IRC Server - odd channel...

[Marlowe]

I'm the first to admit I know nothing about IRC bots and the like, but on the IRC server at the moment we have a channel with 28 odd botts in, which randomly paste things. Player alerted me to it and it does indeed seem a tad odd...

 

Here's an excerpt complete with an IP of one of the bots (which appears to be fake...).

 

[09:47:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[09:47:38] ::: Now talking in: (#xt2#)

[09:47:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[09:47:38] ::: Topic: (.ntscan 100 200 -a -b -s)

[09:47:38] ::: Set by: (asdas) on (Wednesday February 23 2005 07:56:40)

[09:47:38] ::: Users: (23), Ops: (0/0%), Halfops: (0/0%), Voiced: (0/0%), Regs: (23/100%)

[09:47:38] ::: Join synced in: (0.031) secs

[09:47:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

 

[09:48:24] * [sMFW]-328025 (~SMFW-082@222.118.65.162) has joined #xt2#

[09:48:52] * [xT]-324683 (~xT-15959@220.80.136.189) Quit (Connection reset by peer)

[09:51:40] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[09:51:40] ::: QuickInfo for ([sMFW]-296458) in (#xt2#)

[09:51:40] ::: Status: Regular

[09:51:40] ::: Address: ~SMFW-416@211.202.111.151

[09:51:40] ::: Country: Unknown

[09:51:40] ::: ComChans: #xt2#

[09:51:40] ::: Idle: 4mins

[09:51:40] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[09:52:12] * [xT]-420245 (~xT-2610@218.232.245.213) has joined #xt2#

[09:52:32] * [xT]-420245 (~xT-2610@218.232.245.213) Quit (Connection reset by peer)

[09:54:58] (xT|Scan): Abusing.. (IP): [\\211.230.203.5] (User): [000/0000]

[09:55:09] (NTScan): Exploiting.. (IP): [\\222.118.139.15] (User): [Administrator/]

[09:58:29] * [sMFW]-648446 (~SMFW-81@211-74-207-51.adsl.dynamic.seed.net.tw) has joined #xt2#

 

I was just wondering as I once again say I know nothing about these things....Are these being run by Marcus to help log errors, or are these the work of a malicious third party?

 

Apologies, but I was just overly curious...

 

Ta Dan

[player]

Heres the log... Its a bit odd... I typed in /help a coupe of times Just skip over that bit... lol

 

If I could be of further assistance, let me know.

 

Anyway... must do homework... its 12:17 am here in hawaii

or my grade will be you must open the file with notepad... its looks like a rtf file... but its not...

_xt2_.rtf

Edited February 23, 2005 by player

[greebo_Brat]

I'm the first to admit I know nothing about IRC bots and the like, but on the IRC server at the moment we have a channel with 28 odd botts in, which randomly paste things. Player alerted me to it and it does indeed seem a tad odd...

 

Here's an excerpt complete with an IP of one of the bots (which appears to be fake...).

 

[09:47:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› ›  ›

[09:47:38] ::: Now talking in: (#xt2#)

[09:47:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› ›  ›

[09:47:38] ::: Topic: (.ntscan 100 200 -a -b -s)

[09:47:38] ::: Set by: (asdas) on (Wednesday February 23 2005 07:56:40)

[09:47:38] ::: Users: (23), Ops: (0/0%), Halfops: (0/0%), Voiced: (0/0%), Regs: (23/100%)

[09:47:38] ::: Join synced in: (0.031) secs

[09:47:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› ›  ›

 

[09:48:24] * [sMFW]-328025 (~SMFW-082@222.118.65.162) has joined #xt2#

[09:48:52] * [xT]-324683 (~xT-15959@220.80.136.189) Quit (Connection reset by peer)

[09:51:40] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› ›  ›

[09:51:40] ::: QuickInfo for ([sMFW]-296458) in (#xt2#)

[09:51:40] ::: Status: Regular

[09:51:40] ::: Address: ~SMFW-416@211.202.111.151

[09:51:40] ::: Country: Unknown

[09:51:40] ::: ComChans: #xt2#

[09:51:40] ::: Idle: 4mins

[09:51:40] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› ›  ›

[09:52:12] * [xT]-420245 (~xT-2610@218.232.245.213) has joined #xt2#

[09:52:32] * [xT]-420245 (~xT-2610@218.232.245.213) Quit (Connection reset by peer)

[09:54:58] <[xT]-393651> (xT|Scan): Abusing.. (IP): [\\211.230.203.5] (User): [000/0000]

[09:55:09] <[sMFW]-328025> (NTScan): Exploiting.. (IP): [\\222.118.139.15] (User): [Administrator/]

[09:58:29] * [sMFW]-648446 (~SMFW-81@211-74-207-51.adsl.dynamic.seed.net.tw) has joined #xt2#

 

I was just wondering as I once again say I know nothing about these things....Are these being run by Marcus to help log errors, or are these the work of a malicious third party?

 

Apologies, but I was just overly curious...

 

Ta Dan

<{POST_SNAPBACK}>

 

Marlowe, those look like "zombie bots", IRC bots/trojans that run on infected PC's that allow evil doers (usually 12 to 15 year olds) to control the PC, they use IRC to send the commands to the bots.

 

I'd say someone thinks the IRC server is fairly low use so safe to use as a node in their command net. Not sure how this can be blocked though, can xt2 channel be blocked?

[Arnie]

Marcus has op control, I've sent him a PM about it as there's nothing I can do about it from here.

[Marcus]

Hey guys,

All malicious scanbots are Z-Lined :-P

 

Arnie, you can /zline too, on oper-up, which should sort this a bit for the time being.

 

M.

[Arnie]

Have got back in and will monitor things

[joeking27]

#airsoft 9 Welcome to ArniesAirsoft IRC. Stick around ! And keep it clean  http://network.mjleonard.me.uk:81/airsoft/

=== #h8m3 1

=== End of /LIST

[iNFO] Displayed 2 of 2 channels.

 

He back again.

[Marlowe]

It was him, but now he's left. I've now taken over that and #iceking, and set them to invite only + secret. Hopefully it might bug him a little when he next tries it...

[Jow]

I know subseven can be made to connect to an IRC server and create a new channel then spam info about the infected hosts.

 

Probs sometihng like that, with an IRC server as small as arnies it's a good place to hide.

[Arnie]

Yeah it was just a handy quiet place for infectious bots to hang out. Stupid really if you think about it as hiding on a busy server would make things harder to spot.

 

They don't do anything to irc anyway, but it's a nuisance so it's been dealt with accordingly.

[Jow]

People are bound to notice, I've been messing with ChanServ on the server, Basically just registered the channel, set entry message, made it keep topic, and am about to sort out entry levels giving marcus and arnie op and the regulars voice.

 

Just thought I'd post up too check if anyone minds? If you do, eitha one of you can deregister the channel and deop me etc, or I'll do it myself.

 

Just thought it would be nice to have it more organised.

 

Edit: Register your nicks with ChanServ so I can autovoice all you regulars !

Edited February 27, 2005 by Jowep

[Jow]

Above post wont let me edit.

 

Anyway, now I've got ChanServ running I'll be giving a few regulars AOP or HOP on join to try and stop the ammount of spamming and annoying people on the channel.

 

Hopefully we should be able to keep the place more organized now !

 

Oh and btw, I've made you channel owner Arnie. If you want the password (don't think it's actually needed for anything since you're owner anyway) I'll PM you it.

[Arnie]

Nah that's okay I'd just forget it anyway Feel free to PM it over just so that I can keep it in the vast archives that is my PM inbox.

[Marlowe]

I'm sorry to say, but it appears we have a similiar issue occurring again:

 

[14:12:20] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[14:12:20] ::: Now talking in: (#sd##)

[14:12:20] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[14:12:20] ::: Users: (2), Ops: (1/50%), Halfops: (0/0%), Voiced: (0/0%), Regs: (1/50%)

[14:12:20] ::: Join synced in: (0) secs

[14:12:20] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

 

[14:12:27] * joeking27 (~chatzilla@0-a-e6-4a-de-eb.hb.esol.dur.ac.uk) has joined #sd##

[14:12:52] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[14:12:52] ::: Whois report for (zywwkm)

[14:12:52] ::: Address: pretbm@1Cust5487.an4.nyc41.da.uu.net

[14:12:52] ::: Channels: @#sd##

[14:12:52] ::: Server: irc.arniesairsoft.co.uk, ArniesAirsoft IRC Server

[14:12:52] ::: Idle: 4mins 16secs, signed on 4mins 16secs ago

[14:12:52] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

 

[14:19:19] * ktdzi (~bngxx@dialup-4.130.195.140.Dial1.Houston1.Level3.net) has joined #sd##

 

Why do we seem to attract them?

Edited March 5, 2005 by Marlowe

[joeking27]

Looks we got him back, or someone similar.

 

Got a weird channel #sd## with not much going off. This guy is suspect is state side.

 

Possibly unrelated is "Lumin" who has about 6 channels going. I suspect this one is this side of the pond.

[player]

Seems hes gone now...

[joeking27]

Lumin has killed his channels, but hacker kiddies is still on.

[player]

Its invite only... o.O

[Marlowe]

It's back again...

 

[12:02:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[12:02:38] ::: Now talking in: (#sd##)

[12:02:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[12:02:38] ::: Users: (3), Ops: (1/33%), Halfops: (0/0%), Voiced: (0/0%), Regs: (2/67%)

[12:02:38] ::: Join synced in: (0.016) secs

[12:02:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

 

[12:03:27] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[12:03:27] ::: Whois report for (vgdahs)

[12:03:27] ::: Address: chanyou44@222.105.118.199

[12:03:27] ::: Channels: @#sd##

[12:03:27] ::: Server: irc.arniesairsoft.co.uk, ArniesAirsoft IRC Server

[12:03:27] ::: Idle: 1hr 57mins, signed on 1hr 57mins 2secs ago

[12:03:27] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[12:03:32] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[12:03:32] ::: Whois report for (gioue)

[12:03:32] ::: Address: yfpyp@218.49.88.133

[12:03:32] ::: Channels: #sd##

[12:03:32] ::: Server: irc.arniesairsoft.co.uk, ArniesAirsoft IRC Server

[12:03:32] ::: Idle: 1hr 3mins 49secs, signed on 1hr 3mins 47secs ago

[12:03:32] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

 

[13:28:33] * itkdl (~nufh@dialup-4.130.194.102.Dial1.Houston1.Level3.net) has joined #sd##

[13:33:45] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

[13:33:45] ::: Whois report for (itkdl)

[13:33:45] ::: Address: ~nufh@dialup-4.130.194.102.Dial1.Houston1.Level3.net

[13:33:45] ::: Channels: #sd##

[13:33:45] ::: Server: irc.arniesairsoft.co.uk, ArniesAirsoft IRC Server

[13:33:45] ::: Idle: 5mins 12secs, signed on 5mins 11secs ago

[13:33:45] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › ›

 

K-lining would seem to be good idea. That and, if it's possible, preventing such channels from being created...

Edited March 15, 2005 by Marlowe

[Arnie]

It was only back because I forgot to lock the channel last night and stop it being used.

 

If it's set to +i and there's one person in there it's most likely an admin idling to monitor anyone trying to connect.