February 2004

The mIRC-X network had to close down it's door due to a DDoS attack. Their website has put an announcement up about the closure.

"Over the past few days, we have been receiving a very large sustained ongoing DDoS attack against all of the servers on our IRC network. While we have made efforts to filter the attack, the person behind it has been very persistent and we have been forced to block all traffic to the servers at times to filter it. Unfortunately, the end result has been an unusable network and the loss of our secondary server."

On SearchIRC.com a forum thread has started for those users in the need to find their pals back across IRC networks.

mIRC-X is working with law enforcement to find the one responsible for the attacks. "At this time, we know who is responsible for the attacks and law enforcement is investigating", the announcement reads.

IRCJunkie got hold of a log file which it was unable yet to verify. If the file is genuine, it links the DDoS to mIRC-X to the recent raid at Foonet.

[20:01:36] only here cause cjb killed my 200k botnet
[20:02:00] i returned the favor
[20:02:08] by killing all *.mircx.com IRCD's
[20:03:01] CJB reported duelelites.cjb.net and the IP
[20:03:06] which was on foonet
[20:03:11] foonet got raided
[20:03:29] i bounce
[20:03:30] :P
[20:18:59] * Vampyre (syntax@DDoSd.mIRC-X.And.Is.Afraid.Org) has left #wahala

The guys who are behind the GUI based Windows OS WinBot have started a new project called IRC Defender.

IRC Defenderdeveloper Brain explains: "IRC Defender is a program designed for IRC networks, written in perl. It is a modular security service which amongst other things will keep virus and trojan drones from your network, allow you to set akills using regular expressions, and will prevent abuse of CGI:IRC proxies.
We welcome third party development of modules, and will include any useful modules in the distribution."

Those using the popular Bahamut IRCd might want to be aware of a new release.

The release comments explain: "This is a *small* maintainance release fixing a few small bugs, and a security issue. All dalnet servers have been upgraded to this release."

This is for those who like to be kept up to date with news from this website inside their channel.

TCLScript.com released a script that will "obtain the latest news articles from www.irc-junkie.org, which can also be configured to auto-broadcast new articles in specific channels" told strikelight to IRCJunkie.

The first stable release of a new IRC client, jIRCii was announced by raffi in a email to IRCJunkie: "jIRCii is a powerful cross platform Internet Relay Chat client. It is fully scriptable using a Perl-like language called sleep. The focus is to provide a console client experience with the advantages of a solid GUI. It includes DCC/CTCP support, the ability to connect to SSL servers, and over 65 built-in commands."

Few minutes ago the US portion of EFnet approved a new client server hosted by Mzima Networks. The servers name is irc.mzima.net and is located in Los Angeles, California.

The provider also hosts the UnderNet server named losangeles.ca.us.undernet.org and the server will be completly open for everyone to connect.

We already had a small script for mIRC to show the latest 5 headlines from the news in your client.

LinuxIRC released a script for clients who can use the Perl language. Using the /rss alias you get to see the latest 5 article headlines added to this site.

Version Unreal3.2-RC1 of this popular IRCd is released.

"Now I know no one thought this day would come, but 3.2 is finally out of beta! We are proud to announce the release of Unreal3.2-RC1. RC stands for "Release Candidate" what that basically means is we've added all the features we intend to add to 3.2, we're just in bug hunting mode now", the website announced.

New features include spam and exploit filtering and a new channel mode +T which stops channel wide notices.

Foonet, a hosting/colocation company, has been raided by the FBI early Saturday morning. Hardware have been taken away by the FBI.

As Foonet is delivering uplink services to a lot of shell providers many users on IRC are affected in some ways. Ways users are affected can be ranging from their shell accounts being unavailable, to IRC servers running on IRCd shells not being available.

The reason for the raid is yet unconfirmed, but said to be linked to DDoS nets.

Update 1: According to this page which is started to keep track of any news around the Foonet raid, it is possible for people who had servers running at Foonet to get a mirror of their disks from the FBI.

Update 2: Foonet/CIT now have a public announcement regarding the raid, which also confirms the raid has been performed because of suspected DDoS attacks. A quote from the announcement:

"The FBI executed a Search Warrant regarding the IRC network that we host. According to the FBI search warrant, some one hosted in our network hacked and attacked some one else.

After several hours of attempting to track down, inspect and audit the terabytes of data that we host it was determined by the FBI that it was more efficient to remove the equipment from our site and transport it to the FBI local laboratories for inspection."

A discussion has started on SearchIRC.com regarding this post.

Yesterday we posted a interview with the new owner of the Bersirc Windows IRC client. At the end of the interview he promised us a screenshot of the client in development. The article is now updated with the screenshot.

Update: More screenshots, including one for Linux, have been posted on http://bersirc.free2code.net/.

A total of 654MB Windows 2000 and NT source code got leaked onto the Internet yesterday in two seperate compressed files.

"On Thursday, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. It?’s illegal for third parties to post Microsoft source code, and we take such activity very seriously" the press release of Microsoft states.

"It was on the peer-to-peer networks and IRC today," Dragos Ruiu, a security consultant and the organizer of the CanSecWest security conference, said to ZDNet.

IRC networks are facing a wave of drone connections as this new worm named Deadhat is spreading over the world.

This virus is not using e-mail to spread itself, but using the ports that are opened by MyDoom on infected machines. Once being delivered on the machine, it will remove the MyDoom infection and attempt to remove anti-virus and firewall software.

Once installation is complete it will connect to a IRC server and wait for commands from it's master.

Good antivirus software is even available for free. Check out our security section on the links page.

Recently Jamie Frater coder of Bersirc have sold the code and domain to a new owner.

As one of the last popular freeware Windows based IRC clients users are in their right to be a bit wary of what is going to happen to their client. We interviewed N. Copeland, the new owner of the code, and asked him for the future plans for this client.

In an email to BugTraq cyborgirl announced a exploit in the share.mod module for Eggdrop.

"A tricky attacker can gain the control over (almost) any eggdrop botnet. the bug rely in the fact that every legitimate bot can gain share status even if it is not marked to share with someone", the post explains.

After the example exploit code is used, the malicious user "can adduser.. deluser.. chattr..".

A patch has been included in the post. To completely disable this feature (if your bot is not part of a botnet) reconfigure and compile without the module enabled, or comment out the loadmodule share option in your bot's config file, en .restart the bot.

Update: The CVS has now been patched with the code made by cyborgirl. The CVS can be found here.

Less and less freeware Windows IRC clients are left. One of them in HydraIRC which is gaining in popularity.

New Versions of this client are almost released daily. Version 0.3.124 got released yesterday and include some fixes on the DCC side, fix on closing a query window which wasn't yet visible which caused a crash and a memory leak.

Changes from this and previous versions can be found in the change log file.

You can find and download HydraIRC from here.

Author Jamie Frater sold his previously freeware IRC client Bersirc for "an undisclosed sum".

The code has been sold to a person named N. Copeland from the U.S.A., and the previous owner says he is unable to make any announcements on what he is going to do with the code and domain.

The website have been replaced with an announcement about the sale.

Most, if not all IRC network make use of load balancing. A single server address is available which will automatically redirect the user to one of the servers present on the network. Usually that address looks something like irc.network.com.

To get users from the USA to US based servers, and EU suers to EU users, often a few extra subdomains are created, like us.network.com and eu.network.com.

But how about real geographical load balancing? Just one server address which will send users worldwide to a server geographically close to them? Services like this are already available for commercial purposes, but unfortunately too costly for IRC networks who are based on volunteers.

A group of coders from the Blitzed IRC network are currently setting up a project to achieve just that.

"We have many channels that are geographically biased. We have channels of mainly Danish people, channels of mainly Dutch people, channels of mainly US people. When a split happens, because most of these people are spread over every server we have, they cannot help but notice the split since now one or more people they were talking to are no longer present." Project member grifferz explains one of the reasons for geographical load balancing.

An initial plan is laid out on a page on the Blitzed website. Currently several ways are being discussed on how to determine the origin of the user, detect the server with the lowest latency to him and caching any results for future users from the netblock.

If you are interested in this project, the members are still looking for more contributors.

From time to time a malicious scripter finds a new way to make a convincing text some people cant resist to click on, and then get them self infected with a virus.

Social engineering is much part of virus writing these days. The technique is to bring the package in such a way that the receiver of the virus will think it is a genuine save link to click, or program to start, only resulting in them being infected.

Lately there is a small increase again in the onjoin worms on IRC. These worms will message users as they are entering a channel trying to make them click a link to a malicious file on the World Wide Web.

These worms make use of either security flaws in Internet Explorer (just visiting a webpage is enough), or on the good faith of the user to execute any files found on that website which then write script files to the mIRC directory who then of course become part of the onjoin army to infect others.

Today an interesting article appeared in the New York Times about the virus underground (although those guys would probably be insulted when being grouped together with the people scripting mIRC worms...).

"Cupid has struck the Zine this month, and we've devoted the entire issue to Valentine's Day. If someone special has tickled your heartstrings, then this is the place to indulge your romantic side", DALnetizen's editor Curve introduces this edition.

The domain name dispute between the IRC network using the GamesNET.net domain and Donald Wasylyna has been settled in a agreement.

The domain in question, GamesNET.net which previously hosted the website for the network now hosts a short text explaining the settlement.

"Plaintiff Donald Wasylyna and the following defendants and cross complainants - Gavin Roy, D. Seth Hunter, Jeff E. Perales, Jennifer Locicero, R. Brenton Strickler, Michael Poole and James Thomason -- have reached a settlement of the litigation pending between them. The settlement agreement is available here http://www.gamesnet.net/settlement.pdf. None of the parties admit liability as to any of the allegations", the website reads.

The service who was previously available on the GamesNET.net domain, the IRC network, will be moved over to GameSurge, and the domain name GamesNET.net returned to Donald Wasylyna.

edit: changed title and wording to reflect the litigation.

The GamesNET and ProGamePlayer are joining forces to form a new IRC network named GameSurge.

ProGamePlayer was a network ranked 46 with a average of 3072 users on the network pages of SearchIRC.com. GamesNET is a slightly larger fish, ranked 6 with 39657 users. "PGPN's audience (mostly Unreal Tournament players) was different from ours, but the network structures, services and cultures were very similar. Having one place for to IRC gives a better focus for all the gamers we serve", former GamesNET oper Entrope explained to IRCJunkie.

"GameSurge has been setup to provide professional, non-commercial IRC and community related services", the new website of GameSurge reports. A system has been thought out to provide solutions on problems with colliding user- and channel accounts.

"Both sides were using the same version of srvx before, so the database contents were compatible." Only 1% of user accounts collided, and 2% of the channels, and the heuristics system setup gave clear preference over what account to prefer in more then half the collisions. "Our policy on handling the rest is first-come, first-serve: Whichever asks first in #support can be renamed to their original name" Entrope explains. "We apologize for the inconvenience to everyone whose account or channel was renamed, but we believe this is the fairest way to approach it."

GamesNET have been covered in a series of articles regarding the domain name dispute they had with former network admin Donald Wasylyna. The first article appearing on February the 19th 2003.