Jobe Eleet

Joined: 30 Jul 2006 Posts: 526 Location: Lurking in the shadows of some random channel!
Posted: Aug 14, 2009 7:30am Post subject: Re: the address is (real google it)
| Willaim wrote: | | Anyone have one for AHBL and NJABL? |
I don't have access to the NJABL config but here's AHBL blocks (careful on the kline syntaxes though, the ones pasted are Nefarious ZLINE's):
Code:
blacklist {
    name = "dnsbl.ahbl.org";
    type = "A record reply";
    reply {
        2 = "open relay - mail";
        3 = "open proxy";
        10 = "shoot on sight";
        14 = "Compromised System - ddos drone/bot infected";
        15 = "Compromised System - relay";
        16 = "Compromised System - autorooter/scanner";
        17 = "Compromised System - worm or mass mailing virus";
        18 = "Compromised System - misc virus";
        19 = "open proxy";
        127 = "other";
    };
    ban_unknown = no;
    kline = "ZLINE +%i * 1d :%n, You are in the AHBL.org DNSBL. Please visit http://www.ahbl.org/tools/lookup.php?ip=%i";
};
blacklist {
    name = "ircbl.ahbl.org";
    type = "A record reply";
    reply {
        2 = "abusive host";
    };
    ban_unknown = no;
    kline = "ZLINE +%i * 1d :%n, Your IP is in the ircbl.ahbl.org DNSBL";
};
blacklist {
    name = "tor.ahbl.org";
    type = "A record reply";
    reply {
        2 = "tor node";
    };
    ban_unknown = no;
    kline = "ZLINE +%i * 1d :%n, Your IP is in the tor.ahbl.org DNSBL";
};
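How an `A record reply` blacklist entry like the one above is evaluated, as an added Python example that is not part of the post and not BOPM's own code: the client IP is reversed and queried under the zone, and the last octet of the returned A record selects the entry in the `reply` table, with `ban_unknown = no` meaning unlisted codes are let through. The function names, the 127.0.0.0/8 sanity check and the sample answers (constructed, on documentation-range addresses) are assumptions introduced here; the resolver is injectable so the logic runs offline.

```python
import ipaddress
import socket

# Reply table copied from the dnsbl.ahbl.org block in the post above.
AHBL = {
    "name": "dnsbl.ahbl.org",
    "reply": {2: "open relay - mail", 3: "open proxy", 10: "shoot on sight",
              14: "Compromised System - ddos drone/bot infected",
              15: "Compromised System - relay",
              16: "Compromised System - autorooter/scanner",
              17: "Compromised System - worm or mass mailing virus",
              18: "Compromised System - misc virus",
              19: "open proxy", 127: "other"},
    "ban_unknown": False,
}

def query_name(ip, zone):
    """IPv4 DNSBL query name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None when the lookup fails (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check(ip, bl, resolve=system_resolver):
    """Return the ban reason for ip, or None if it should be let through."""
    answer = resolve(query_name(ip, bl["name"]))
    if answer is None:
        return None                      # not listed
    addr = ipaddress.IPv4Address(answer)
    # Assumption added here: ignore answers outside 127.0.0.0/8, which are
    # not DNSBL result codes (for example a parked or redirected zone).
    if addr not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    code = int(addr) & 0xFF              # last octet selects the reply entry
    if code in bl["reply"]:
        return bl["reply"][code]
    return "unknown" if bl["ban_unknown"] else None

# Constructed answers standing in for DNS (192.0.2.0/24 is documentation space).
SAMPLE_ZONE = {
    "10.2.0.192.dnsbl.ahbl.org": "127.0.0.14",   # listed as a drone
    "11.2.0.192.dnsbl.ahbl.org": "127.0.0.99",   # code not in the reply table
}
```

Passing `SAMPLE_ZONE.get` as `resolve` exercises the three cases: a listed code, an unlisted code that `ban_unknown = no` ignores, and an address with no record at all.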

Willaim Idler

Joined: 27 Jun 2003 Posts: 323 Location: IRC
Posted: Aug 14, 2009 8:45am Post subject:
Thank you!

Willaim Idler

Joined: 27 Jun 2003 Posts: 323 Location: IRC
Posted: Aug 16, 2009 12:50am Post subject:
Anyone make any progress on this? I've added those DNSBL's and it seems EfnetRBL is taking care of 99% of the bots...
I want to try and get rid of all the spamfilters we have, since they're not helping except for the 1% getting through (one a day now?)

PingBad Post Whore

Joined: 05 Feb 2005 Posts: 3001 Location: New Zealand
Posted: Aug 16, 2009 2:21am Post subject:
latest link: http://asapload.com/235547 calls itself psyBNC.rar... interesting
It's now using PRIVMSG :\001ACTION <spam> <link>\001 in channel...and as I write this... more spam...You can bet your blue blazer it's the same damn download
At least I have a printer where I am, so yes, I will have a look at this latest incarnation in more detail

PingBad Post Whore

Joined: 05 Feb 2005 Posts: 3001 Location: New Zealand
Posted: Aug 16, 2009 3:10am Post subject:
Heh, the writer of this latest incarnation must be getting pretty damn stupid - right in the latest file is a list of every spamtext it's using (psyBNC-2.0.2-2\system\files\m.ax)
Code:
Download psyBNC f0r !w1ndoze! LOL Here:
Get this good script
You really should download this:
Nice software!
OMG LOOK!!
This is the best script in the world! GET IT NOW!
WTF
HAHAHA!!!
LOL
:D
:)
:O
Download
donl0ad
Did you ever heard of this thing?
Hey look here:
Fine program
heh nice software here
psyBN© Here!
This thing rocks!!!
/!\
Noobs HAHAHA
If you are addicted to irc you should look at that code
hey this guy owns!
if you get that DOWNLOAD IT ITS GUD!!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Owned!
Noobs!
PwN3D!
lol
l0l
hey whats this?
here i wanna show u dat
hey that links pretty cool
hey what do ya think o dat?
Pretty cool huh ?
NICE
WONDERFUL
123 HOP!
Ever wanted to register mIRC and never could?
Thats SICK!
!!!!!!!!!!!!!!!!!
I think you hate me
DONT DOWNLOAD, of course you can...
Need trojan?
I NEED MORE BOTS PLEASE
Install this on a couple computers for me!
MassHack
HACK teh planet!
and every URL it's spamming with (s.ax)
Code:
http://uploadmirrors.com/download/0ERWT4FL/psyBNC_1.rar
http://uploadmirrors.com/download/0UB8W5RD/psyBNC_2.rar
http://rapidshare.com/files/267916976/psyBNC.rar
http://qooy.com/files/VSJMOD7R/psyBNC.rar
http://qooy.com/files/0NBHWHXR/psyBNC_1.rar
http://www.share-online.biz/download.php?id=7A9ZKGOKYR0
Granted these are short-term measures. One thing I have noticed is that this script opens a psyBNC clone on port 31337 or 1337 (with the former being preferred) and a default password of "temp" (do note that the author/skiddy may change the password at any time, so this may not be entirely useful in every case)

maddog906 Lurker

Joined: 08 Mar 2005 Posts: 164
Posted: Aug 16, 2009 10:31am Post subject: I HATE TO SAY
after downloading the script that they are using,
NOW that the script can be downloaded by almost everyone,
it can be made by anyone with a bit of irc scripting know-how,
the main part of the program was done a good few years ago, with ircproxy, someone just added the mirc 6.21 (update version) and then someone else has added the psyBNC to it, just take time to read the programs and you will see it's not all done by one person.
as PINGBAD and a few others that have taken the script apart,
the only way to stop it in the short run is,
get BOPM
NEOSTATS
or a good proxy scanning bot.
because the bot is scanning all known proxy sites
etc
i can sit here all day showing them,
it can be started and stopped at any time,
and can be run on a windows box so you can be hit any time at any day.
The only thing i like about this script is the proxy scanning, it will help to kill off the bots that use sockets 4 and 5 ports, kill them once you will kill them all forever.
well here is the proxy port list it has already,
this is a start.
sockopen scan $+ $r(0,99999999999999) $1 9090
sockopen scan $+ $r(0,99999999999999) $1 80
sockopen scan $+ $r(0,99999999999999) $1 8080
sockopen scan $+ $r(0,99999999999999) $1 8118
sockopen scan $+ $r(0,99999999999999) $1 3129
sockopen scan $+ $r(0,99999999999999) $1 8089
sockopen scan $+ $r(0,99999999999999) $1 6649
sockopen scan $+ $r(0,99999999999999) $1 1111
sockopen scan $+ $r(0,99999999999999) $1 808
sockopen scan $+ $r(0,99999999999999) $1 8088
sockopen scan $+ $r(0,99999999999999) $1 707
sockopen scan $+ $r(0,99999999999999) $1 3128
sockopen scan $+ $r(0,99999999999999) $1 6588
sockopen scan $+ $r(0,99999999999999) $1 7212
sockopen scan $+ $r(0,99999999999999) $1 8888
sockopen scan $+ $r(0,99999999999999) $1 8000
sockopen scan $+ $r(0,99999999999999) $1 8008
sockopen scan $+ $r(0,99999999999999) $1 8001
sockopen scan $+ $r(0,99999999999999) $1 8081
sockopen scan $+ $r(0,99999999999999) $1 443
sockopen scan $+ $r(0,99999999999999) $1 8800
sockopen scan $+ $r(0,99999999999999) $1 444
sockopen scan $+ $r(0,99999999999999) $1 445
sockopen scan $+ $r(0,99999999999999) $1 553
sockopen scan $+ $r(0,99999999999999) $1 554
sockopen scan $+ $r(0,99999999999999) $1 8808
sockopen scan $+ $r(0,99999999999999) $1 81
sockopen scan $+ $r(0,99999999999999) $1 1337
sockopen scan $+ $r(0,99999999999999) $1 31337
sockopen s5chk $+ $r(0,9999999) $1 1080
sockopen s4chk $+ $r(0,9999999) $1 1080
sockopen s5chk $+ $r(0,9999999) $1 1025
sockopen s4chk $+ $r(0,9999999) $1 1025
sockopen s4chk $+ $r(0,9999999) $1 1337
sockopen s5chk $+ $r(0,9999999) $1 1337
sockopen s4chk $+ $r(0,9999999) $1 31337
sockopen s5chk $+ $r(0,9999999) $1 31337
sockopen s4chk $+ $r(0,9999999) $1 9050
sockopen s5chk $+ $r(0,9999999) $1 9050
sockopen s5chk $+ $r(0,9999999) $1 25552
sockopen s5chk $+ $r(0,9999999) $1 29991
sockopen s5chk $+ $r(0,9999999) $1 27771
sockopen s5chk $+ $r(0,9999999) $1 443
sockopen s5chk $+ $r(0,9999999) $1 444
sockopen s5chk $+ $r(0,9999999) $1 554
sockopen s5chk $+ $r(0,9999999) $1 553
this will kill off the lazy irc flood.
HAPPY ENDING.

Willaim Idler

Joined: 27 Jun 2003 Posts: 323 Location: IRC
Posted: Aug 16, 2009 1:47pm Post subject:
Had one get through BOPM today:
-Aandreita__camara:#class- Noobs! h**p://www.mirrorcreator.com/files/9BJLF7DJ/psyBNC_1.rar_links
<Aandreita__camara> Pretty cool huh ? h**p://www.mirrorcreator.com/files/9BJLF7DJ/psyBNC_1.rar_links
(Links censored)

Jobe Eleet

Joined: 30 Jul 2006 Posts: 526 Location: Lurking in the shadows of some random channel!
Posted: Aug 17, 2009 7:27am Post subject:
| PingBad wrote: | | Code: | http://uploadmirrors.com/download/0ERWT4FL/psyBNC_1.rar
http://uploadmirrors.com/download/0UB8W5RD/psyBNC_2.rar
http://rapidshare.com/files/267916976/psyBNC.rar
http://qooy.com/files/VSJMOD7R/psyBNC.rar
http://qooy.com/files/0NBHWHXR/psyBNC_1.rar
http://www.share-online.biz/download.php?id=7A9ZKGOKYR0 |
|
Your s.ax is different from the one I saw. Plus the last copy of the script I got, pointed the C&C channel at a channel that has according to the topic been shut down by the IRC network it's hosted on and no sign of the botmaster (whose nick is known to most of us anyway)

Incognito none

Joined: 01 Aug 2009 Posts: 41
Posted: Aug 17, 2009 8:36am Post subject:
| Jobe wrote: | | PingBad wrote: | | Code: | http://uploadmirrors.com/download/0ERWT4FL/psyBNC_1.rar
http://uploadmirrors.com/download/0UB8W5RD/psyBNC_2.rar
http://rapidshare.com/files/267916976/psyBNC.rar
http://qooy.com/files/VSJMOD7R/psyBNC.rar
http://qooy.com/files/0NBHWHXR/psyBNC_1.rar
http://www.share-online.biz/download.php?id=7A9ZKGOKYR0 |
|
Your s.ax is different from the one I saw. Plus the last copy of the script I got, pointed the C&C channel at a channel that has according to the topic been shut down by the IRC network it's hosted on and no sign of the botmaster (whos nick is known to most of us anyway) |
what network and nick?

Trixar_za Eleet

Joined: 10 Dec 2006 Posts: 613 Location: South Africa
Posted: Aug 17, 2009 1:07pm Post subject:
| Jobe wrote: | | PingBad wrote: | | Code: | http://uploadmirrors.com/download/0ERWT4FL/psyBNC_1.rar
http://uploadmirrors.com/download/0UB8W5RD/psyBNC_2.rar
http://rapidshare.com/files/267916976/psyBNC.rar
http://qooy.com/files/VSJMOD7R/psyBNC.rar
http://qooy.com/files/0NBHWHXR/psyBNC_1.rar
http://www.share-online.biz/download.php?id=7A9ZKGOKYR0 |
|
Your s.ax is different from the one I saw. Plus the last copy of the script I got, pointed the C&C channel at a channel that has according to the topic been shut down by the IRC network it's hosted on and no sign of the botmaster (whos nick is known to most of us anyway) |
By the Quality of the current reworking of his script, I would say that this is a different botmaster. Compared to the previous versions this one seems to have become a little more simplistic - like he suddenly lost his skill. It just seems weird to me that there has been such a large drop in the quality.

maddog906 Lurker

Joined: 08 Mar 2005 Posts: 164
Posted: Aug 17, 2009 1:46pm Post subject: hi all if
hi all if you pm me i can give you a list of the ports i have collected
socks4 and socks5 i must have over 100 ports by now,
plus i am sure you are aware there is an add-on to bopm so one bopm will scan the whole network,
but because i have a long list of proxy ports i still use a bopm per server,
well here is the code, this is for unrealirc.
/* Hybrid / Bahamut / Unreal (in HCN mode) */
connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
but please remember there are new proxy ports every day.

Trixar_za Eleet

Joined: 10 Dec 2006 Posts: 613 Location: South Africa
Posted: Aug 17, 2009 3:55pm Post subject: Re: hi all if
| maddog906 wrote: | hi all if you pm me i can give you a list of the ports i have collected
socks4 and socks5 i must have over 100 ports by now,
plus i am sure you are aware there a add-on to bopm so one bopm will scan the whole network,
but because i have a long list of proxy ports i still use a bopm per server,
well here the code this is for unrealirc.
/* Hybrid / Bahamut / Unreal (in HCN mode) */
connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
but please remember there are new proxy ports every day. |
I wouldn't go overboard maddog906. I would stick with the BOPM recommendation and have one to scan using blacklists and another for scanning ports. It should split the majority of the load (if run on different servers within the networks) and help catch more of them.
I also remember there being an addon (or was it list?) written for IRC Defender to curb this kind of Botnet - I'll have to delve into my E-mail archives and see if I can find the link or name for it again.

maddog906 Lurker

Joined: 08 Mar 2005 Posts: 164

Trixar_za Eleet

Joined: 10 Dec 2006 Posts: 613 Location: South Africa
Posted: Aug 17, 2009 4:10pm Post subject: Re: here is a quick fix
Er... did you test those first? By a quick glance I would say they won't work very well.
Why don't you just ban the hosts qooy.com, share-online.biz, uploadmirrors.com, rapidshare.com and the name psyBNC_.+rar?
EDIT: Oh and don't forget asapload.com
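The two suggestions in the post above (ban the file hosts, ban the name `psyBNC_.+rar`) compared over constructed IRC lines modelled on the spam quoted in this thread, as an added Python example that is not any poster's code. The function names, the broader `psybnc[\w.-]*\.rar` pattern, the nicks, the channel and the `files.example` host are assumptions introduced here.

```python
import re

# Hosts named in the thread (the s.ax list plus asapload.com).
BANNED_HOSTS = {"qooy.com", "share-online.biz", "uploadmirrors.com",
                "rapidshare.com", "asapload.com"}
NAME_AS_POSTED = re.compile(r"psyBNC_.+rar")              # pattern from the post
NAME_BROADER = re.compile(r"psybnc[\w.-]*\.rar", re.I)    # assumption: wider match
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)

def message_text(line):
    """Return the PRIVMSG/NOTICE text, unwrapping a CTCP ACTION if present."""
    m = re.match(r"(?::\S+ )?(?:PRIVMSG|NOTICE) \S+ :(.*)", line)
    if not m:
        return None
    text = m.group(1)
    if text.startswith("\x01ACTION "):
        text = text[len("\x01ACTION "):].rstrip("\x01")
    return text

def verdict(line):
    """Report which of the three rules fire on one raw IRC line."""
    text = message_text(line) or ""
    hosts = {re.sub(r"^www\.", "", h.lower()) for h in URL_HOST.findall(text)}
    return {
        "host": bool(hosts & BANNED_HOSTS),
        "name_as_posted": bool(NAME_AS_POSTED.search(text)),
        "name_broader": bool(NAME_BROADER.search(text)),
    }

# Constructed lines: the spam text and first two URLs come from the thread,
# the third URL uses a made-up host that is not on the ban list.
SAMPLES = [
    ":bot1!u@h PRIVMSG #chan :\x01ACTION Nice software! http://asapload.com/235547\x01",
    ":bot2!u@h PRIVMSG #chan :LOL http://rapidshare.com/files/267916976/psyBNC.rar",
    ":bot3!u@h NOTICE #chan :Noobs! http://files.example/9BJLF7DJ/psyBNC_1.rar_links",
    ":user!u@h PRIVMSG #chan :anyone running psyBNC on freebsd?",
]
```

On these samples the host list misses the new mirror and the pattern as posted misses the plain `psyBNC.rar` names (no underscore), so neither rule covers the thread's examples on its own.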

PingBad Post Whore

Joined: 05 Feb 2005 Posts: 3001 Location: New Zealand
Posted: Aug 18, 2009 2:38am Post subject:
| Trixar_za wrote: | | Jobe wrote: | | PingBad wrote: | | Code: | http://uploadmirrors.com/download/0ERWT4FL/psyBNC_1.rar
http://uploadmirrors.com/download/0UB8W5RD/psyBNC_2.rar
http://rapidshare.com/files/267916976/psyBNC.rar
http://qooy.com/files/VSJMOD7R/psyBNC.rar
http://qooy.com/files/0NBHWHXR/psyBNC_1.rar
http://www.share-online.biz/download.php?id=7A9ZKGOKYR0 |
|
Your s.ax is different from the one I saw. Plus the last copy of the script I got, pointed the C&C channel at a channel that has according to the topic been shut down by the IRC network it's hosted on and no sign of the botmaster (whos nick is known to most of us anyway) |
By the Quality of the current reworking of his script, I would say that this is a different botmaster. Compared to the previous versions this one seems to have become a little more simplistic - like he suddenly lost his skill. It just seems weird to me that there has been such a large drop in the quality. |
Hrm, I'm only guessing here, but it may appear that someone else has picked up on the original author's work (I did notice that the user access list had significantly changed from the last version I pulled apart) and is using it for their own ends (as skiddies do, of course)