maddog906 Lurker

Joined: 08 Mar 2005 Posts: 164
Posted: Aug 18, 2009 8:19am Post subject: the bopm patch
The standard bopm config as per the website
http://static.blitzed.org/www.blitzed.org/bopm/files/release/bopm.conf.sample
/* Hybrid / Bahamut / Unreal (in HCN mode) */
connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
There was a patch added on the old website which I showed above (last posted).
Sadly the patch is no longer on the bopm website,
plus I am not all that clued up about regex but getting there.
The big problem is the script-kid just has to reload a new script plus upload the psyBNC file somewhere else (millions of free-load-sites).
Trixar_za Eleet

Joined: 10 Dec 2006 Posts: 613 Location: South Africa
Posted: Aug 18, 2009 4:55pm Post subject: Re: the bopm patch
maddog906 wrote:
> The standard bopm config as per the website
> http://static.blitzed.org/www.blitzed.org/bopm/files/release/bopm.conf.sample
> /* Hybrid / Bahamut / Unreal (in HCN mode) */
> connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
> There was a patch added on the old website which I showed above (last posted).
> Sadly the patch is no longer on the bopm website,
> plus I am not all that clued up about regex but getting there.
> The big problem is the script-kid just has to reload a new script plus upload the psyBNC file somewhere else (millions of free-load-sites).

The trick with regex is to keep it as simple as possible while avoiding false positives or no matches at all. The key with this botnet at the moment is that it uses mIRC.+rar and PsyBNC.+rar, so they should be the first to be added, and since .+ matches most things, it would work well at the moment. This leaves the websites that only use reference codes (asapload.+com & share-online.+biz), so by adding those you'll catch most of the bots. Remember to add for Channel Notices, Private Notices and Channel Messages to catch most of its spam.
PingBad Post Whore

Joined: 05 Feb 2005 Posts: 3001 Location: New Zealand
Posted: Aug 18, 2009 6:49pm Post subject: Re: the bopm patch
Trixar_za wrote:
> maddog906 wrote:
> > The standard bopm config as per the website
> > http://static.blitzed.org/www.blitzed.org/bopm/files/release/bopm.conf.sample
> > /* Hybrid / Bahamut / Unreal (in HCN mode) */
> > connregex = "\\*\\*\\* Notice -- Client connecting: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
> > There was a patch added on the old website which I showed above (last posted).
> > Sadly the patch is no longer on the bopm website,
> > plus I am not all that clued up about regex but getting there.
> > The big problem is the script-kid just has to reload a new script plus upload the psyBNC file somewhere else (millions of free-load-sites).
>
> The trick with regex is to keep it as simple as possible while avoiding false positives or no matches at all. The key with this botnet at the moment is that it uses mIRC.+rar and PsyBNC.+rar, so they should be the first to be added, and since .+ matches most things, it would work well at the moment. This leaves the websites that only use reference codes (asapload.+com & share-online.+biz), so by adding those you'll catch most of the bots. Remember to add for Channel Notices, Private Notices and Channel Messages to catch most of its spam.

Part messages too. Bear in mind that if you start spamfiltering all the major filesharing sites (RapidShare, MegaUpload, etc.) you also prevent legitimate users from sharing things via the same services (it's not unheard of for channels or groups of friends to swap files via such services; they tend to have more bandwidth open to them than the users do).
Willaim Idler

Joined: 27 Jun 2003 Posts: 323 Location: IRC
Posted: Aug 19, 2009 1:19am Post subject: Re: the bopm patch
PingBad wrote:
> Bear in mind that if you start spamfiltering all the major filesharing sites (RapidShare, MegaUpload, etc.) you also prevent legitimate users from sharing things via the same services (it's not unheard of for channels or groups of friends to swap files via such services; they tend to have more bandwidth open to them than the users do).

Indeed. We have some online radio websites that have chatrooms who use such sites. It's one of the reasons I'm trying to find an alternative to blocking "megaupload.com/" etc.
maddog906 Lurker

Joined: 08 Mar 2005 Posts: 164
Posted: Aug 19, 2009 5:15am Post subject: yes i fully understand that
Yes, I fully understand that; that's why I put psyBNC._(ZIP\RAR\etc).
It's easy just to change the (whatever-name).rar etc. rather than putting the whole new website every time.
4 years ago we got hit with an ircproxy bot that was using a hide channel,
called ##botcentral; from there the bots spawned 5 at a time. There were more than two attacks; they flooded the network with their bots.
The sad story was we had to move servers and change our IRC server name, plus losing 95% of the users too. That's why I take a strong view about people or persons that have nothing better to do and sit there attacking IRC networks meaninglessly.
Jobe Eleet

Joined: 30 Jul 2006 Posts: 526 Location: Lurking in the shadows of some random channel!
Posted: Aug 19, 2009 6:37am Post subject: Re: yes i fully understand that
maddog906 wrote:
> a hide channel, called ##botcentral

I'm sorry to be pedantic, but if you think that the channel is a "hidden" channel because of its name, then you are mistaken; any decent IRC client will show a channel with ##<name> in its channel list. There is a commonly known and annoying default where mIRC hides them by default, which is ENTIRELY client side. That leaves only +p and +s as the ONLY methods to hide a channel from non-ircops.
And on that note, if the channel was indeed a +p or +s channel, and not considered hidden because of its name, then I apologise for my rant. There are just way too many people around who think that just because they can't see it in their client means that nobody else can either.
Trixar_za Eleet

Joined: 10 Dec 2006 Posts: 613 Location: South Africa
Posted: Aug 19, 2009 10:25am Post subject: Re: yes i fully understand that
Jobe wrote:
> maddog906 wrote:
> > a hide channel, called ##botcentral
>
> I'm sorry to be pedantic, but if you think that the channel is a "hidden" channel because of its name, then you are mistaken; any decent IRC client will show a channel with ##<name> in its channel list. There is a commonly known and annoying default where mIRC hides them by default, which is ENTIRELY client side. That leaves only +p and +s as the ONLY methods to hide a channel from non-ircops.
> And on that note, if the channel was indeed a +p or +s channel, and not considered hidden because of its name, then I apologise for my rant. There are just way too many people around who think that just because they can't see it in their client means that nobody else can either.

Or you could just go into mIRC's List options (ALT+L) and uncheck the box that says 'hide non-text channels'. Then even ##botcentral and #0 will show up when you type /list.

As for something to ban you can use:

Code:
    /spamfilter add cpnNPqa gzline 6h Botnet psyBNC.+(rar|zip)
    /spamfilter add cpnNPqa gzline 6h Botnet mIRC.+(rar|zip)

for now, and ban the services that don't use the actual name in the link, but rather a reference code. At the moment it's two on this list:

Code:
    /spamfilter add cpnNPqa gzline 6h Botnet asapload.+com
    /spamfilter add cpnNPqa gzline 6h Botnet share-online.+biz

Now we don't have to ban all services, but just those that use a reference code like share-online and asapload. This leaves Rapidshare and many others free to be used by the users.
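To see what the spamfilter patterns Trixar_za posted above actually catch (and the kind of false positive a bare ".+" invites, versus a legitimate RapidShare link that PingBad and Willaim want left alone), here is an added Python check that is not from the thread or from UnrealIRCd itself. It uses Python's re as an approximation of the ircd's regex matching, assumes matching is case-insensitive, and the tightened variants and sample lines are constructed for this illustration only.

```python
import re

# Spamfilter regexes exactly as posted in the thread (UnrealIRCd /spamfilter add ...).
THREAD_FILTERS = {
    "psyBNC": r"psyBNC.+(rar|zip)",
    "mIRC": r"mIRC.+(rar|zip)",
    "asapload": r"asapload.+com",
    "share-online": r"share-online.+biz",
}

# Tightened variants (an assumption of this example, not from the thread): the name
# must run without whitespace into a literal ".rar"/".zip", i.e. look like a filename.
TIGHT_FILTERS = {
    "psyBNC": r"psyBNC\S*\.(rar|zip)\b",
    "mIRC": r"mIRC\S*\.(rar|zip)\b",
    "asapload": r"asapload\.com/",
    "share-online": r"share-online\.biz/",
}

# Target letters used in the thread's commands, per UnrealIRCd's spamfilter syntax.
TARGET_LETTERS = {"c": "channel message", "p": "private message",
                  "n": "channel notice", "N": "private notice",
                  "P": "part message", "q": "quit message", "a": "away message"}


def matching_filters(message, filters):
    """Names of the filters whose regex matches; matching is assumed case-insensitive."""
    return [n for n, pat in filters.items() if re.search(pat, message, re.IGNORECASE)]


def targets_of(flags):
    """Message kinds a spamfilter target string such as 'cpnNPqa' covers."""
    return sorted(TARGET_LETTERS[f] for f in flags if f in TARGET_LETTERS)


# Constructed sample lines for this example, not real spam from the thread.
SAMPLES = {
    "bot1": "get psybnc here http://example.invalid/dl/psyBNC-2.3.1.rar",
    "bot2": "http://share-online.biz/dl/ABCD1234 (mIRC_full.zip)",
    "chat": "I prefer mIRC, it's rare to see anything else here",
    "legit": "holiday pics: http://rapidshare.com/files/123456/pics.zip",
}


def compare(samples=SAMPLES):
    """Map each sample to (hits under the thread's patterns, hits under the tightened ones)."""
    return {k: (matching_filters(m, THREAD_FILTERS), matching_filters(m, TIGHT_FILTERS))
            for k, m in samples.items()}


if __name__ == "__main__":
    for name, (loose, tight) in compare().items():
        print(f"{name:6} thread={loose} tight={tight}")
```

The "chat" line shows the cost of ".+": "mIRC ... rare" trips the posted mIRC pattern while the tightened one does not, and the RapidShare link passes both sets.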
maddog906 Lurker

Joined: 08 Mar 2005 Posts: 164
Posted: Aug 19, 2009 10:52am Post subject: no you got me all wrong
No, you got me all wrong (misunderstood).
The ## hides the channel from the /list;
we were all wet behind the ears (then)
but much wiser now.
I was just saying what happened to us 4 years ago.
maddog906 Lurker

Joined: 08 Mar 2005 Posts: 164
Posted: Aug 27, 2009 11:29am Post subject: I am happy to say
I am happy to say that the bots are still using the old website address,
people are still using the old config,
I just they keep on using that one.
GOOD LUCK EVERYONE.
AND THANKS FOR ALL THE PEOPLE THAT PUT
THE INPUT TO STOP THIS (THOSE) SPAM BOTS.