simos none

Joined: 21 Nov 2003 Posts: 4
Posted: Nov 21, 2003 1:15pm Post subject: I've fixed my script for IRCop

I've fixed my script; it now works with all 3 symbols:
; 123, 125 and 124 are the character codes of the left brace, right brace and pipe
on *:snotice:*: {
  if ($chr(123) isin $6) || ($chr(125) isin $6) || ($chr(124) isin $6) {
    .kill $6 Possible Trojan.
  }
  else { halt }
}
I know that it kills anyone who uses the {}\ symbols; in fact it could be usable by a little net like mine with not many users, but I say "possible trojan" and not "trojan detected". This spambot is very annoying: 30-40 private messages in a day!!! Has anyone found another way to detect it?
bye Simos
 |
zeke Idler

Joined: 04 Oct 2003 Posts: 334
Posted: Nov 21, 2003 5:25pm Post subject:

I'll tell you right now that the bot list didn't come from here.
I'm responsible for two servers, one is listed here, one isn't, and ironically the one that isn't listed is the only one getting hit.
We fixed the problem by SQLining characters:
*{*
*\*
*`*
*^*
*}*
*]*
*[*
*__* (note, 2 _'s)
*|*
The few that these miss get hit by SecureServ (NeoStats module).
 |
U Eleet

Joined: 18 Jun 2003 Posts: 521 Location: IRC
Posted: Nov 21, 2003 7:17pm Post subject:

Course, by doing that you deny users the ability to use those characters in nicks.
I didn't do that because I do have some legit people who do use those characters. I just use a modified script that gets anyone with those characters who doesn't stay in a channel for more than 10 seconds, since the bots join, grab a list of who is in the channel, then part quickly, then spam.
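
The heuristic described in the post above (a nick that matches the special-character masks and also leaves a channel within 10 seconds), next to the mask list on its own, as an added Python example that is not from the thread or from any poster's script. The event tuple format, the function names and the sample events are assumptions constructed for illustration; the bot-style nick is the one from the server notices posted later in this thread.

```python
import re

# Nick masks from the SQLine list quoted earlier in the thread.
SQLINE_MASKS = ["*{*", "*\\*", "*`*", "*^*", "*}*", "*]*", "*[*", "*__*", "*|*"]
MAX_BOT_DWELL_SECONDS = 10  # "doesn't stay in a channel for more than 10 seconds"


def mask_to_regex(mask):
    """IRC-style mask to regex: '*' is any run, '?' one character, the rest literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.compile(body + r"\Z", re.DOTALL)


MASK_RES = [mask_to_regex(m) for m in SQLINE_MASKS]


def nick_matches_masks(nick):
    """True if the nick would be caught by the mask list alone."""
    return any(rx.match(nick) for rx in MASK_RES)


def find_suspects(events):
    """events: (seconds, "JOIN" or "PART", nick, channel) tuples in time order.
    Returns nicks that match a mask AND parted within MAX_BOT_DWELL_SECONDS."""
    joined_at, suspects = {}, []
    for ts, kind, nick, channel in events:
        key = (nick, channel)
        if kind == "JOIN":
            joined_at[key] = ts
        elif kind == "PART" and key in joined_at:
            dwell = ts - joined_at.pop(key)
            if dwell <= MAX_BOT_DWELL_SECONDS and nick_matches_masks(nick):
                if nick not in suspects:
                    suspects.append(nick)
    return suspects


# Constructed sample events, not captured traffic.
SAMPLE_EVENTS = [
    (0, "JOIN", "[Zed]", "#help"),     # legitimate nick with brackets
    (5, "JOIN", "}]^H{\\", "#help"),   # bot-style nick from the thread's notices
    (8, "PART", "}]^H{\\", "#help"),   # parts after 3 seconds
    (20, "JOIN", "alice", "#help"),
    (22, "PART", "alice", "#help"),    # quick part, plain nick
    (900, "PART", "[Zed]", "#help"),   # stayed 15 minutes
]

if __name__ == "__main__":
    for nick in ("[Zed]", "}]^H{\\", "alice"):
        print(nick, "mask hit:", nick_matches_masks(nick))
    print("flagged:", find_suspects(SAMPLE_EVENTS))
```

The mask list alone hits the constructed legitimate nick `[Zed]`, while the combined check flags only the nick that joined and parted within the window.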
 |
zeke Idler

Joined: 04 Oct 2003 Posts: 334
Posted: Nov 21, 2003 7:28pm Post subject:

I only added the first 5, and that was before SecureServ came into play.
I could try removing them all and see what happens.
*ponders*
 |
RejiMC none

Joined: 22 Nov 2003 Posts: 11
Posted: Nov 22, 2003 5:51am Post subject: SpamBots

You can create a channel #a (#! too if you have non-text channels) and keep a SecureServ bot in there. Additionally, you can also set confirmation by email for nick registration, which will prevent NickServ.db getting filled up with these bots.
Working fine for us.
-------------------------
irc.ablazenet.com
 |
Guest
Posted: Nov 22, 2003 8:17am Post subject:

I've looked at the code and not found that the bot is trying to work its way through channels in an alphabetical order..
Everything it does is pretty much RANDOM...
These bots are like a network's or IRC's worst enemy.
It's very well coded, coded to not be discovered by Operators on connect.. or with any command.
Only saw something for it when it works on Undernet. Could not figure it all out though.
/SaD
 |
U Eleet

Joined: 18 Jun 2003 Posts: 521 Location: IRC
Posted: Nov 22, 2003 11:16am Post subject:

I have always had confirmation on for nicks, simply because then neither I nor any other staff member can ever accidentally give a nickname password to anyone but the person who originally registered it.
I will, however, try your #a thing, see if that works; if my bot nails them then, that would be even better.
Thanks for the advice.
 |
ed SearchIRC Staff

Joined: 25 May 2003 Posts: 366 Location: Baton Rouge, LA
Posted: Nov 22, 2003 11:30pm Post subject:

Anonymous wrote:
> Everything it does is pretty much RANDOM...
> It's very well coded, coded to not be discovered by Operators on connect.. or with any command.

New versions come out very quickly. The early versions of this bot went through in alphabetical order. The new ones may not. (Although I haven't seen a newer version).
It may not be discovered on connect, but it can be caught fairly quickly using either SecureServ or my anti-spam script. For larger networks, it is harder, but it still can be fought effectively.
 |
tiko none

Joined: 24 Sep 2003 Posts: 49
Posted: Nov 23, 2003 1:44am Post subject:

[02:00] -reaper.7sinz.net- *** Notice -- Client connecting on port 6667: }]^H{\ (JTqFjVNLx@---------.hpnx.com) [clients]
[02:00] -reaper.7sinz.net- *** Global -- from NickServ: }]^H{\ attempted to register before the registration delay expired.
[02:00] -reaper.7sinz.net- *** Notice -- }]^H{\ (JTqFjVNLx@-----------.hpnx.com) has changed his/her nickname to ]^gX
[02:01] -reaper.7sinz.net- *** Notice -- Client exiting: ]^gX (JTqFjVNLx@------------.hpnx.com) [User has been killed (Advertising)]
 |
Rob none

Joined: 26 May 2003 Posts: 7 Location: IRC
Posted: Nov 23, 2003 3:41am Post subject:

Indeed the script is changing.
I've seen several of those spam bots without those non-alphabetical characters.
Just put a client with a nickname starting with an 'a' in the channel # or #a and use a little script to auto kill filter on "Come watch me on my webcam".
You pretty much get them before they spam to your users and you don't deny innocent users access to the network.
 |
U Eleet

Joined: 18 Jun 2003 Posts: 521 Location: IRC
Posted: Nov 23, 2003 10:47am Post subject:

I've parked my bot in my largest 5 channels as well as #! and #a. So far my users are only getting a spam a day or so, instead of 50 or so like they used to.
It's not foolproof, but it's working.
The major thing that is working is the fact that I'm telling any user that comes on to NOT click on it - the word is out now and users are now telling other users - and my major channels are running announcements every 10 minutes about it.
Eradication is good, but preventing the spread is even better - these will only go away once people stop clicking on them; as long as they keep doing it, they will continue to keep coming. I've also increased my gline time for them to 10 days - if you don't gline them, they return roughly every 3 hours, seems to be about the timeframe it takes for them to make the loop through the list, and they come mostly from the same addresses.
 |
newbie Guest
Posted: Nov 23, 2003 2:34pm Post subject:

It seems to join channels in the order it receives the list from the server.
 |
RejiMC none

Joined: 22 Nov 2003 Posts: 11
Posted: Nov 23, 2003 3:38pm Post subject:

The reason I think few spam bots get through is the way the /list is set on the infected machine it's bouncing from. I have #a and #! as traps; it's seen that most of the bots using a newer version on mIRC go to #a, the rest go to #!, and sometimes it gets on to the first channel with a minimum of 3 users, which is the default in /list for mIRC. So...
 |
QoQ none

Joined: 28 Oct 2003 Posts: 10
Posted: Nov 24, 2003 3:21pm Post subject: Mutants?

The newer version of these bots doesn't seem to be working through in either alphabetical order or room size. I am trying to figure out in what order they are picking which channels to join from the /list.. any ideas?? Because it will help us in choosing where to park our bots.
 |
ed SearchIRC Staff

Joined: 25 May 2003 Posts: 366 Location: Baton Rouge, LA
Posted: Nov 24, 2003 4:21pm Post subject:

In the versions I have seen, it either does:
- alphabetical
- room size
- order your server returns /list
Of course, there is probably another new version out that randomizes this. If anyone has the new version, please let me know.