module like defizzer

These are old archives. They are kept for historic purposes only.
SLipKnOt
Posts: 42
Joined: Sat Apr 10, 2004 6:43 pm
Location: Bangladesh , dhaka
Contact:

module like defizzer

Post by SLipKnOt » Sat Sep 18, 2004 2:06 am

i was wondering if there is another module like defizzer that identify bots(botnets) and kline it..

codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States
Contact:

Post by codemastr » Sat Sep 18, 2004 3:19 am

Every botnet is different. There is no way to detect them all, and some are completely undetectable.
-- codemastr

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Sat Sep 18, 2004 6:12 am

codemastr wrote:and some are completely undetectable.
Well, maybe completely undetectable by a mere automated process such as an IRCd, but us humans are naturally much more capable of investigating such a "client"'s activities and taking the necessary action ;) .

SLipKnOt
Posts: 42
Joined: Sat Apr 10, 2004 6:43 pm
Location: Bangladesh , dhaka
Contact:

Post by SLipKnOt » Sat Sep 18, 2004 11:00 am

codemastr wrote:Every botnet is different. There is no way to detect them all, and some are completely undetectable.
ok then how about when name!identd@* and fullname are same .. and mirc version not respond at in this moment it will identify them. i find some botnet use this style similer nick identd fullname in this way atleast we can stop few bots

SLipKnOt
Posts: 42
Joined: Sat Apr 10, 2004 6:43 pm
Location: Bangladesh , dhaka
Contact:

Post by SLipKnOt » Sat Sep 18, 2004 11:05 am

aquanight wrote: Well, maybe completely undetectable by a mere automated process such as an IRCd, but us humans are naturally much more capable of investigating such a "client"'s activities and taking the necessary action ;) .
Well auanight how long u can be active and investigate.. not all time i guess.. and this bots can mess up all within few minutes if u dont run any automated process :)

w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t » Mon Sep 20, 2004 12:04 am

http://ircdefender.org/

May be able to help, maybe not. Can do regex banning and stuff... give it a whirl.
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]

SLipKnOt
Posts: 42
Joined: Sat Apr 10, 2004 6:43 pm
Location: Bangladesh , dhaka
Contact:

Post by SLipKnOt » Tue Sep 21, 2004 8:16 am

w00t wrote:http://ircdefender.org/

May be able to help, maybe not. Can do regex banning and stuff... give it a whirl.
thanks bubby
./SLipKnOt --help

Winbots
Posts: 65
Joined: Wed Apr 21, 2004 12:26 am
Location: irc://irc.winbots.org/Winbots
Contact:

Post by Winbots » Tue Sep 21, 2004 7:09 pm

ehh... http://www.neostats.net secureserv already detects many many botnets/spam/viruses :)

SLipKnOt
Posts: 42
Joined: Sat Apr 10, 2004 6:43 pm
Location: Bangladesh , dhaka
Contact:

Post by SLipKnOt » Wed Sep 22, 2004 6:15 pm

Winbots wrote:ehh... http://www.neostats.net secureserv already detects many many botnets/spam/viruses :)
Well i tried so but secureserv only help on for some virus (litmus, trojan) kinda not botnet :)
./SLipKnOt --help

SLipKnOt
Posts: 42
Joined: Sat Apr 10, 2004 6:43 pm
Location: Bangladesh , dhaka
Contact:

Post by SLipKnOt » Wed Sep 22, 2004 7:01 pm

Actually i need something like that if any client wont reply version then it will mark it and kill or kline cuz most of the botnet dont reply version :$
./SLipKnOt --help

codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States
Contact:

Post by codemastr » Wed Sep 22, 2004 7:46 pm

SLipKnOt wrote:Actually i need something like that if any client wont reply version then it will mark it and kill or kline cuz most of the botnet dont reply version :$
Well you could certainly make such a module, but keep in mind it will kill innocent users too. I have my client set to not respond to version replies. Just because I want privacy means I can't use your server?
-- codemastr

w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t » Thu Sep 23, 2004 12:00 am

They must have other characteristics in common... presumably nickname or something?
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]

SLipKnOt
Posts: 42
Joined: Sat Apr 10, 2004 6:43 pm
Location: Bangladesh , dhaka
Contact:

Post by SLipKnOt » Thu Sep 23, 2004 11:09 pm

codemastr wrote:
SLipKnOt wrote:Actually i need something like that if any client wont reply version then it will mark it and kill or kline cuz most of the botnet dont reply version :$
Well you could certainly make such a module, but keep in mind it will kill innocent users too. I have my client set to not respond to version replies. Just because I want privacy means I can't use your server?
oh i dont mean that .. actually in my network its asian net work most of the user (99%) users use mIRC Jirc Few ppl usre xchat and all of them i find they respond except those bots :$ so .. in this kind a network that kind a module will help a lot..
./SLipKnOt --help

SLipKnOt
Posts: 42
Joined: Sat Apr 10, 2004 6:43 pm
Location: Bangladesh , dhaka
Contact:

Post by SLipKnOt » Thu Sep 23, 2004 11:12 pm

w00t wrote:They must have other characteristics in common... presumably nickname or something?
yeah i find they use they fullname common but they use "*" as their full name.. for this i cant ban them :( from ircd
./SLipKnOt --help

w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t » Fri Sep 24, 2004 6:14 am

Banning based on ctcp replies is a really bad idea... go talk to the defender people, they should probably be able to investigate into it and give you a hand.

I'd offer myself, but I'm busy with other projects at the moment. Still, drop me a line and I'll try get round to it.
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]

Post Reply