Help getting rid of mass-joining drones

Help with EFnet related issues

Moderators: Website/Forum Admins, EFnet/Help Moderators

Pickle
Posts: 3
Joined: Fri Jun 09, 2006 3:10 am

Help getting rid of mass-joining drones

Postby Pickle » Fri Jun 09, 2006 3:29 am

Hi. Our channel has been getting mass-joined by a drone-net for a while now. The bots appear to mainly be running on irc.inter.net.il, irc.colosolutions.net, and irc.nac.net. A version invariably returns a reply of "Cottle Rocket v10.2". A partial list of some of the clients follows:

fourdogs (~fourdogs@I don't like)
birdflu (~birdflu@to read forum rules)
billary (~billary@I think that they)
nuggetz (~nuggetz@are for fools)
fishfood (~fishfood@Why should I bother)
algore (~algore@to listen to what they say?)
willyb (~willyb@I just want these drones)
dumper2 (~dumper@gone anyway.)
jerryg (~jerryg@So, someone, please help me)
pooter (~pooter@with some lines that are K, X or D.)
buffalo3 (~buffalo@BURMA SHAVE)

Obviously these are open socks proxies.

Assistance in getting rid of these drones would be appreciated.
User avatar
Pills
Forum Admin
Posts: 312
Joined: Wed Jul 02, 2003 1:14 pm
Location: Long Island, NY
Contact:

Postby Pills » Fri Jun 09, 2006 1:25 pm

/stats p those servers, and message an active oper when they're on.
admin, irc.umich.edu
oper, irc.servercentral.net
Pickle
Posts: 3
Joined: Fri Jun 09, 2006 3:10 am

Postby Pickle » Mon Jun 12, 2006 1:47 am

Unfortunately that hasn't been working very well.

By the way, the botnet is currently mostly on nac.net and blackened.com, if anyone cares.
User avatar
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ
Contact:

Postby munky » Mon Jun 12, 2006 12:09 pm

if they are obvious socks proxies, what port is the proxy on?

a few hosts appear in njabl, and a few in spamhaus, but none have SOCKS or HTTP proxies on any scanned proxy ports.
In God we trust,
Everyone else must have an X.509 certificate.
Pickle
Posts: 3
Joined: Fri Jun 09, 2006 3:10 am

Postby Pickle » Tue Jun 13, 2006 3:53 am

Well, I say "obviously" based on the fact that none of them ever have resolving identds, and that they are all clearly part of a single botnet (same odd version info, automated mass-joins day and night). I don't know what port(s) the socks proxies may be using, unfortunately. Since about half the mass-joiners make it past blacklists it certainly isn't any commonly-scanned ports. I guess it could just be a bunch of zombie machines that have been compromised in some other way, but the effect is the same.

Who is online

Users browsing this forum: Google [Bot] and 3 guests