Hi. Our channel has been getting mass-joined by a drone-net for a while now. The bots appear to mainly be running on irc.inter.net.il, irc.colosolutions.net, and irc.nac.net. A version invariably returns a reply of "Cottle Rocket v10.2". A partial list of some of the clients follows:
fourdogs (~fourdogs@I don't like)
birdflu (~birdflu@to read forum rules)
billary (~billary@I think that they)
nuggetz (~nuggetz@are for fools)
fishfood (~fishfood@Why should I bother)
algore (~algore@to listen to what they say?)
willyb (~willyb@I just want these drones)
dumper2 (~dumper@gone anyway.)
jerryg (~jerryg@So, someone, please help me)
pooter (~pooter@with some lines that are K, X or D.)
buffalo3 (~buffalo@BURMA SHAVE)
Obviously these are open socks proxies.
Assistance in getting rid of these drones would be appreciated.
Help getting rid of mass-joining drones
Well, I say "obviously" based on the fact that none of them ever have resolving identds, and that they are all clearly part of a single botnet (same odd version info, automated mass-joins day and night). I don't know what port(s) the socks proxies may be using, unfortunately. Since about half the mass-joiners make it past blacklists it certainly isn't any commonly-scanned ports. I guess it could just be a bunch of zombie machines that have been compromised in some other way, but the effect is the same.