www.IRC-Junkie.org – IRC News

All about Internet Relay Chat

Help! My Network is in Servers.ini!

Assuming this was a commonly known fact, it was never reported before on IRC-Junkie. But as I had contact over the past few weeks with several smaller IRC networks, it became clear that not many small networks with servers.ini aspirations also realize the potential negative effects of being listed in the world's largest IRC server list.

It is not just humans that make use of this extensive list of IRC networks. You might remember the Fizzer worm which was causing havoc over IRC networks in 2003. That worm created such problems that a special task force was created, named IRC Unity, to tackle the problem. On their website we can read: “irc/unity was formed in May 2003 as a direct result of what was known as the “fizzer crisis”. In early May, the Fizzer worm was becoming a problem for IRC Networks around the world. This was due to the fact that it had a built-in list of IRC servers to connect to, gathered from the mIRC servers.ini file.”

In the last servers.ini update the Beirut IRC Network first got listed. Within a few days I got this email from Nat, who is handling the PR for the network: “Since we got added on servers.ini we are invaded by Turkish porn spambots. We are daily glining about 1000 IPs. Our boys, with the aid of an Undernet scripter, finally started to control the situation, made a script and it started glining them before they reach the channels.”

Among abuse-exploit team members the use of servers.ini by drones and spambots is a known problem. An Undernet abuse-exploits team member who wishes to remain anonymous gives an example. “GTBot (an mIRC client with added backdoors and *.ini files) uses the servers.ini file from mIRC. A GTBot spreads by advertising (amongst others) a URL to other users. (Example: hey look at me in the nude @ http://ip-number-here/me-nude.jpg, which is in reality an EXE file.) It (ab)uses the servers.ini file to go to all networks it contains.”

IRC-Junkie asked Tjerk Vonck, who is the webmaster of mIRC.com, if he is aware of the problem. “No. And really, I doubt there is such a problem”, he replied.

“Making the servers.ini file for non-humans hard to download does not solve this situation”, the Undernet abuse-exploits team member explains. “The abuser could manually download the ini, and put it on his own website.” Tjerk also agrees: “Especially not since the ini hardly changes over time, so any old copy would do perfectly fine, for normal users, and the drones you’re looking for.”

It seems that, for now, IRC networks with servers.ini aspirations had better realize that being listed can potentially have unwanted side effects.

Tag: Botnets, IRC, mIRC, Software
