strange bot nicks

These are old archives. They are kept for historic purposes only.
Post Reply
cl0ud
Posts: 6
Joined: Mon Sep 05, 2005 7:37 pm
Contact:

strange bot nicks

Post by cl0ud »

[13:30] * Joins: termination (~[email protected])
[13:30] * Joins: compassions (~[email protected])
[13:30] * Joins: recitals (~[email protected])
[13:30] * Joins: parapets (~[email protected])
[13:30] * Joins: mastiff (~[email protected])
[13:30] * Joins: feminin (~[email protected])
[13:30] * Joins: collation (~[email protected])
[13:30] * Joins: soonchai (~[email protected])
[13:30] * Joins: mensuration (~[email protected])
[13:30] * Joins: execreation (~[email protected])

Here is /whois from some of them.

| mastiff (~[email protected])
| name : stupefaction
mastiff is using modes +irx
mastiff is a registered nick
| chan : #channel
| serv : irc.server.com
| idle : 1hr 58mins 45secs (signed on Fri Oct 21 18:21:16 2005)

| retroversio (~[email protected])
| name : souvenirs
retroversio is using modes +irx
retroversio is a registered nick
| chan : #channel
| serv : irc.server.com
| idle : 40mins 55secs (signed on Sat Oct 22 08:08:53 2005)

and they replied ctcp version request.

* CTCP VERSION reply from compassions: mIRC v6.14 Khaled Mardam-Bey
* CTCP VERSION reply from retroversio: mIRC v6.14 Khaled Mardam-Bey

------
does anyone know what kinda of bots they are? Their nicks pretty much look like dictionary words. i haven't seen floodbots that reply to ctcp request yet. :roll:
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Post by Stealth »

Here is a tip: G:Line one of them. All those IP's are the same, so g:lining 1 will take care of all of them.

EDIT: Also, add an allow block that looks like this to the conf:

Code: Select all

allow {
  ip unknown@*;
  hostname unknown@*;
  class clients;
  maxperip 2;
};
This allow block should be the LAST allow block in the conf to work. The 'unknown' part applies to anyone without an Identd reply, and the maxperip setting is set to 2, this will stop most clones, as clones (usually) don't have an Identd response.

I am willing to bet, these are nothing but some script kiddie wanting to generate a flood, but is also too dumb to use any proxies at the same time.
cl0ud
Posts: 6
Joined: Mon Sep 05, 2005 7:37 pm
Contact:

Post by cl0ud »

Thanks Stealth for ur reply. And i'm sorry that i forgot to mention that IP is kinda crowded. Many users from that ISP. :(
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Post by Stealth »

The ISP won't matter if you just ban 1 IP. Ban it for a day, and re-ban it when they come back. On my network, when I have an abusive ISP, I gline ~*@*.some.isp.com with the reason "Due to abusive connections, Identd is requiered for this ISP." The ~ ofcourse is there when there is no Identd response, making Identd required to connect.
w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t »

Although with the advent of mIRC and other clients that enable you to fake ident, this isn't so useful.
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

Unless most of the abuse is by drones.

EDIT: Also, this 'unknown@*' feature appears to be undocumented. Perhaps that should be corrected.
Why the hell can't my signature be empty?
"Your message contains too few characters."
cl0ud
Posts: 6
Joined: Mon Sep 05, 2005 7:37 pm
Contact:

Post by cl0ud »

Thanks for the suggestions. Unfortunately, our servers are identd-disable for all clients. Seems like we have to config. :?
Post Reply