trojan bots flood what should i do?

The UnrealIRCd team does not officially provide support for any services packages that you may be using or want to use. This forum is provided so the community can help each other with services issues.

sageek

Post by sageek »

Lately, my server is getting attacked by some moron (clones, floods).
At first I thought it was proxies and installed bopm. After getting another attack, where bopm stood still and killed like 3 of 300, I figured something is not right.

I ran nmap on a few of the hosts and found radmin (4899) and realvnc (5900); those ports prolly allow the hacker to take remote control.

So I figured it's prolly xdcc or ddos bots.

Is there anything to do against them?
I thought I might make a script asking for version at connect, and if there's no response then shun the user, tho it can catch poor users who ignore tcp, or lagged users.
Clues?
Is there any way to add those ports to bopm? I tried to add them to all the protocols there, no clue if it will help.

Until next time,
yours, sagi :)
Matridom
Posts: 296
Joined: Fri Jan 07, 2005 3:28 am

Re: trojan bots flood what should i do?

Post by Matridom »

sageek wrote: Lately, my server is getting attacked by some moron (clones, floods).
At first I thought it was proxies and installed bopm. After getting another attack, where bopm stood still and killed like 3 of 300, I figured something is not right.

I ran nmap on a few of the hosts and found radmin (4899) and realvnc (5900); those ports prolly allow the hacker to take remote control.

So I figured it's prolly xdcc or ddos bots.

Is there anything to do against them?
I thought I might make a script asking for version at connect, and if there's no response then shun the user, tho it can catch poor users who ignore tcp, or lagged users.
Clues?
Is there any way to add those ports to bopm? I tried to add them to all the protocols there, no clue if it will help.

Until next time,
yours, sagi :)
Spamfilters work real well to clean out these types of attacks.

If you post some examples of the names that these bots are using to connect, I'm sure someone will be able to post an accurate regex to stop the connections.
Never argue with an idiot. They will bring you down to their level, then beat you with experience.