Some annoying bots

Jedi · none Joined: 07 Jul 2003 Posts: 26

ed, that script does work with the mods done by skerg as I have it running on a seperate mirc on our network.
I have the mirc in common channels that the drone was going into, and so far to this date, I think it has killed at least 10 of the bots off our network.

Our coder is gonna try to code it into our services also.

Terry · none Joined: 17 Jul 2003 Posts: 28

I would like to take a glance at the code for that bot if you don't mind sharing tiko...

Terry · none Joined: 17 Jul 2003 Posts: 28

Never mind tiko I seen it in your channel topic :wink:

tiko · none Joined: 24 Sep 2003 Posts: 49

Is right here: http://www.7sinz.net/spambot/spambot.txt

This is just the script, I'm not posting the executable.

Guest

Howard · none Joined: 16 Nov 2003 Posts: 34

Appears to be two variants of this. One uses a domain name in the real name field - .com .org .net .ca are the ones seen so far, some are real, most are bogus.

The other variant uses a varying length real name field, all alpha, sometimes mixed-case.

I've been just setting shuns on them whenever they appear, timed to expire in three hours. There aren't enough hitting simultaneously to load the machine.

Jason · Posted: Nov 16, 2003 12:31pm Post subject:

Anyone logging the websites that are being spammed, and contacting providers about getting them shut down?

tiko · none Joined: 24 Sep 2003 Posts: 49

Hey Jason,

have a look at the script. The addy it spams is actually the infected machine. http://my.real.host.com:random port/me.mpg

Jason · Posted: Nov 16, 2003 7:15pm Post subject:

Ah, I see. For some reason I was under the impression that the script was being run by a spammer to get users to go to a spam website. It looks like this script is basically a typical IRC trojan/virus that tries to spread itself to others.

RejiMC · Guest

Using SecureServ (from http://www.neostats.net) helps akill these bots automatically. Its working fine on our servers.

tigger · Guest

Hey the only way to get rid of them to to change your IP Address you can set up neostats to Gline them but the only sure cure for right now is to change the IP also you might want to change the alias for you IRCD as well since in the .ini file the bot uses to connect has your irc.yournetwork.net and your IP in its file we had the same problem with the bots as you are haveing we changed our domain alias and our IP and they are gone .... if you need any more info stop by my server irc.nothingbutstyle.net or give me an email admin@nothingbutstyle.net Smile

Tigger

U · Eleet Joined: 18 Jun 2003 Posts: 521 Location: IRC

BTW, I believe the server list for these didn't come from any IRC site-I think its the current mIRC servers.ini, which means this thing was unleashed very recently, as I recall a new servers.ini coming out right before the new release of mIRC.

These seem to be increasing also. Besides the script, I think awareness needs to be raised again to all users to NOT click any url they recieve-because if the number of these is going up, that means people are getting infected by clicking.

Maybe mIRC needs to come up with something that when a url is posted into a channel, it gets munged, or something similar, and make that warning box that pops up come up every time-not have the ability to turn it off, so maybe people will think before clicking. I have a feeling most people turned it off the first time they saw it and are now forgetting about the warning it provided.

These things will keep getting made and posted as long as people continue to click on anything they get Smile

tiko · none Joined: 24 Sep 2003 Posts: 49

I disagree. mIRC doesn't add networks with >300 users to its servers.ini, and there are several listed with less than 100, included mine.

Mary · SearchIRC Admin Joined: 03 May 2003 Posts: 696

tigger, that also keeps users off your network - and its only good until the next servers.ini list is out. Then your information is updated and you are open to the abuse du jour.

Michael · none Joined: 18 May 2003 Posts: 48

Plus, as I replied to him, changing a domain isn't exactly free Wink