[Dshield] ISP redirecting IRC traffic to attempt bot removal

jayjwa jayjwa at atr2.ath.cx
Fri Jul 20 10:11:25 GMT 2007


When blocking goes too far, part #2 (working title: First they came for email, 
now it's IRC)



Background info:
   1) http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016

   2) The typical command for rbot/urxbot removal of the bot from the bot 
user's perspective is to issue a command such as /msg bot .remove, sometimes 
also "!" is the command prefix, but technically it can be anything. They seem 
to have forgotten most bots require .login before accepting commands, but there may 
be some that do not.

   3) The code for the server appears altered as well, as it announces 
multiple, different topics. Normally IRC servers do not do this for the same 
channel.



Fri Jul 20 05:57:00 EDT 2007:


*** Performing DNS lookup for [70.168.70.4] (server 4)
*** DNS lookup for server 4 [70.168.70.4] returned (1) addresses
*** Connecting to server refnum 4 (70.168.70.4), using address 1 (70.168.70.
+4:6667)
*** Looking up your hostname...
*** Checking Ident
*** No Ident response

(They lie, I do most certainly run Identd)

*** Welcome to the Internet Relay Network jayjwa
*** Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2
*** Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2
*** This server was created Thu Dec 6 2001 at 11:52:49 EST
*** localhost.localdomain 2.8/hybrid-6.2 oOiwszcrkfydnxb biklmnopstve
*** There are 2 users and 0 invisible on 1 servers
*** I have 2 clients and 0 servers
*** Current local  users: 2  Max: 2
*** Current global users: 2  Max: 2
*** Highest connection count: 2 (2 clients) (2 since server was (re)started)
*** - localhost.localdomain Message of the Day -
*** - Where's the kaboom? There was supposed to be an earth shattering kaboom.
+
*** End of /MOTD command.
*** jayjwa (jayjwa at 64.179.12.43) has joined channel #martian_
*** Mode change "+nt" on channel #martian_ by localhost.localdomain
*** Users on #martian_: @Marvin_ jayjwa
*** Topic for #martian_: .bot.remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: .remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: .uninstall
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: !bot.remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: !remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: !uninstall
*** The topic was set by Marvin_ 3 sec ago
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove
<Marvin_> !uninstall
*** Mode for channel #martian_ is "+tn"
*** Channel #martian_ was created at Fri Jul 20 05:46:57 2007
User [localhost.localdomain!@~jayjwa] was not on the names list for channel
+[#martian_] on server [4] -- adding them

  05:51AM [1] jayjwa #martian_ (+nt) (Mail: 56)  EPIC5 -- Type /help for help
EPic>


To sum this up for those not familiar with IRC, if I was a client of this ISP, 
and I tried to access the public IRC network irc.ablenet.org, my ISP's 
nameserver would return knowingly false information to send me to this fake 
server, which, once there, auto-logs me into a channel and attempts to 
interact with software I may or may not have running on my machine in an 
attempt to remove it from my machine.



-- 
[RBL:Just A Bad Idea] Do not use DNS-RBL; Demand your ISP stop.
  Tell RoadRunner/Adelphia, Netzero,etc: don't trash your mail.
http://www.ifn.net/classic/rblstory.htm
http://theory.whirlycott.com/~phil/antispam/rbl-bad/rbl-bad.html
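An added example, not part of jayjwa's post or the Dshield list: a small Python detector for the behaviour the session log above shows, run over constructed IRC wire-format lines that approximate what the EPIC client received. Only the address 70.168.70.4, the hostname irc.ablenet.org, the channel, nick and topic strings come from the post; the sample lines, the function names, and the reference-resolver answer 203.0.113.10 are assumptions. It flags (1) a server that names itself localhost in its RPL_YOURHOST (002) reply, (2) several distinct RPL_TOPIC (332) replies for one channel, which a normal ircd does not send, (3) bot-control commands with a "." or "!" prefix in topics or channel messages, and (4) a resolver answer for irc.ablenet.org that disagrees with an independent resolver.

```python
import re
from collections import defaultdict

# Constructed raw IRC lines (RFC 1459 wire format) approximating the session in
# the post. These were NOT captured from the ISP; they are built for this example.
SAMPLE_SESSION = [
    ":localhost.localdomain 001 jayjwa :Welcome to the Internet Relay Network jayjwa",
    ":localhost.localdomain 002 jayjwa :Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2",
    ":jayjwa!jayjwa@64.179.12.43 JOIN :#martian_",
    ":localhost.localdomain 332 jayjwa #martian_ :.bot.remove",
    ":localhost.localdomain 332 jayjwa #martian_ :.remove",
    ":localhost.localdomain 332 jayjwa #martian_ :.uninstall",
    ":localhost.localdomain 332 jayjwa #martian_ :!bot.remove",
    ":localhost.localdomain 332 jayjwa #martian_ :!remove",
    ":localhost.localdomain 332 jayjwa #martian_ :!uninstall",
    ":Marvin_!marvin@localhost PRIVMSG #martian_ :.bot.remove",
    ":Marvin_!marvin@localhost PRIVMSG #martian_ :!uninstall",
]

# Constructed resolver answers: the ISP address is the one in the post, the
# reference answer is a documentation-range placeholder, not the real host.
ISP_ANSWERS = {"irc.ablenet.org": ["70.168.70.4"]}
REFERENCE_ANSWERS = {"irc.ablenet.org": ["203.0.113.10"]}

# Commands of the form ".remove", "!bot.remove", ".uninstall" etc. (the ones the
# post's fake server pushed); "." and "!" are the prefixes the post mentions.
BOT_CMD = re.compile(r"^[.!](?:bot\.)?(?:remove|uninstall)\b")


def parse_irc_line(line):
    """Split one IRC message into (prefix, COMMAND, params) per RFC 1459 framing."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")   # first " :" starts the trailing param
    parts = head.split()
    command, params = parts[0].upper(), parts[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def analyze_session(lines, topic_threshold=2):
    """Return (kind, detail) findings that indicate a rogue or tampered IRC server."""
    findings = []
    topics = defaultdict(list)
    for raw in lines:
        prefix, cmd, params = parse_irc_line(raw)
        if cmd == "002" and params and "localhost" in params[-1].lower():
            # A public server should not introduce itself as localhost.
            findings.append(("server-claims-localhost", params[-1]))
        elif cmd == "332" and len(params) >= 3:
            channel, topic = params[1], params[2]
            topics[channel].append(topic)
            if BOT_CMD.match(topic):
                findings.append(("bot-command-in-topic", f"{channel} {topic}"))
        elif cmd == "PRIVMSG" and len(params) >= 2:
            target, text = params[0], params[1]
            if BOT_CMD.match(text):
                findings.append(("bot-command-in-message", f"{prefix} -> {target}: {text}"))
    for channel, seen in topics.items():
        distinct = set(seen)
        if len(distinct) >= topic_threshold:
            # One channel has exactly one topic; a burst of different ones is abnormal.
            findings.append(("multiple-topics-for-channel",
                             f"{channel}: {len(distinct)} distinct topics"))
    return findings


def compare_resolvers(name, isp, reference):
    """Addresses the ISP resolver returned for `name` that the reference resolver did not."""
    return set(isp.get(name, [])) - set(reference.get(name, []))


if __name__ == "__main__":
    for kind, detail in analyze_session(SAMPLE_SESSION):
        print(f"{kind:28s} {detail}")
    extra = compare_resolvers("irc.ablenet.org", ISP_ANSWERS, REFERENCE_ANSWERS)
    print("isp-only addresses for irc.ablenet.org:", sorted(extra))
```

The topic check is the strongest of the four signals, since it keys on protocol behaviour rather than on specific strings: a client can only hold one topic per channel, so a run of distinct 332 replies within seconds can only come from a server whose code has been altered, as point 3 of the post observes. The resolver comparison is what an affected customer would run first, since the redirect happens at the ISP nameserver before any IRC traffic is sent.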

