The hackers, identifying themselves as “2l8″, allegedly killed off the IRCd on efnet.nl and relinked with their “ircd with a custom-made patch iHaq wrote just for the occasion. Amongst other nifty features it had kill protection, automatic opering, hardcoded spoof (incase anyone got in and looked at hte config files) for us (root@your.servers) and a more dynamic, yet coded in spoof that gave every connected user a host like OWNED-#.MASSIVE.2l8.OWNAGE”.

When asked about their motives they replied “The current situation of morons running alot of the network … is unacceptable. It’s no wonder kids resort to DDoSing IRC-servers. We felt it was time to send a clear message: We Own You. We will always own you … Being on IRC is no different from being in a large crowd, there is no reason for you to act like you are 12 and a bitch.”

They however stated that they themselves are EFNet regulars “Some of us have been on EFnet for 12 years, so that would be a yes. With the current state of affairs tho, we might just pound it into the stone age and go hang-out on freenode or something were people actually behave like regurlar human beings …”

Asked about the techniques behind the hack they replied “This attack has concsisted of using privately developed Linux and FreeBSD remote kernel bugs, as well as certain daemon bugs(apache,openssh,bind,etc) as well as webapp bugs, and sniffing. However the technique so far has been to rely on people’s totally predictable egos. Most of these folks have an ego the seize of the Great wall of China.”

Talking about the hacked webpage http://www.efnet.org, which displayed gayporn titled “oper convention” for two days, they told “The EFnet admins (and opers + groupies) thought we played with DNS cache poisoning for days to get their website to show gay porn, however, we never even attempted that, as we owned their nameservers:)”

Closing the email they wrote “The 2l8 team, want to take his opurtunity to tell everyone that a little love and respect goes a long way. Admins, opers or users, you are all still just human, us included.

- It’s never 2l8 to start being nice.

- The 2l8 team: iHaq, iRoot, iPwn, iSniff.”

Of course, any comments from the EFNet side are more than welcome and if need be will be handled strictly confidential.

EFNet IRC net and Website get hacked is a post from: IRC-Junkie.org - IRC News

This post is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Deutschland license.

Related posts:

1. EFnet Round Robin Blues
2. EFnet tests OpenChanfix
3. EFNet Switches to OpenChanfix

The developers of the Ratbox IRCd added it to the code after continuous requests. “The option to support SSL connections is part of ratbox 3, which is currently in beta stage. Hence only a few servers support it yet, namely irc.efnet.ch, irc.pte.hu & irc.blessed.net. However irc.eversible.com is running a special solution also accepting SSL, using the older ratbox 2. Also irc.efnet.ch and irc.pte.hu are running separate ircds for the SSL clients, to not disrupt regular clients while bugfixing etc.”

According to Taliz, around 200 clients are using the feature right now, but its growing as the word is spreading around.

Finally, Taliz ends with a small warning. “Until ratbox 3 goes “stable”, you may expect more frequent restarts due to bugs being worked out.”

EFnet Enables SSL Connections is a post from: IRC-Junkie.org - IRC News

This post is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Deutschland license.

Related posts:

1. IRC.EFNet.CH Supports IPv6
2. EFNet Switches to OpenChanfix
3. EFnet Round Robin Blues

Recently IRC.EFNet.CH added support for the IPv6 protocol. IRC-Junkie asked IRC EFNet.CH admin Taliz for how long IPv6 has been supported on EFNet. “Ratbox is an early fork of Hybrid 7 and, if I recall correctly, has always supported IPv6. Hybrid 7 has supported IPv6 since it was released back in 2003(there were however a lot of Betas & RC’s supporting IPv6 as well, which ratbox built on, dating back to 2001).”

“Some of the first servers supporting IPv6 on EFnet were irc6.qeast.net & irc.ipv6.homelien.no, they linked around 2001. Nowadays Qeast is gone, but IPv6 is enabled on irc.homelien.no as well as a multitude of other servers like irc.efnet.nl, efnet.ipv6.xs4all.nl, irc.inter.net.il, irc.efnet.ch, irc.ipv6.he.net & irc.choopa.net.” These servers can be found in the IPv6 round robin at irc.ipv6.efnet.net.

One of the old concerns with IPv6 was that maliscious users could have access to an unlimited range of addresses for floodbots. “CIDR limits are used to control IPv4 as well as IPv6 classes,” Taliz explains. “You can for example limit /64’s to 5 connections, effectively preventing mass cloning.”

IPv4 remains by far the most popular protocol in use. “I would estimate that there are less than, or around, 2000 IPv6 clients on EFnet regularly,” Taliz ends.

IRC.EFNet.CH Supports IPv6 is a post from: IRC-Junkie.org - IRC News

This post is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Deutschland license.

Related posts:

1. EFnet Enables SSL Connections
2. GameSurge tests new IPv6 code in ircu
3. EFNet Switches to OpenChanfix

“Mr. Killebrew was born in Temple to William Lee and Dianne Killebrew. He was a systems engineer for the Texas Network. He lived in Temple until the age of 10 and moved to Humble with his family where he graduated from Humble High School. He received a bachelors degree from the University of Houston. He was a member if the Institute for Electronic Engineer Computer Society, North American Network Operations Group and the American Radio Relay League. He was also an amateur radio operator”, the EFnet site reports.

Brad Allan Killebrew passed away last Thursday, September the 13th. A memorial service will be held Wednesday at Rosewood Funeral Home in Humble.

Thoughts can be left at this page on EFnet.org.

Stefano pointed IRC-Junkie out on this tragic news.

EFnet Admin Jafo Passes Away is a post from: IRC-Junkie.org - IRC News

This post is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Deutschland license.

Related posts:

1. EFnet Round Robin Blues
2. EFnet Enables SSL Connections
3. EFnet tests OpenChanfix

What happened was that three major ISPs (TimeWarner/AOL, Verizon and Cox) had set the DNS of the servers from Ablenet to resolve to their alternative IRCd instead of the actual IP, resulting in the users being redirected to the ISPs IRCd. Once connected to this IRCd they were being directed into a channel, where they would be presented by a list of commands intended to remove zombie software. For many years IRC was a popular place for dronerunners to control and command their dronenet from.

“Because we were hit by 3 major ISPs at the same time,” Anthony starts explaining to IRC-Junkie in a reaction, “… for a period of approximately one month, we have seemingly lost approximately 75% of our user base, who were either directly affected or peripherally affected and followed their communities to an unaffected network.

The action did not remained restricted to this relatively small network however, also 5 servers from EFnet were caught. One of them is irc.vel.net, with Exstatica as its admin. He explained how he discovered his server was involved as well. “Yesterday July 22nd, The admin-body discovered that a handful of EFNet servers have been “juped”.  Not only have they taken the irc record, but they’ve also hijacked the SOA and NS records too.”

Anthony tried to contact the ISPs in question but got either no reply at all, or a standard message that resources were too limited to reply. Also Exstatica tried to contact the ISPs; “Yes I’ve tried, I’ve contacted the abuse team at cox, they’ve requested logs, which I provided in the first email, and then gave me a canned response that I need to check my computer for viruses.”

Anthony stressed the character of his network was far from being a rogue one that hosted drone networks. “Our network has always been one that relied on their communities, under the premise that people come to irc to share ideas, meet new people and to gather in their own communities.  We were never big on the notions of unnatural expansion, inflated, false communities or hierarchies. We’re tough on botnets and non-conducive to file sharing… We have (had?) literary communities, fan communities, hobbyists, gamers, etc; pretty much running the gamut of personalities.”

Both Anthony and Exstatica have considered legal actions. But as there is no monetary loss and it involves only a violation of the RFC specifications such an action will most likely not be very fruitful.

For Anthony and Exstatica there is one reason left to fight back however, stand for Net neutrality. Anthony: “I also hope that our representatives do something, regarding Net Neutrality, to prevent the monopolization of the Internet.  This could in some ways be compared to racketeering or a corporate equivalent of China’s restriction on the Internet.  I firmly believe this to be a constitutional violation to our right of free speech and if we do not act now, when do we act? When will it be too late?”

Reviewing the move from the ISPs, how many drones could have been caught is unknown, it can not be that much as most of the zombie software has since moved from IRC to use P2P and HTTP. Also the text commands can either be given in a private message, channel message or topic. Prefixes range from . to , to & and can be virtually anything, including the word of the command itself, remove, uninstall, etc.

Admins advice users to use alternative DNS servers if they experience these problems when connecting to their IRC network. Since the media attention on this issue started yesterday several DNS records have been restored, of course without an explanation why they have been hijacked in the first place.

Over the past few years this has happened a few times before, but never ona  scale as this move, and not involving networks as large as EFnet’s.

IRC-Junkie was unable to contact any ISPs named in this article.

Major US ISPs Hijack IRC Server DNS is a post from: IRC-Junkie.org - IRC News

This post is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Deutschland license.

Related posts:

1. Australian ISPs unite to disconnect botnet zombies
2. AbleNET Renews its Website
3. Oslo* server Duo Delinks from Undernet