Marlowe Posted February 23, 2005 Report Share Posted February 23, 2005 I'm the first to admit I know nothing about IRC bots and the like, but on the IRC server at the moment we have a channel with 28 odd botts in, which randomly paste things. Player alerted me to it and it does indeed seem a tad odd... Here's an excerpt complete with an IP of one of the bots (which appears to be fake...). [09:47:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [09:47:38] ::: Now talking in: (#xt2#) [09:47:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [09:47:38] ::: Topic: (.ntscan 100 200 -a -b -s) [09:47:38] ::: Set by: (asdas) on (Wednesday February 23 2005 07:56:40) [09:47:38] ::: Users: (23), Ops: (0/0%), Halfops: (0/0%), Voiced: (0/0%), Regs: (23/100%) [09:47:38] ::: Join synced in: (0.031) secs [09:47:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [09:48:24] * [sMFW]-328025 (~SMFW-082@222.118.65.162) has joined #xt2# [09:48:52] * [xT]-324683 (~xT-15959@220.80.136.189) Quit (Connection reset by peer) [09:51:40] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [09:51:40] ::: QuickInfo for ([sMFW]-296458) in (#xt2#) [09:51:40] ::: Status: Regular [09:51:40] ::: Address: ~SMFW-416@211.202.111.151 [09:51:40] ::: Country: Unknown [09:51:40] ::: ComChans: #xt2# [09:51:40] ::: Idle: 4mins [09:51:40] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [09:52:12] * [xT]-420245 (~xT-2610@218.232.245.213) has joined #xt2# [09:52:32] * [xT]-420245 (~xT-2610@218.232.245.213) Quit (Connection reset by peer) [09:54:58] (xT|Scan): Abusing.. (IP): [\\211.230.203.5] (User): [000/0000] [09:55:09] (NTScan): Exploiting.. (IP): [\\222.118.139.15] (User): [Administrator/] [09:58:29] * [sMFW]-648446 (~SMFW-81@211-74-207-51.adsl.dynamic.seed.net.tw) has joined #xt2# I was just wondering as I once again say I know nothing about these things....Are these being run by Marcus to help log errors, or are these the work of a malicious third party? Apologies, but I was just overly curious... Ta Dan Quote Link to post Share on other sites
player Posted February 23, 2005 Report Share Posted February 23, 2005 (edited) Heres the log... Its a bit odd... I typed in /help a coupe of times Just skip over that bit... lol If I could be of further assistance, let me know. Anyway... must do homework... its 12:17 am here in hawaii or my grade will be you must open the file with notepad... its looks like a rtf file... but its not... _xt2_.rtf Edited February 23, 2005 by player Quote Link to post Share on other sites
greebo_Brat Posted February 23, 2005 Report Share Posted February 23, 2005 I'm the first to admit I know nothing about IRC bots and the like, but on the IRC server at the moment we have a channel with 28 odd botts in, which randomly paste things. Player alerted me to it and it does indeed seem a tad odd... Here's an excerpt complete with an IP of one of the bots (which appears to be fake...). [09:47:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [09:47:38] ::: Now talking in: (#xt2#) [09:47:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [09:47:38] ::: Topic: (.ntscan 100 200 -a -b -s) [09:47:38] ::: Set by: (asdas) on (Wednesday February 23 2005 07:56:40) [09:47:38] ::: Users: (23), Ops: (0/0%), Halfops: (0/0%), Voiced: (0/0%), Regs: (23/100%) [09:47:38] ::: Join synced in: (0.031) secs [09:47:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [09:48:24] * [sMFW]-328025 (~SMFW-082@222.118.65.162) has joined #xt2# [09:48:52] * [xT]-324683 (~xT-15959@220.80.136.189) Quit (Connection reset by peer) [09:51:40] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [09:51:40] ::: QuickInfo for ([sMFW]-296458) in (#xt2#) [09:51:40] ::: Status: Regular [09:51:40] ::: Address: ~SMFW-416@211.202.111.151 [09:51:40] ::: Country: Unknown [09:51:40] ::: ComChans: #xt2# [09:51:40] ::: Idle: 4mins [09:51:40] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [09:52:12] * [xT]-420245 (~xT-2610@218.232.245.213) has joined #xt2# [09:52:32] * [xT]-420245 (~xT-2610@218.232.245.213) Quit (Connection reset by peer) [09:54:58] <[xT]-393651> (xT|Scan): Abusing.. (IP): [\\211.230.203.5] (User): [000/0000] [09:55:09] <[sMFW]-328025> (NTScan): Exploiting.. (IP): [\\222.118.139.15] (User): [Administrator/] [09:58:29] * [sMFW]-648446 (~SMFW-81@211-74-207-51.adsl.dynamic.seed.net.tw) has joined #xt2# I was just wondering as I once again say I know nothing about these things....Are these being run by Marcus to help log errors, or are these the work of a malicious third party? Apologies, but I was just overly curious... Ta Dan <{POST_SNAPBACK}> Marlowe, those look like "zombie bots", IRC bots/trojans that run on infected PC's that allow evil doers (usually 12 to 15 year olds) to control the PC, they use IRC to send the commands to the bots. I'd say someone thinks the IRC server is fairly low use so safe to use as a node in their command net. Not sure how this can be blocked though, can xt2 channel be blocked? Quote Link to post Share on other sites
Arnie Posted February 23, 2005 Report Share Posted February 23, 2005 Marcus has op control, I've sent him a PM about it as there's nothing I can do about it from here. Quote Link to post Share on other sites
Marcus Posted February 23, 2005 Report Share Posted February 23, 2005 Hey guys, All malicious scanbots are Z-Lined :-P Arnie, you can /zline too, on oper-up, which should sort this a bit for the time being. M. Quote Link to post Share on other sites
Arnie Posted February 23, 2005 Report Share Posted February 23, 2005 Have got back in and will monitor things Quote Link to post Share on other sites
joeking27 Posted February 24, 2005 Report Share Posted February 24, 2005 #airsoft 9 Welcome to ArniesAirsoft IRC. Stick around ! And keep it clean http://network.mjleonard.me.uk:81/airsoft/ === #h8m3 1 === End of /LIST [iNFO] Displayed 2 of 2 channels. He back again. Quote Link to post Share on other sites
Marlowe Posted February 24, 2005 Author Report Share Posted February 24, 2005 It was him, but now he's left. I've now taken over that and #iceking, and set them to invite only + secret. Hopefully it might bug him a little when he next tries it... Quote Link to post Share on other sites
Jow Posted February 25, 2005 Report Share Posted February 25, 2005 I know subseven can be made to connect to an IRC server and create a new channel then spam info about the infected hosts. Probs sometihng like that, with an IRC server as small as arnies it's a good place to hide. Quote Link to post Share on other sites
Arnie Posted February 25, 2005 Report Share Posted February 25, 2005 Yeah it was just a handy quiet place for infectious bots to hang out. Stupid really if you think about it as hiding on a busy server would make things harder to spot. They don't do anything to irc anyway, but it's a nuisance so it's been dealt with accordingly. Quote Link to post Share on other sites
Jow Posted February 27, 2005 Report Share Posted February 27, 2005 (edited) People are bound to notice, I've been messing with ChanServ on the server, Basically just registered the channel, set entry message, made it keep topic, and am about to sort out entry levels giving marcus and arnie op and the regulars voice. Just thought I'd post up too check if anyone minds? If you do, eitha one of you can deregister the channel and deop me etc, or I'll do it myself. Just thought it would be nice to have it more organised. Edit: Register your nicks with ChanServ so I can autovoice all you regulars ! Edited February 27, 2005 by Jowep Quote Link to post Share on other sites
Jow Posted February 27, 2005 Report Share Posted February 27, 2005 Above post wont let me edit. Anyway, now I've got ChanServ running I'll be giving a few regulars AOP or HOP on join to try and stop the ammount of spamming and annoying people on the channel. Hopefully we should be able to keep the place more organized now ! Oh and btw, I've made you channel owner Arnie. If you want the password (don't think it's actually needed for anything since you're owner anyway) I'll PM you it. Quote Link to post Share on other sites
Arnie Posted March 1, 2005 Report Share Posted March 1, 2005 Nah that's okay I'd just forget it anyway Feel free to PM it over just so that I can keep it in the vast archives that is my PM inbox. Quote Link to post Share on other sites
Marlowe Posted March 5, 2005 Author Report Share Posted March 5, 2005 (edited) I'm sorry to say, but it appears we have a similiar issue occurring again: [14:12:20] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [14:12:20] ::: Now talking in: (#sd##) [14:12:20] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [14:12:20] ::: Users: (2), Ops: (1/50%), Halfops: (0/0%), Voiced: (0/0%), Regs: (1/50%) [14:12:20] ::: Join synced in: (0) secs [14:12:20] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [14:12:27] * joeking27 (~chatzilla@0-a-e6-4a-de-eb.hb.esol.dur.ac.uk) has joined #sd## [14:12:52] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [14:12:52] ::: Whois report for (zywwkm) [14:12:52] ::: Address: pretbm@1Cust5487.an4.nyc41.da.uu.net [14:12:52] ::: Channels: @#sd## [14:12:52] ::: Server: irc.arniesairsoft.co.uk, ArniesAirsoft IRC Server [14:12:52] ::: Idle: 4mins 16secs, signed on 4mins 16secs ago [14:12:52] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [14:19:19] * ktdzi (~bngxx@dialup-4.130.195.140.Dial1.Houston1.Level3.net) has joined #sd## Why do we seem to attract them? Edited March 5, 2005 by Marlowe Quote Link to post Share on other sites
joeking27 Posted March 5, 2005 Report Share Posted March 5, 2005 Looks we got him back, or someone similar. Got a weird channel #sd## with not much going off. This guy is suspect is state side. Possibly unrelated is "Lumin" who has about 6 channels going. I suspect this one is this side of the pond. Quote Link to post Share on other sites
player Posted March 5, 2005 Report Share Posted March 5, 2005 Seems hes gone now... Quote Link to post Share on other sites
joeking27 Posted March 5, 2005 Report Share Posted March 5, 2005 Lumin has killed his channels, but hacker kiddies is still on. Quote Link to post Share on other sites
player Posted March 6, 2005 Report Share Posted March 6, 2005 Its invite only... o.O Quote Link to post Share on other sites
Marlowe Posted March 15, 2005 Author Report Share Posted March 15, 2005 (edited) It's back again... [12:02:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [12:02:38] ::: Now talking in: (#sd##) [12:02:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [12:02:38] ::: Users: (3), Ops: (1/33%), Halfops: (0/0%), Voiced: (0/0%), Regs: (2/67%) [12:02:38] ::: Join synced in: (0.016) secs [12:02:38] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [12:03:27] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [12:03:27] ::: Whois report for (vgdahs) [12:03:27] ::: Address: chanyou44@222.105.118.199 [12:03:27] ::: Channels: @#sd## [12:03:27] ::: Server: irc.arniesairsoft.co.uk, ArniesAirsoft IRC Server [12:03:27] ::: Idle: 1hr 57mins, signed on 1hr 57mins 2secs ago [12:03:27] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [12:03:32] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [12:03:32] ::: Whois report for (gioue) [12:03:32] ::: Address: yfpyp@218.49.88.133 [12:03:32] ::: Channels: #sd## [12:03:32] ::: Server: irc.arniesairsoft.co.uk, ArniesAirsoft IRC Server [12:03:32] ::: Idle: 1hr 3mins 49secs, signed on 1hr 3mins 47secs ago [12:03:32] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [13:28:33] * itkdl (~nufh@dialup-4.130.194.102.Dial1.Houston1.Level3.net) has joined #sd## [13:33:45] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › [13:33:45] ::: Whois report for (itkdl) [13:33:45] ::: Address: ~nufh@dialup-4.130.194.102.Dial1.Houston1.Level3.net [13:33:45] ::: Channels: #sd## [13:33:45] ::: Server: irc.arniesairsoft.co.uk, ArniesAirsoft IRC Server [13:33:45] ::: Idle: 5mins 12secs, signed on 5mins 11secs ago [13:33:45] •››››››››››››››››››››››››››››››››››››››››››› ››››› ››› ›› ›› ›› › › K-lining would seem to be good idea. That and, if it's possible, preventing such channels from being created... Edited March 15, 2005 by Marlowe Quote Link to post Share on other sites
Arnie Posted March 15, 2005 Report Share Posted March 15, 2005 It was only back because I forgot to lock the channel last night and stop it being used. If it's set to +i and there's one person in there it's most likely an admin idling to monitor anyone trying to connect. Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.