867 (~chatirc@2468FD31.54DBC987.DB4086E6.IP)
<05:00pm> * Joins: chatirc1833 (~chatirc@12E9D3AD.5B8DBEC3.DAE4E0C1.IP)
<05:00pm> * Joins: chatirc2410 (~chatirc@F2766194.52660914.D97900CD.IP)
<05:00pm> * Joins: chatirc8981 (~chatirc@678EB66E.30218F02.6F14AD35.IP)
<05:00pm> * Joins: chatirc1981 (~chatirc@C0858CCA.474E55FD.2FF326DB.IP)

Re: regex help please on numerics

Posted: Mon Jun 27, 2011 6:21 am
by Stealth
These are probably generated by ClonesX or something similar. Check the spamfilters forums for many spamfilters to match.

You can also take care of patterns like this very easily:

/gline ~coyote@* 180d Due to abusive connections using this ident, it has been blocked. Please change your ident and reconnect.

Re: regex help please on numerics

Posted: Mon Jun 27, 2011 1:40 pm
by katsklaw
and ~chatirc@*

The good thing about ClonesX is that they have a very predictable pattern and are easy to gline even if they use proxies.
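Pulling the two replies above together, here is an added example that runs their reasoning over log lines. It is written for this page and is not code from the thread, from UnrealIRCd or from ClonesX. It parses both the connection-notice and the join-line formats quoted earlier in the thread, clusters connections by ident, flags any ident seen from many distinct hosts with many distinct nicks (the part of the pattern that survives proxying), and prints a /gline per ident in the form Stealth used. The sample log is constructed for the example: the ~coyote and ~chatirc entries copy hosts from the thread, while alice, bob, dave, the Parts line, the 192.0.2.x addresses and the threshold of five hosts are assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed sample log for this example. The ~coyote and ~chatirc entries
# copy hosts quoted in the thread; alice, bob, dave, the Parts line and the
# 192.0.2.x addresses are made up so the script has non-bot traffic to ignore.
SAMPLE_LOG = """\
<03:00pm> * Joins: coyotebd (~coyote@Vampire-541D3D18.tu.ok.cox.net)
<03:00pm> * Joins: coyoterz (~coyote@D7C0D932.B2232BAA.BD1D4102.IP)
<03:00pm> * Joins: coyotent (~coyote@D4EF5F22.CBDC8DFE.100B76E2.IP)
<03:00pm> * Joins: coyoteuc (~coyote@Vampire-AA609E1D.bgwan.com)
<03:00pm> * Joins: coyoteea (~coyote@3E14C57D.15BCA088.BADDF4B5.IP)
<03:01pm> * Joins: alice (alice@Vampire-1A2B3C4D.example.net)
<03:02pm> * Joins: bob_ (~bob@Vampire-5E6F7A8B.example.org)
<03:05pm> * Parts: alice (alice@Vampire-1A2B3C4D.example.net)
<04:59pm> * Joins: chatirc2 (~chatirc@531351B9.8A9753AA.8D951922.IP)
<04:59pm> * Joins: chatirc6382 (~chatirc@3E77173B.9770C532.5C892357.IP)
<05:00pm> * Joins: chatirc7396 (~chatirc@Vampire-47580F8C.macross.com)
<05:00pm> * Joins: chatirc137 (~chatirc@59AD7F33.CE1F58F8.6202AD67.IP)
<05:00pm> * Joins: chatirc1745 (~chatirc@1A02E0C0.87082C51.AA9F3057.IP)
*** Notice -- Client connecting on port 6667: dave (dave@192.0.2.7) [clients] at 19:02:37 on 25/06/2011 on server
*** Notice -- Client connecting on port 6667: dave (dave@192.0.2.7) [clients] at 19:40:12 on 25/06/2011 on server
*** Notice -- Client connecting on port 6667: Norroar_ (norroar@192.0.2.9 [clients] at 19:04:39 on 25/06/2011 on server
"""

# The closing ")" is optional because one of the notices quoted in the thread
# lost it; the host simply ends at the next ")" or whitespace.
JOIN_RE = re.compile(
    r"\* Joins: (?P<nick>\S+) \((?P<ident>[^@\s]+)@(?P<host>[^)\s]+)\)?")
SNOTICE_RE = re.compile(
    r"Client connecting on port \d+: (?P<nick>\S+) "
    r"\((?P<ident>[^@\s]+)@(?P<host>[^)\s]+)\)?")


def parse_line(line):
    """Return (nick, ident, host) for a join line or connect notice, else None."""
    for pattern in (JOIN_RE, SNOTICE_RE):
        m = pattern.search(line)
        if m:
            return m.group("nick"), m.group("ident"), m.group("host")
    return None


def cluster_by_ident(lines):
    """Group every parsed connection by ident. The leading ~ (no identd
    response) is kept, because that is exactly what the gline mask must match."""
    clusters = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            nick, ident, host = parsed
            clusters[ident].append((nick, host))
    return clusters


def clone_summary(lines, min_hosts=5):
    """Idents seen from at least min_hosts distinct hosts under at least that
    many distinct nicks. A human reconnecting keeps one host (dave above), so
    one ident spread over many hosts is the clone signature the thread shows,
    whether or not those hosts resolve or appear as bare IPs."""
    summary = {}
    for ident, members in cluster_by_ident(lines).items():
        hosts = {host for _, host in members}
        nicks = {nick for nick, _ in members}
        if len(hosts) >= min_hosts and len(nicks) >= min_hosts:
            summary[ident] = {
                "hosts": len(hosts),
                # Shared nick stem (coyote.., chatirc..) as a second signal.
                "nick_prefix": os.path.commonprefix(sorted(nicks)),
            }
    return summary


def suspicious_idents(lines, min_hosts=5):
    return sorted(clone_summary(lines, min_hosts))


def gline_commands(lines, duration="180d", min_hosts=5):
    """One /gline per flagged ident, in the form Stealth posted."""
    reason = ("Due to abusive connections using this ident, it has been blocked. "
              "Please change your ident and reconnect.")
    return [f"/gline {ident}@* {duration} {reason}"
            for ident in suspicious_idents(lines, min_hosts)]


if __name__ == "__main__":
    for cmd in gline_commands(SAMPLE_LOG.splitlines()):
        print(cmd)
```

Note that the script never looks at whether the host is a bare IP, in line with Stealth's first reply, and that an ident@* gline also catches any legitimate user who happens to share the ident, which is why the reason text asks them to change ident and reconnect. Raise `min_hosts` on a busy network where a popular client ships a fixed default ident.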

new...

Posted: Thu Aug 04, 2011 9:52 am
by Sally.Q
I can just say that this is totally new for me, so thanks...
Regards,
Sally.