
we need help !!

Posted: Sun Jan 28, 2007 3:46 pm
by Talustus
hi :) we have a problem with a botnet. For 4 days now, every day a botnet with many bots is connecting to our IRC network. They sometimes join the same channels, so I have added the channels to the killchan list in ircdefender, but it does not really kill all bots, only a few. We have glined all the IPs, but every day they come back. There is nothing they have in common: not the same nicks, not the same ident, or so on. They don't reply to finger or version requests. Our only help against them is the DEFCON system from Anope.

we know that it is another network that attacks us, we know the network, it is a Turkish network with around 1200 users, but what could we do against this network?

here are some examples

Code:

[14:27:09] <@ConnectServ> SIGNED ON user: KatiL ([email protected] - StRess) at: dream-irc.de
[14:27:17] <Global> OperServ: Talustus: defcon 1
[14:27:17] -OperServ- Services sind jetzt beim DEFCON 1
[14:27:17] -OperServ- * Keine neuen Channel-Registrierungen
[14:27:17] -OperServ- * Keine neuen Nicknamen-Registrierungen
[14:27:17] -OperServ- * keine MLOCK änderungen
[14:27:17] -OperServ- * Zwingt alle Channels die Modes (+miR) zu setzen
[14:27:17] -OperServ- * Benutzt das reduzierte Session-Limit von 1
[14:27:17] -OperServ- * Stilles ignorieren von non-opers
[14:27:17] -OperServ- * Setzt einen AKILL auf jeden NEU verbindenden Clienten
[14:27:17] <Global> Defcon level changed to 1 by Oper Talustus
[14:27:17] -Global- Das Defcon-Level ist jetzt auf Level: 1
[14:27:17] -Global- Security issues detected services in Defconmode
[14:27:17] <Global> DEFCON: setting +miR on all chan's
[14:27:17] * OperServ sets mode: +miR
[14:27:18] <Global> LOGUSERS: TnT ([email protected] => FC3709BC.8DF57D1E.7CCE9679.IP) (Monitor) [88.233.224.49] connected to the network (dream-irc.de).
[14:27:18] <@ConnectServ> SIGNED ON user: TnT ([email protected] - Monitor) at: dream-irc.de
[14:27:18] <Global> DEFCON: adding akill for *@88.233.224.49
[14:27:18] <Global> LOGUSERS: OcusTic ([email protected] => FC3709BC.8DF57D1E.7CCE9679.IP) (ProFiLe) [88.233.224.49] connected to the network (dream-irc.de).
[14:27:18] <@ConnectServ> SIGNED ON user: OcusTic ([email protected] - ProFiLe) at: dream-irc.de
[14:27:18] <Global> DEFCON: adding akill for *@88.233.224.49
[14:27:18] <Global> user: QUIT from nonexistent user OcusTic: User has been banned from Dream-Irc (This network is currently not accepting connections, please try again later)
[14:27:18] <Global> LOGUSERS: TnT ([email protected] => FC3709BC.8DF57D1E.7CCE9679.IP) (Monitor) left the network (dream-irc.de).
[14:27:18] <@ConnectServ> SIGNED OFF user: OcusTic ([email protected] - ProFiLe) at: dream-irc.de - User has been banned from Dream-Irc (This network is currently not accepting connections, please try again later)
[14:27:18] <@ConnectServ> SIGNED OFF user: TnT ([email protected] - Monitor) at: dream-irc.de - User has been banned from Dream-Irc (This network is currently not accepting connections, please try again later)
[14:27:19] <@ConnectServ> SIGNED ON user: KoRDoba ([email protected] - The_seYtanNN) at: dream-irc.de
[14:27:19] <Global> LOGUSERS: KoRDoba ([email protected] => 49FE7891.2A2D6CA5.7CCE9679.IP) (The_seYtanNN) [88.233.137.173] connected to the network (dream-irc.de).
[14:27:19] <Global> DEFCON: adding akill for *@88.233.137.173
[14:27:19] <Global> LOGUSERS: KoRDoba ([email protected] => 49FE7891.2A2D6CA5.7CCE9679.IP) (The_seYtanNN) left the network (dream-irc.de).
[14:27:19] <@ConnectServ> SIGNED OFF user: KoRDoba ([email protected] - The_seYtanNN) at: dream-irc.de - User has been banned from Dream-Irc (This network is currently not accepting connections, please try again later)
[14:27:20] <Global> LOGUSERS: inBoX ([email protected] => 6A2E93A6.3F3B928A.7EE77F11.IP) (Password) [86.123.46.102] connected to the network (dream-irc.de).
[14:27:20] <@ConnectServ> SIGNED ON user: inBoX ([email protected] - Password) at: dream-irc.de
[14:27:20] <Global> DEFCON: adding akill for *@86.123.46.102
[14:27:20] <@ConnectServ> SIGNED OFF user: inBoX ([email protected] - Password) at: dream-irc.de - OperServ (Session limit exceeded)
[14:27:20] <@ConnectServ> SIGNED OFF user: BeRDaNi ([email protected] - FaNatiK) at: dream-irc.de - User has been banned from Dream-Irc (This network is currently not accepting connections, please try again later)
[14:27:20] <Global> LOGUSERS: BeRDaNi ([email protected] => 6A2E93A6.3F3B928A.7EE77F11.IP) (FaNatiK) left the network (dream-irc.de).
[14:27:30] <@ConnectServ> SIGNED OFF user: iLetisim ([email protected] - Z-i-Y-a) at: dream-irc.de - User has been permanently banned from Dream-Irc (SpamBot by Talustus)
[14:27:30] <Global> LOGUSERS: iLetisim ([email protected] => FD1094A0.A8BD19EB.B0379ED3.IP) (Z-i-Y-a) left the network (dream-irc.de).
[14:27:33] <Global> LOGUSERS: Romeo ([email protected] => DreamUser-7BCDF65D.red-80-24-145.staticip.rima-tde.net) (ZeYNeL) [80.24.145.243] connected to the network (dream-irc.de).
[14:27:33] <@ConnectServ> SIGNED ON user: Romeo ([email protected] - ZeYNeL) at: dream-irc.de
[14:27:33] <Global> DEFCON: adding akill for *@243.Red-80-24-145.staticIP.rima-tde.net
[14:27:34] <@ConnectServ> SIGNED OFF user: Romeo ([email protected] - ZeYNeL) at: dream-irc.de - User has been banned from Dream-Irc (This network is currently not accepting connections, please try again later)
[14:27:34] <Global> LOGUSERS: Romeo ([email protected] => DreamUser-7BCDF65D.red-80-24-145.staticip.rima-tde.net) (ZeYNeL) left the network (dream-irc.de).
a whois of one of them

Code:

-=[  •••••••••••••••••••• -=[  Whois von Keko ]=-
-=[  Nickname: -=[  Keko ]
-=[  Realname: -=[  garibBoY ]
-=[  Hostmask: -=[  8DB3CDB.E94CE238.60B65782.IP ]
-=[  Ident: -=[  BruceLee ]
-=[ Usermodes: -=[  +ixG ]
-=[  RealHost: -=[  *@88.226.39.10 ]
-=[  Channels: -=[  #dream-irc @#adana ]
-=[  Server: -=[  new-funpower.dream-irc.de ]
-=[  Connectet seit : -=[  Sunday 28/01/2007 14:23:32 ]
-=[  Ist still seit : -=[  7secs ]
-=[  Online zeit : -=[  -72secs ]
-=[  •••••••••••••••••••• -=[  Whois von keko Ende > ]=
...
and so on, I could post a collection like a book of these connects

any ideas how to block this?

p.s. sorry for my broken English, I am German

Posted: Sun Jan 28, 2007 9:57 pm
by Dukat
Yes, please post a bigger sample (whoises).
Are they doing anything? (i.e. "say" something?)
  • You should gzline the IPs, not gline them. Duration >24h, so they won't return the next day.
  • You ARE running a proxy scanner, right?
  • You should probably reconfigure ircdefender to add bans longer than 30 minutes...
  • You could also try an anope module (like cs_jail or cs_trapchan) to ban a channel (increase the time here too).
  • If you are a national network, you could configure your allow block to only allow users from *.de (ok, ugly, but still better than the bots).

Posted: Sun Jan 28, 2007 10:05 pm
by Stealth
Dukat wrote: If you are a national network, you could configure your allow block to only allow users from *.de (ok, ugly, but still better than the bots).
It also looks like you are not running Identd checks. You should enable them in your unrealircd.conf, and ban ~@*.isp, which would stop all the users not running identd. It is still an ugly way of doing it, but it would still give the legitimate users a way onto your network.

re we need help

Posted: Mon Jan 29, 2007 4:07 pm
by Talustus
@Dukat
thx for the fast reply
I have uploaded a txt with a few /whowas and connect infos of them; you can find it here

yes, they say something: they flood in PM and in channels, but always Turkish things, and not the same things,

to 1: ok, we will zline the IPs on all servers,
to 2: yes, we are running BOPM and OPSB, but nothing happens; only a few were banned because an open proxy was found
to 3: defender does a great job at the moment; I have added the channels they often join to the killchan list in defender and it works well, but if they don't join a channel, defender doesn't ban them
to 4: I will have a look at this anope module

@Stealth I have enabled ident-check in my unrealircd.conf, but how do I set the right ban?

Code:

/gline ~*@*.IP
doesn't work

Re: re we need help

Posted: Mon Jan 29, 2007 6:35 pm
by Stealth
Talustus wrote: @Stealth I have enabled ident-check in my unrealircd.conf, but how do I set the right ban?

Code:

/gline ~*@*.IP
doesn't work
~*@*.IP will not work, because that is just the hashed IP of the user. You would need to look at all their IPs and see what they have in common and ban that (e.g. if they are all connecting from 1.2.3.*, ban ~*@1.2.3.*; if they are all connecting from something.some.isp.net, ban ~*@*.some.isp.net).

Posted: Mon Jan 29, 2007 9:36 pm
by Dukat
The easiest way would probably be to ban the whole provider TurkTelekom - should not be a problem if you don't have any legitimate users from there...

Code:

ban ip {
	mask 88.254.0.0/17;
	reason "TurkTelekom is permanently banned from this network. Please visit http://dream-irc.de/turk.html for more information.";
};
ban ip {
	mask 85.98.64.0/19;
	reason "TurkTelekom is permanently banned from this network. Please visit http://dream-irc.de/turk.html for more information.";
};
ban ip {
	mask 81.215.50.0/23;
	reason "TurkTelekom is permanently banned from this network. Please visit http://dream-irc.de/turk.html for more information.";
};
ban ip {
	mask 85.96.0.0/12;
	reason "TurkTelekom is permanently banned from this network. Please visit http://dream-irc.de/turk.html for more information.";
};
ban ip {
	mask 88.229.192.0/18;
	reason "TurkTelekom is permanently banned from this network. Please visit http://dream-irc.de/turk.html for more information.";
};
Add more blocks for additional ranges if required.


Additionally you should contact the provider with details of the attacks.
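
Doing Stealth's "see what the IPs have in common" step and Dukat's ban ip blocks mechanically, as an added example that is not from the thread or from UnrealIRCd: it parses constructed LOGUSERS lines in the format quoted above, buckets the source IPs into /24s, and prints ban ip {} blocks only for ranges hit from more than one distinct address (the sample IPs and example.net are made up for the example).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the LOGUSERS format quoted above; the addresses are
# RFC 5737 documentation ranges, not the ones from the thread.
SAMPLE_LOG = """\
[14:27:18] <Global> LOGUSERS: TnT (id@host => AAAA.BBBB.IP) (Monitor) [198.51.100.49] connected to the network (example.net).
[14:27:18] <Global> LOGUSERS: OcusTic (id@host => AAAA.BBBB.IP) (ProFiLe) [198.51.100.49] connected to the network (example.net).
[14:27:19] <Global> LOGUSERS: KoRDoba (id@host => CCCC.DDDD.IP) (seYtan) [198.51.100.173] connected to the network (example.net).
[14:27:19] <Global> LOGUSERS: KoRDoba (id@host => CCCC.DDDD.IP) (seYtan) left the network (example.net).
[14:27:20] <Global> LOGUSERS: inBoX (id@host => EEEE.FFFF.IP) (Password) [203.0.113.102] connected to the network (example.net).
"""

# The bracketed dotted quad after the (realname) field is the real address;
# the hashed host before it (the *.IP form) tells you nothing you can ban on.
CONNECT_RE = re.compile(
    r"LOGUSERS: (?P<nick>\S+) \(.*?\) \((?P<realname>[^)]*)\) "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] connected to the network"
)


def parse_connects(log_text):
    """Source IP of every connect line; 'left the network' lines are skipped."""
    return [ipaddress.ip_address(m.group("ip"))
            for m in map(CONNECT_RE.search, log_text.splitlines()) if m]


def group_by_prefix(ips, prefixlen=24, min_distinct=2):
    """Bucket IPs into /prefixlen networks and keep only the networks hit from
    at least min_distinct different addresses, so one stray IP never turns a
    whole range into a ban candidate."""
    buckets = defaultdict(set)
    for ip in ips:
        buckets[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)].add(ip)
    return {net: sorted(hosts) for net, hosts in buckets.items()
            if len(hosts) >= min_distinct}


def render_ban_blocks(networks, reason):
    """UnrealIRCd ban ip {} blocks in the syntax used in the reply above."""
    return "\n".join(
        f'ban ip {{\n\tmask {net.with_prefixlen};\n\treason "{reason}";\n}};'
        for net in sorted(networks))


if __name__ == "__main__":
    candidates = group_by_prefix(parse_connects(SAMPLE_LOG))
    for net, hosts in candidates.items():
        print(f"# {net}: {len(hosts)} distinct hosts, check whois before banning")
    print(render_ban_blocks(candidates, "Bot range banned; contact the admins."))
```

Run it over a larger excerpt and check whois on each candidate range before adding it to unrealircd.conf: two bots in one /24 does not mean the whole provider is hostile.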

Posted: Fri Feb 02, 2007 3:11 pm
by Talustus
Dukat wrote:
  • ?
  • You should probably reconfigure ircdefender to add bans longer than 30 minutes...
how can I do this? I have changed the module killchan.pm from ircDefender where the following code was:

Code:

my $killed = 0;

my %killchans;

# duration handed to main::gline below for every non-oper that joins a killchan
my $gline_time = 30;

sub handle_mode {}

sub handle_topic
{
}


sub handle_join {

	# only used for the text of the notice sent to opers below
	my $gline_mins = int($gline_time / 60);

	my($nick,$chan) = @_;

	foreach(keys %killchans) {

		if(lc $chan eq lc $_) {
			# host part of the user@host string main::gethost returns
			my (undef,$host) = split("@",main::gethost($nick));
			if (!main::isoper($nick)) {
				main::gline("*\@$host",$gline_time,"You joined a banned channel ($killchans{$_})");
				main::message("$nick joined $chan and was glined ($killchans{$_})");
				$killed++;
			} else {
				main::message("$nick joined $chan but is an ircop, so was not glined");
				main::notice($nick,"The channel \2$chan\2 is in the \2killchan list\2, so non-opers joining this channel will be G-Lined for \2$gline_mins\2 minutes.");
			}

		}

	}

}
I have changed the var.

Code:

my $gline_time = 30;
to

Code:

my $gline_time = 0;
because /gline +0 is a permanent gline, but it didn't work -.-
I can change this time, but nothing happens.