IRC-Junkie.org – IRC News

All about Internet Relay Chat

Major US ISPs Hijack IRC Server DNS

“I am writing to this list because I no longer know where to turn” admin Anthony from Ablenet started his email to the full-disclosure list. “Over the course of the past 2 to three weeks I have watched my services on the Internet become systematically blocked and redirected by no less than 3 major isps in their efforts to stop botnets from connecting to IRC.”

What happened was that three major ISPs (TimeWarner/AOL, Verizon and Cox) had set the DNS records of Ablenet's servers to resolve to their own alternative IRCd instead of the actual IP, so that users were redirected to the ISPs' IRCd. Once connected to this IRCd, they were directed into a channel where they were presented with a list of commands intended to remove zombie software. For many years IRC was a popular place for drone runners to command and control their drone nets from.

“Because we were hit by 3 major ISPs at the same time,” Anthony starts explaining to IRC-Junkie in a reaction, “… for a period of approximately one month, we have seemingly lost approximately 75% of our user base, who were either directly affected or peripherally affected and followed their communities to an unaffected network.”

The action did not remain restricted to this relatively small network, however: 5 servers from EFnet were caught as well. One of them is irc.vel.net, with Exstatica as its admin. He explained how he discovered his server was involved as well. “Yesterday July 22nd, The admin-body discovered that a handful of EFNet servers have been “juped”.  Not only have they taken the irc record, but they’ve also hijacked the SOA and NS records too.”

Anthony tried to contact the ISPs in question but got either no reply at all, or a standard message that resources were too limited to reply. Exstatica also tried to contact the ISPs: “Yes I’ve tried, I’ve contacted the abuse team at cox, they’ve requested logs, which I provided in the first email, and then gave me a canned response that I need to check my computer for viruses.”

Anthony stressed that his network was far from a rogue one hosting drone networks. “Our network has always been one that relied on their communities, under the premise that people come to irc to share ideas, meet new people and to gather in their own communities.  We were never big on the notions of unnatural expansion, inflated, false communities or hierarchies. We’re tough on botnets and non-conducive to file sharing… We have (had?) literary communities, fan communities, hobbyists, gamers, etc; pretty much running the gamut of personalities.”

Both Anthony and Exstatica have considered legal action. But as there is no monetary loss and it involves only a violation of the RFC specifications, such an action will most likely not be very fruitful.

For Anthony and Exstatica there is one reason left to fight back, however: to stand up for Net neutrality. Anthony: “I also hope that our representatives do something, regarding Net Neutrality, to prevent the monopolization of the Internet.  This could in some ways be compared to racketeering or a corporate equivalent of China’s restriction on the Internet.  I firmly believe this to be a constitutional violation to our right of free speech and if we do not act now, when do we act? When will it be too late?”

How many drones the ISPs' move could have caught is unknown, but it cannot be many, as most zombie software has since moved from IRC to P2P and HTTP. Also, the text commands can be given in a private message, a channel message or a topic. Prefixes range from . to , to & and can be virtually anything, including the word of the command itself: remove, uninstall, etc.

Admins advise users to use alternative DNS servers if they experience these problems when connecting to their IRC network. Since the media attention on this issue started yesterday, several DNS records have been restored, of course without an explanation of why they were hijacked in the first place.

Over the past few years this has happened a few times before, but never on a scale like this, and never involving networks as large as EFnet.

IRC-Junkie was unable to contact any ISPs named in this article.
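A way to check for the redirection described above, as an added example that is not part of the original article: compare what each resolver returns for the IRC hostname (A) and its zone (NS, SOA) against the answers from the zone's own nameservers. All hostnames, addresses and resolver labels are constructed; real answers could be collected with `dig @resolver name type +short`.

```python
RECORD_TYPES = ("A", "NS", "SOA")

def normalise(rdtype, values):
    """Reduce answers to the part that is stable across honest resolvers."""
    if rdtype == "SOA":
        # Keep only the primary nameserver (MNAME); serials can lag in caches.
        return {v.split()[0].lower().rstrip(".") for v in values}
    return {v.lower().rstrip(".") for v in values}

def diverging_types(reference, observed):
    """Return the record types where `observed` contradicts `reference`."""
    flagged = []
    for rdtype in RECORD_TYPES:
        ref = normalise(rdtype, reference.get(rdtype, ()))
        obs = normalise(rdtype, observed.get(rdtype, ()))
        if not ref or not obs:
            continue  # nothing to compare (timeout or empty answer)
        if rdtype == "A":
            # A round robin hands out varying subsets, so only a total
            # mismatch counts: no address in common with the reference.
            if ref.isdisjoint(obs):
                flagged.append(rdtype)
        elif ref != obs:
            flagged.append(rdtype)
    return flagged

def audit(reference, per_resolver):
    """Map resolver label -> diverging record types, for divergent resolvers only."""
    report = {label: diverging_types(reference, answers)
              for label, answers in per_resolver.items()}
    return {label: bad for label, bad in report.items() if bad}

# Constructed sample: answers as served by the zone's own nameservers ...
REFERENCE = {
    "A": ["192.0.2.10", "192.0.2.11"],
    "NS": ["ns1.example.net.", "ns2.example.net."],
    "SOA": ["ns1.example.net. hostmaster.example.net. 2007072201 3600 900 604800 300"],
}
# ... and as seen through two recursive resolvers (hypothetical labels).
RESOLVERS = {
    "isp-resolver": {
        "A": ["203.0.113.66"],
        "NS": ["ns.cleanup.example."],
        "SOA": ["ns.cleanup.example. root.cleanup.example. 1 3600 900 604800 300"],
    },
    "alternative-resolver": {
        "A": ["192.0.2.11"],
        "NS": ["NS2.example.net.", "ns1.example.net."],
        "SOA": ["ns1.example.net. hostmaster.example.net. 2007072101 3600 900 604800 300"],
    },
}

if __name__ == "__main__":
    print(audit(REFERENCE, RESOLVERS))
```

A resolver that diverges on NS and SOA as well as A has replaced the whole zone rather than a single host record, which matches what Exstatica reported.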

DrinkOrDie Member Sentenced to 51 Months in Jail

In May 2002 the FBI and law enforcement agencies worldwide arrested members of the DrinkOrDie warez group in an operation named Operation Buccaneer. One member, Hew Raymond Griffiths, who was arrested in Australia and transported to the U.S.A., received a 51-month jail sentence for his part in the warez group.

Originally started in Russia in 1993 and operating from a channel on EFNet, the group quickly became a group with members worldwide. It specialized in cracking software, but also released films and music.

Griffiths, now 44 years old, used the nickname Bandido and was one of the leaders of the group. After taking into consideration the time he spent in jail in Australia fighting the extradition, 15 months are left to serve.

“Whether committed with a gun or a keyboard – theft is theft,” US Attorney Chuck Rosenberg for the Eastern District of Virginia said. “And, for those inclined to steal Intellectual Property here, or from halfway around the world, they are on notice that we can and will reach them.”

Worldwide, 70 raids were conducted, which resulted in 30 convictions in the U.S.A. and 11 in other countries.

Possible DoS Found in IRCd-Ratbox

A possible DoS has been found in IRCd-Ratbox. This IRCd is in use on EFNet and other smaller networks.

The discovery was announced on the Ratbox mailing list by Lee H: “We have recently uncovered a potential DoS in ircd-ratbox that could result in resource starvation of the CPU.”

The bug dates back to a very early version of Ratbox, which makes it a vulnerability that is present in all flavors of the IRCd in use.

“We have now released ircd-ratbox-2.2.6, it is recommended that everybody upgrades — the attack is fairly easy to abuse.  Details follow in the next email”, Lee ends. Lee has since decided not to give more details about the exploit, to prevent malicious users from causing havoc.

Thanks to Kobi for the tip.

EFnet Round Robin Blues

“Over the past few days, the dude who runs the ‘irc.efnet.net’ round robin decided that he was tired of running it, and removed all the servers from the list”, Doug announced on EFnet.org. “It now only sends users to his one IRC server. Some admins were clearly upset, and one even called for the delink of the dude’s server.”

EFnet’s loose structure allows admins to own a broad range of domains such as efnet.net, efnet.org, efnet.info and efnet.us, and gives them the freedom to do with the domain as they see fit.

Once the round robin was changed, Doug set up a new round robin on EFnet.org.

The owner of EFnet.net is brad/jafo/paragod who runs the ircd.lagged.org server, which was the only server left in the roundrobin. The effects of that change can be found on this statistics page. In short, the change increased his number of users from a few hundred to over 4k.

“There were no discussions about possible delink,” one EFnet admin who asked to remain anonymous explained to IRC-Junkie. “… as it didn’t have time to escalate to that before he realized how stupid it was and pointed it back to all open efnet servers. We have mailed mirc asking for irc.efnet.org to be official rr in the future to avoid this again. Mirc already have irc.efnet.us as us rr.”

The admin had also sparked a discussion earlier, after he started selling shells under the efnet.net domain name, making it look like an official service.

“A year back he put the domain out for sale seeing how much he could get for it, no one went high enough but that says something about his standards”, the anonymous EFnet admin concludes.

IRC-Junkie tried to contact Brad for a reaction but got no reply.

IRC Channel Driving Force Behind Revolutionary Software

Napster and WinAmp are just two programs that are well known to the type of people who regularly read IRC-Junkie; that is a known fact. What is less well known is that both projects benefited greatly from an IRC channel on EFNet that functions as a gathering place for “professional software developers, talented college and highschool students, novice programmers seeking help and the usual charlatans and rogues that add character to the colourful world that is the Internet”, as the channel’s website explains.

An article about the channel, #Winprog, appeared today on Wired. “The IRC channel has played virtual incubator to a gamut of fledgling developers for more than a decade”, the article explains.

Besides being a point of help for programmers, the channel also functions as a meeting point for companies seeking talented programmers.

On a personal note: I love it when this face of IRC is being shown in the media as well from time to time!