Howard none

Joined: 16 Nov 2003 Posts: 34
Posted: Nov 17, 2003 11:09am Post subject: mo' bots - not quite on the fizzer scale, but close

Started 11/17/03, about 1800 Pacific, about 50 an hour, plus or minus.
The only signature identified so far is that they're joining one of 8 channel names:
#bccbots
#digital-playground
#divxstation
#ds-xdcc
#ftps
#globalwatchzone
#ixdcc
#zeta
Most heavily hit is #ds-xdcc; the only output from any of them so far has been, on join, 'password' in a notice, and '$#$@!@#' in a notice from a couple when they were deopped.
Anyone but bdsm-net getting hit?
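One way to turn the channel-name signature from the post above into a log check, as an added example that is not part of the original thread. Only the eight channel names come from the post; the log line format, nicknames and hosts are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Channel names listed in the post; IRC channel names are case-insensitive.
SUSPECT_CHANNELS = {
    "#bccbots", "#digital-playground", "#divxstation", "#ds-xdcc",
    "#ftps", "#globalwatchzone", "#ixdcc", "#zeta",
}

# Assumed (hypothetical) log format: "<ISO time> <JOIN|NOTICE> <nick!user@host> <#chan> [:text]"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d (?P<ev>JOIN|NOTICE) "
    r"(?P<src>\S+) (?P<chan>#\S+)(?: :(?P<text>.*))?$"
)

# Constructed sample lines, not taken from any real network.
SAMPLE_LOG = """\
2003-11-17T18:02:11 JOIN kq7x!u@host1.example #ds-xdcc
2003-11-17T18:02:12 NOTICE kq7x!u@host1.example #ds-xdcc :password
2003-11-17T18:05:40 JOIN alice!a@host2.example #help
2003-11-17T18:09:03 JOIN zzt1!u@host3.example #ZETA
2003-11-17T18:30:00 JOIN bob!b@host4.example #ds-xdcc
2003-11-17T18:31:00 JOIN bob!b@host4.example #lobby
2003-11-17T19:01:15 JOIN p0w3!u@host5.example #ixdcc
this line is malformed and is skipped
"""

def find_drones(log_text):
    """Return (suspects, joins_per_hour, joins_per_channel) for the wave."""
    joined = defaultdict(set)      # source -> channels joined
    first_seen = {}                # source -> hour bucket of first join
    notices = set()                # sources that sent 'password' in a notice
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # ignore lines we cannot parse
        src, chan = m["src"], m["chan"].lower()
        if m["ev"] == "JOIN":
            joined[src].add(chan)
            first_seen.setdefault(src, m["ts"])
        elif "password" in (m["text"] or "").lower():
            notices.add(src)
    # A suspect joined only channels on the list; real users tend to wander.
    suspects = {s: (sorted(c), s in notices)
                for s, c in joined.items() if c <= SUSPECT_CHANNELS}
    per_hour = Counter(first_seen[s] for s in suspects)
    per_chan = Counter(ch for chans, _ in suspects.values() for ch in chans)
    return suspects, per_hour, per_chan
```

The hourly counter gives the arrival rate to compare against the "about 50 an hour" figure, and the per-channel counter shows which channel is hit hardest.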
U Eleet

Joined: 18 Jun 2003 Posts: 521 Location: IRC
Posted: Nov 17, 2003 11:16am

I haven't seen these yet, and usually whenever there is something like this my network tends to get hit too (well, they all do, but on a smaller network you notice them a lot quicker!)
Howard none

Joined: 16 Nov 2003 Posts: 34
Posted: Nov 17, 2003 12:06pm

U wrote:
> I haven't seen these yet, and usually whenever there is something like this my network tends to get hit too (well, they all do, but on a smaller network you notice them a lot quicker!)

Yeah, that it is.
Howard none

Joined: 16 Nov 2003 Posts: 34
Posted: Nov 18, 2003 2:59pm

New info: it appears that the behavior is consistent with Symantec's writeup of W32.HLLW.Bereb - or a derivative thereof.
Fizzer all over again.
U Eleet

Joined: 18 Jun 2003 Posts: 521 Location: IRC
Posted: Nov 18, 2003 6:04pm

Actually it's the same continued idiocy - people continue to accept files or open emails with attachments from people they don't know.
People just don't learn.
Howard none

Joined: 16 Nov 2003 Posts: 34
Posted: Nov 18, 2003 6:47pm

Idiocy on the part of the users, certainly - but there's more to the deal.
Turns out that bdsm-net wasn't the target. Someone else was the target - and I guess to stay within the guidelines here I'll have to keep the name to myself - at least openly.
But when *they* got hit, they decided that it wasn't worth their trouble to deal with the attack. Instead they pointed irc.......net in their DNS server to another irc system, one that they had no connection whatever with.
Naturally that particular server choked, and managed to find out where the choke was coming from. So instead of null-routing their irc.......net DNS entry, they pointed it at us.
Really, really nice people out there in joisey.
Jason SearchIRC Developer

Joined: 03 May 2003 Posts: 1484 Location: Tampa, FL
Posted: Nov 18, 2003 8:26pm

Howard,
We'd like to know the name of the network.
BTW, network names are allowed to be mentioned, just not in the SUBJECT of an initial post on all forums except 'Network announcements'.
I hope that makes sense :)
Howard none

Joined: 16 Nov 2003 Posts: 34
Posted: Nov 18, 2003 9:16pm

weaklinks.net
They nulled out the DNS entry, but managed to pump 2gb of meaningless traffic into me before they did.
Got *no* idea of what they managed to pound into the other victim.
Admin said 'I don't control it' first, then 'they're just bottlers, they are valid irc clients'.
Yeah, right. Like I'm going to put up with 10,000 drones on a purpose-built net. Got no problem at all with a lot of real people coming in to pursue an interest - that's what the place is for. But maybe it's time to start thinking about registering folks first.
Jason SearchIRC Developer

Joined: 03 May 2003 Posts: 1484 Location: Tampa, FL
Posted: Nov 18, 2003 9:20pm

Ah, that's funny.
Our software detected a network merge (e.g., your channel list matched theirs), and it attributed Weaklinks to having merged with your network.
In fact, all that happened was they routed their traffic to you.
Either way, we do not list networks that point their DNS to other networks, simply because it screws up the channel listings.
I'll go ahead and update the weaklinks info (so it doesn't say it merged with bdsm-net).
http://searchirc.com/network/WeakLinks
Howard none

Joined: 16 Nov 2003 Posts: 34
Posted: Nov 19, 2003 7:24am

Jason wrote:
> Ah, that's funny.
> Our software detected a network merge (e.g., your channel list matched theirs), and it attributed Weaklinks to having merged with your network.

<<several lines of text deleted before submission, indicating that some folks have ancestry and personal habits that are rather remarkable, expressed in terms that take many years of arduous sea duty to learn >>
Suffice to say that there isn't, and *won't* be any kind of a connection between bdsm-net and weaklinks, as long as I or any of the current admin crew at bdsm-net have anything to do with the operation.
'Nuff said.