|
|
| Author |
Message |
Willaim Idler

Joined: 27 Jun 2003 Posts: 323 Location: IRC
|
Posted: Aug 11, 2009 1:16am Post subject: |
|
|
Yea, I added "spamfilter yes;" to nickserv and chanserv aliases..didn't work..
either the bot's using a new pass or doing something differently
I don't have a way to spy on it so I can't see what commands it issues upon connecting... damn privacy policy! |
|
|
 |
Jobe Eleet

Joined: 30 Jul 2006 Posts: 526 Location: Lurking in the shadows of some random channel!
|
Posted: Aug 11, 2009 3:00am Post subject: |
|
|
| Willaim wrote: | Yea, I added "spamfilter yes;" to nickserv and chanserv aliases..didn't work..
either the bot's using a new pass or doing something differently
I don't have a way to spy on it so I can't see what commands it issues upon connecting... damn privacy policy! |
Run services in debug mode, you can then class it as debugging, and get away with it. |
|
|
 |
maddog906 Lurker

Joined: 08 Mar 2005 Posts: 164
|
|
|
 |
Willaim Idler

Joined: 27 Jun 2003 Posts: 323 Location: IRC
|
Posted: Aug 12, 2009 1:55am Post subject: |
|
|
I turned Debug on and saw no mention of the spammer privmsg'ing NickServ.
It simply connects, joins a bunch of channels, spams the channels, parts each channel, changes nick, repeats. |
|
|
 |
Trixar_za Eleet

Joined: 10 Dec 2006 Posts: 613 Location: South Africa
|
Posted: Aug 12, 2009 2:07am Post subject: Re: its come back as a new name/place/etc |
|
|
For that I would just spamfilter mIRC.rar, because this seems the defining factor. |
|
|
 |
Jobe Eleet

Joined: 30 Jul 2006 Posts: 526 Location: Lurking in the shadows of some random channel!
|
Posted: Aug 12, 2009 4:47am Post subject: Re: its come back as a new name/place/etc |
|
|
| Trixar_za wrote: | | For that I would just spamfilter mIRC.rar, because this seems the defining factor. |
Unfortunately there are some spammed links that don't include mIRC.rar |
|
|
 |
Trixar_za Eleet

Joined: 10 Dec 2006 Posts: 613 Location: South Africa
|
Posted: Aug 12, 2009 7:26am Post subject: Re: its come back as a new name/place/etc |
|
|
| Jobe wrote: | | Trixar_za wrote: | | For that I would just spamfilter mIRC.rar, because this seems the defining factor. |
Unfortunately there are some spammed links that don't include mIRC.rar |
Good point. I've never experienced an independent bot attack, so I'm kind of in the dark to its M.O. There has to be a pattern to how it works though (hopefully anyway). Let me dig through the code and see what I can fish up.
EDIT: Bleh, PingBad provide me with the newest copy of this. I still have an old version floating around on my hard drive (somewhere), but it won't be much use with the new one |
|
|
 |
Jobe Eleet

Joined: 30 Jul 2006 Posts: 526 Location: Lurking in the shadows of some random channel!
|
Posted: Aug 12, 2009 9:47am Post subject: Re: its come back as a new name/place/etc |
|
|
| Trixar_za wrote: | | Good point. I've never experienced an independent bot attack, so I'm kind of in the dark to its M.O. There has to be a pattern to how it works though (hopefully anyway). Let me dig through the code and see what I can fish up. |
Oh there's a C&C channel where you can find all the active bots and independant himself.
As for you never being attacked, you're lucky, one network I /oper on gets 24 per hour (that's 24 caught by BOPM, usually none get through) |
|
|
 |
Willaim Idler

Joined: 27 Jun 2003 Posts: 323 Location: IRC
|
Posted: Aug 12, 2009 10:15am Post subject: |
|
|
What DNSBL? Because I have maybe 1 get blocked by BOPM, and the rest get through.
Here's an example of the latest one we got: http://pastebin.com/m2dffe8b1 |
|
|
 |
Willaim Idler

Joined: 27 Jun 2003 Posts: 323 Location: IRC
|
|
|
 |
Jobe Eleet

Joined: 30 Jul 2006 Posts: 526 Location: Lurking in the shadows of some random channel!
|
Posted: Aug 13, 2009 6:50am Post subject: |
|
|
| Willaim wrote: | | What DNSBL? |
DroneBL, SwiftBL, EFNet's BL, AHBL, njabl and proxybl on the network where the bots can't get through. Most are caught by dronebl and swiftbl, then efnet's bl |
|
|
 |
Willaim Idler

Joined: 27 Jun 2003 Posts: 323 Location: IRC
|
Posted: Aug 13, 2009 9:57am Post subject: |
|
|
| Can I get an example for AHBL and NJABL? I can't find one on their sites.. |
|
|
 |
maddog906 Lurker

Joined: 08 Mar 2005 Posts: 164
|
Posted: Aug 13, 2009 12:21pm Post subject: the address is (real google it) |
|
|
http://www.dnsbl.org/
or
here for bopm config,
blacklist {
    name = "virbl.dnsbl.bit.nl";
    type = "A record reply";
    ban_unknown = no;
    reply {
        1 = "TOR";
    };
    kline = "KLINE *@%h :TOR exit node found. Visit http://virbl.dnsbl.bit.nl/?i=%i for info.";
};
blacklist {
    name = "dnsbl.swiftbl.net";
    type = "A record reply";
    reply {
        2 = "SOCKS Proxy";
        3 = "IRC Proxy";
        4 = "HTTP Proxy";
        5 = "IRC Drone";
        6 = "TOR";
    };
    ban_unknown = no;
    kline = "KLINE *@%h :Your host is listed in SwiftBL. For further information and removal visit http://swiftbl.net/lookup";
};
there are many more
http://www.dronebl.org/docs/howtouse |
|
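Added example (not part of any post in this thread, and not BOPM's own code): a sketch of how an "A record reply" blacklist block like the two above is evaluated, so the reply maps and ban_unknown can be checked against test addresses before relying on them. It assumes the reply code is the last octet of a returned 127.0.0.x address; the function names, the resolver callback and the sample DNS answers are constructed for illustration.

```python
import ipaddress

# Reply maps copied from the blacklist blocks posted above.
BLACKLISTS = {
    "virbl.dnsbl.bit.nl": {"reply": {1: "TOR"}, "ban_unknown": False},
    "dnsbl.swiftbl.net": {
        "reply": {2: "SOCKS Proxy", 3: "IRC Proxy", 4: "HTTP Proxy",
                  5: "IRC Drone", 6: "TOR"},
        "ban_unknown": False,
    },
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone (192.0.2.10 -> 10.2.0.192.<zone>)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers, reply_map, ban_unknown):
    """Map each A record's last octet to a label from the reply block."""
    hits = []
    for answer in answers:
        addr = ipaddress.IPv4Address(answer)
        if addr not in LOOPBACK:
            continue  # design choice here: a dead or wildcarded zone must not cause bans
        code = int(addr) & 0xFF
        if code in reply_map:
            hits.append(reply_map[code])
        elif ban_unknown:
            hits.append("unknown (%d)" % code)
    return hits

def check(ip, resolve):
    """resolve(name) returns a list of A record strings, [] when not listed."""
    listed = {}
    for zone, cfg in BLACKLISTS.items():
        answers = resolve(query_name(ip, zone))
        hits = classify(answers, cfg["reply"], cfg["ban_unknown"])
        if hits:
            listed[zone] = hits
    return listed

# Constructed sample answers standing in for real DNS, so this runs offline.
SAMPLE_DNS = {
    "10.2.0.192.dnsbl.swiftbl.net": ["127.0.0.5"],       # listed as IRC Drone
    "7.100.51.198.dnsbl.swiftbl.net": ["127.0.0.9"],     # code missing from reply block
    "7.100.51.198.virbl.dnsbl.bit.nl": ["203.0.113.1"],  # non-loopback answer
}

def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])
```

For live lookups, pass a resolver that wraps socket.gethostbyname_ex and returns an empty list on socket.gaierror.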
|
 |
Trixar_za Eleet

Joined: 10 Dec 2006 Posts: 613 Location: South Africa
|
Posted: Aug 13, 2009 1:13pm Post subject: |
|
|
Yay, finally got attacked, but no script, only an exe file and a proxy list - did they modify the exe file? |
|
|
 |
Willaim Idler

Joined: 27 Jun 2003 Posts: 323 Location: IRC
|
Posted: Aug 14, 2009 1:33am Post subject: Re: the address is (real google it) |
|
|
| maddog906 wrote: | | name = "virbl.dnsbl.bit.nl"; |
Added.
Anyone have one for AHBL and NJABL? |
|
|
 |
|