www.IRC-Junkie.org Forum Index
October 2002

Asmo
Site Admin



Posted: Wed Oct 27, 2004 10:23 am
Post subject: October 2002

Users can not connect to DalNet

Thursday, October 31 2002 by Asmo

Several users have been asking on forums and mailing lists why they keep getting the "* Unable to connect (Can't assign requested address)" message.

This error message is caused because the requested host could not be turned into a correct IP address. The DalNet admin team has pointed the round robin irc.dal.net to 255.255.255.255 to keep the DDoS attacks away from any servers.

To get connected it is best to use a direct server address, preferably one geographically close to you. Some servers you can use are: tricky.dal.net, jade.dal.net, twisted.dal.net or starburst.dal.net.

Two bugged trojans

Thursday, October 31 2002 by Asmo

Symantec's Security Response reports on two variants of the W32.STD.D trojan, which will try to spread itself over IRC using mIRC. Luckily for us, the coder of said trojan made a few errors, with the result that the trojan will not work at all.

Way to go, you 3r337 |-|4ck3Rz!! ;)

Mirc.Net shows IRCNews.com how it works

Wednesday, October 30 2002 by Asmo

In reaction to recent news postings from IRCNews, another IRC news website, Mirc.net strongly objected to the way LMNOP, the news reporter in question, reported on this.

In the articles IRCNews at least suggested that Undernet's admin team loaded clones themselves to get a new user record. And even though LMNOP had contacted an Undernet admin and got an explanation of how a 17000 drone net was reduced, he still comments on how the user count cannot be humans:

So the mystery lives on. Undernet has ruled out drones, and at least one of their officials is skeptical (along with us) that it was a high number of individual users that caused the anomalous peak. At any rate, Undernet's user count has returned to normal for the time being, and we are left to scratch our heads and wonder!

Does IRCNews really think QuakeNet's, DalNet's or any other IRC network's user record consists entirely of humans? It is estimated that there are 40% bots on Undernet at any time, despite efforts from Undernet to keep malicious connections out. The same must also be true for any other IRC network, new user record or not.

EFnet links their first Hawaiian server

Tuesday, October 29 2002 by Hardy

EFnet's US Routing approved the first Hawaiian server on EFnet earlier today. The server is sponsored by Hawaii Online and the administrator's nick is wiz.

During its trial the server will allow Hawaiian clients only, but will be completely open to IPv6 clients. The server is the third IPv6 server on EFnet.

At the same time, irc.minefields.net was turned down as it doesn't match the requirements.

Backdoor spreads as IRC bot

Tuesday, October 29 2002 by Asmo

Trojans are a virus, worm or backdoor spreading concealed as a valid program, hoping the receiver will run the program and thus infect himself. This trojan comes in the form of a program that looks like an IRC bot program with a graphical user interface for Windows.

The nice folks at Symantec's Security Response named it Trojan.Iblis.

The trojan enables the cracker to do things like deopping users and flooding the channel.

It is always good practice not to trust any files unless you are very sure of what they do. Proper bots to run on Windows would be WinBot, or the Windows port of Eggdrop.

New Klient Beta

Monday, October 28 2002 by Asmo

And another beta version of the shareware Windows IRC client Klient has been released. Version 2.0.9 consists mostly of bug fixes and only a few minor new features.

EFnet server irc.du.se down due to hardware problems

Sunday, October 27 2002 by Hardy

The Swedish EFnet server irc.du.se, hosted by the University of Dalarna, is currently down due to hardware problems. The server should be back online within a few days.

EFnet is the 4th biggest IRC network in the world according to stats from Netsplit.de.

Trojan goes around QuakeNet

Sunday, October 27 2002 by Asmo

There are trojans going around IRC networks all the time. But apparently one is causing so much havoc on QuakeNet that it justifies a news post on their website.

A QuakeNet operator told us that a group of kiddies active on QuakeNet modified the code of an existing backdoor, which allows the cracker to access the infected computer, and execute and upload files to it. It will also pass the username and password of the channel service Q to them.

In case you are infected, you can get help on #help.script or on the support forum.

As always, don't accept any files from anyone automatically. And when you get a file, make sure that it is valid, since even a friend of yours could get infected and thus send you a file...

Undernet reaches new user record

Saturday, October 26 2002 by Asmo

Today a new user record has been set on Undernet. A total of 134297 concurrent users (read: a lot of bots and a few users ;)) have been connected. This makes Undernet the third network to cross the 130000 user barrier after IRCNet and QuakeNet.

This record does not come from the popular IRC statistics website NetSplit, which has a large record of numbers concerning IRC networks. This website does not monitor around the clock, so it can occasionally miss a high peak like this record for Undernet, which is monitored by Undernet services.

Popular Mac client Snak has an update

Saturday, October 26 2002 by Asmo

The popular Mac client Snak has been updated to 4.8.6. New features include support for RatServ AutoAway AppleScript, text antialiasing in OS X 10.1.15 and up, 20 channels in a window instead of the old 10, support for Undernet's 330 RAW numeric, and a long list of others, as well as bug fixes.

Snak means "talk" in Danish. Snak is shareware and costs 20$ after the initial 30 day trial period.

And another IRC related virus

Friday, October 25 2002 by Asmo

For the third day in succession we see a virus which also uses IRC to spread itself. W32.HLLW.Merkur@mm is a worm that spreads itself using MS Outlook, KaZaA, Bearshare, eDonkey as well as mIRC.
It will come as a file named Taskman.exe which on running would overwrite Notepad.exe as well as overwrite all .jpg, .mpg, .bmp, or .avi files in your sharing directories with itself. On IRC it will try to DCC Send itself to any users joining a channel as Screensaver.exe.

New release candidate of Darkbot 7.0

Thursday, October 24 2002 by Asmo

LuizCB, the Project Administrator of the A.I. type IRC bot known as Darkbot announced today that release candidate 4 is out. Besides a lot of bugfixes it also contains new commands like the RANDQ command that would output a random line from your randomstuff.ini from a search string. Several new defines have been added too, like the ability to add and delete topics in PRIVMSG.

For a future version, functions such as a command that lets helpers perform all commands in the perform.ini are planned.

Darkbot is an A.I. type of bot that can be very useful, especially in help channels, where it can answer questions from users seeking help. We have a log of a darkbot named Tween here on IRCJunkie that used to sit on #flash, Undernet.

And another 2 virii

Thursday, October 24 2002 by Asmo

Symantec's Security Response reports today on another two virii which are related to IRC.

The first is Backdoor.Sdbot.B, which, as the name clearly says, is a backdoor. The infectee will have a backdoor that connects itself to IRC, where it will sit in a hidden channel to wait for and receive commands from its master.

The second is a very notorious backdoor which is responsible for quite a few DDoS attacks, Backdoor.Litmus.203.b. On infection it will add registry values so it will start on Windows bootup. As usual with these types of backdoors, it will connect to IRC and sit in a channel to wait for commands issued by the master. The master is also able to download and execute programs on the infected computer, as well as get passwords and manage the installation of the backdoor.

QuakeNet second network to pass the 130000 user border

Wednesday, October 23 2002 by Asmo

The IRC statistics website NetSplit reports:

" Yesterday at 19:09 GMT QuakeNet had 130981 concurrent clients. So it's the second network (behind DALnet) that reached the border of 130000 concurrent clients. DALnet reached it already in April 2002 before it got bigger problems through DoS-attacks."

Two new virii

Wednesday, October 23 2002 by Asmo

VBS.Krim.C is a worm that copies itself over your hard drives and the network as Valentina.jpg.vbs; it also uses mIRC to spread itself over IRC, DCC sending itself to users when they join a channel. It is a pretty nasty worm which does things ranging from overwriting .doc, .mp3 and .txt files to formatting drive C:.

The second for today is Backdoor.Synrg, which allows unauthorized access to your computer. It will add a registry entry so it will run on Windows startup. It is able to update itself over the Internet, and uses port 80 and several IRC ports to communicate. As usual, it tries to spread itself by using mIRC to DCC itself to any client joining a channel the infected person is in.

To prevent getting infected, always run an up-to-date antivirus product, and regularly scan your complete system. There is a free online service from Trend Micro which you can use to scan your system. Click "scan without registering" on their site to do a scan.
If you think you have an infection, you can also join channels like #virushelp, #nohack or #dmsetup to get help getting rid of a virus.

New EFNet server

Wednesday, October 23 2002 by Asmo

For those who are in need of a new EFNet server in the USA, you might want to check out irc.choopa.net. As the server host already suggests, the server is sponsored by Choopa.

New DALnetizen issue

Tuesday, October 22 2002 by Asmo

DalNet released a new version of their e-zine DALnetizen. This time the focus lies on the DDoS attacks that have been affecting the network for a long time now. In one article DalNet admin Curve explains how these DDoS attacks do not only affect the IRC network being attacked:

"Behind the scenes, the effects of these attacks were far worse. LineOne was a large ISP, it had over 1,000,000 members who used it for Internet access and email. The attacks got so bad that, at times, all those members were simply unable to pick up their email or browse the Internet. These are people who, for the most part, had never heard of IRC - let alone DALnet. Some were trying to run small businesses from home, so we can only guess what those attacks did to their livelihood."

Further, you can read an article on what a DDoS attack is and how you can protect yourself against being infected with files that can be used in DDoS attacks, as well as interviews with users of DalNet. IRCJunkie also has an article on how to protect yourself with basic Internet/IRC security measures.

A while back an admin in the DalNet team told IRCJunkie that a man from Turkey was responsible for the attacks, after he got insulted by someone on the network.

New WinBot 2.3 release

Saturday, October 19 2002 by Asmo

Not too long ago we reviewed version 2.2 of this Windows-based bot. Version 2.3 updates WinBot Scripting with more event types and commands, "making WBS script equal to many other IRC scripting languages" according to the news on their homepage. Further, they added more plugin and customisability options as well as several new protection routines. They also added support for Socks5, although I have no idea if the IRC community should be glad about more open proxy using bots...

More DalNet troubles

Friday, October 18 2002 by Asmo

As if the ongoing DDoS attacks were not damaging this former number 1 (according to user count) IRC network enough, admins of this network are fighting an internal battle, reports IRCNews.

All Internet addresses end with a Top Level Domain (TLD); some well-known ones are .com, .net and .org, but you also have all the country-specific ones like .nl for the Netherlands and .ro for Romania. There are several alternative TLD organisations that issue TLDs that are not official. For those TLDs to work, you need alternative DNS servers or special software installed on your computer. Several TLDs that, for example, are offered by New.Net are .agent, .chat and .family.

You can clearly see why these TLDs are very useful for making up interesting vHosts on IRC. And that is where the problem lies. Big European ISP Tiscali, which also happens to sponsor a DalNet server, supports these extra TLDs, thus making it possible for users on their server to have a vHost with these unofficial TLDs. The problem arises when these users get abusive. For these TLDs it is virtually impossible to get administrator contact information, so it is hard to fight any abuse.

According to IRCNews, the admins are roughly split fifty-fifty on this case, and possibly the network's CEO has to make the final decision. Since he uses the dalvenjah@secret.agent vHost we probably already know what the outcome would be...

New worm W32.Appix.C.Worm

Friday, October 18 2002 by Asmo

Symantec's Security Response reports on a new worm which also uses the popular mIRC client to spread itself. Once infected, the worm will add itself to a wealth of other file types like .bat, .com, .cmd, .exe, .scr, .pif, and .msi files, but also .php, .phtml, and .php3 files, after which they will try to infect other web related files.

On visiting a website with such infected files, the victim would download a copy of the worm. The worm also tries to spread itself through mIRC, The Bat! filesharing network, and it uses the client email program, and if necessary, its own built-in SMTP engine to send itself to all email addresses found in the Windows address book.

ZoneAlarm fails to protect with DDoS

Thursday, October 17 2002 by Asmo

A recently discovered exploit in the very popular ZoneAlarm firewall, of which a freeware version is also released, leaves possibilities open for crackers to render a computer useless while performing a DDoS attack. A quote from the post on BugTraq:

Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 contains a vulnerability that would let the attacker consume all your CPU and Memory usage that would result to Denial of Service Attack through Synflooding that would cause the machine to stop from responding. Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 is also vulnerable with IP Spoofing. This Vulnerabilities are confirmed from the vendor.

ZoneAlarm's developers were contacted about this exploit about 1 month ago, and said they would make an update available to patch the problem.

New feature on IRCJunkie

Wednesday, October 16 2002 by Asmo

Old time visitors of this site might remember the IRC Search engine we had up for a while. It enabled users to search through the topics and channel names of the biggest 4 networks. After we got IRCJunkie back it was decided it was one of the features we could not support ourselves anymore due to overhead and time.

Luckily for us there is XGoogle, a website which specializes in searching IRC networks. They don't only handle the biggest networks, but are picking up information for a long list of networks.

In cooperation with XGoogle we can now offer their services right on IRCJunkie. We made a menu entry on the left for you so you can easily start a search from there.

Undernet introduces new user mode and channel mode

Tuesday, October 15 2002 by Asmo

Undernet finally introduced the long-awaited +x user mode. With this feature it is finally possible for everyone to have a host that will make them anonymous to other users. To use this new feature you can set the usermode +x when you log in on Undernet with: //mode $me +x, and after you are logged into X, your host will change to ident@username.users.undernet.org, with "username" being the username you have on X.

Don't forget to IDENT yourself on any eggdrops you are added to, since those bots will not recognise you initially because you have a new host ;)

Secondly, you can now also set the +r channel mode. This will set a flag on the channel so only registered and logged in users will be able to join a channel. Note that your channel does not necessarily have to be registered to use this mode.

Some other new features include:
- It is now possible to invite users through channel modes. So if you are an op, and banned *!*@*aol.com but want your single friend in who is on AOL, you can still invite him back into the channel. The same goes for other channel modes like +i, +k and +r.
- A server will now remember your X login. So if the server you are on is split, after it rejoins Undernet you will not have to log in to X again.

New IRC based worm

Sunday, October 13 2002 by Asmo

Symantec reports on a newly found worm named W32.HLLW.Tufas which uses IRC to spread itself to clients joining the same channel the infectee is in. The worm will install itself in the Windows directory, set itself hidden, and add a registry value to make it run when you start Windows.
It will also open ports so the cracker has access to your computer.

IRCNet regains top position in userrank

Sunday, October 13 2002 by Asmo

On the 10th of this month we reported that QuakeNet became the biggest network user count wise by taking over IRCNet's number 1 position. Today statistics website NetSplit.de reports that IRCNet regained the number 1 position. Both networks now have an average in the region of 115000 clients connected.

Only 20% of China's computers are virus-free

Saturday, October 12 2002 by Asmo

It is a well-known fact among the management of IRC networks that a .cn host, which stands for China, is usually a compromised host being used as a proxy or something else not quite in order.

Reuters has now posted a new article showing that 80% of the Chinese computers are infected with a virus. When you realise there are 45 million Internet users in China, you can imagine this to be a very serious security threat for the Net.

New Anti NetRider code in Undernet's ircd software

Friday, October 11 2002 by Asmo

You might already have noticed it a few times: after a server relinks to the network you might see users being kicked with the reason "Net Rider". This is part of new code that makes it impossible to "net ride" into channels.

When netriding you can enter +i and/or +k channels by making use of a split server without any users on it from that channel. After the server joins the network again you would be inside the channel even though it is +ik.

The new ircu version makes this impossible by kicking any users who joined a channel while the server was in a split, before the server is fully linked back.

Two eggdrop related security notices

Friday, October 11 2002 by Asmo

Slennox's eggdrop site reports on two eggdrop addons that have serious security flaws: the MegaHAL module and the quotes v1.1 tcl script.

The MegaHAL module has a new version to fix the security flaw. The quotes script unfortunately has a serious flaw in the way an expr command is used. For this script there unfortunately is no fix or update available. Slennox recommends users of this script to remove it from their bot.

QuakeNet now biggest network according to NetSplit

Thursday, October 10 2002 by Asmo

The network statistics website NetSplit reports that QuakeNet passed IRCNet in number of users and is now the biggest IRC network. Currently the average user count on QuakeNet is 115575 users against 115522 for IRCNet. QuakeNet's growth over the last 2 years is nothing but amazing, and shows a very steady growth of both users and channels.

IRCNet links new server

Wednesday, October 9 2002 by Asmo

IRCNet links a new server owned by Rostelecom. The server ircnet.rt.ru accepts clients coming from the "Commonwealth of Independent States".

Rostelecom is also the owner of the irc.rt.ru EFNet server, and the Moscow.RU.EU.Undernet.ORG Undernet server.

Popular Romanian ISP blocks SSH port

Sunday, October 6 2002 by Asmo

Take away the possibility to communicate with their compromised machines, and you take away the script kiddies' tools to DDoS. That must be what the big Romanian ISP Romania Data Systems was thinking when they closed off port 22 for their customers today.

In an email response, RDS confirmed they closed down port 22 to prevent script kiddies from abusing vulnerable SSH daemons, and to make it impossible to log in to compromised machines. In case you need SSH for your work, exemptions can be made for you, as explained by an RDS employee in an email response:

Yes, the great majority of our clients do have filters on outgoing port 22 connections because of the obvious reason explained by yourself, which is, trying to stop ssh scannings by our clients. We do know ssh has legit uses, that's why we can allow you to SSH, we just have to have the list of IPs you want to connect to.

Let's hope RDS realises there is more to preventing script kiddies from abusing compromised machines than just closing port 22. Script kiddies usually start a backdoor on a different port, so using this filter to stop them from logging on to their compromised boxes is wrong...

DoD member answers questions on SlashDot

Sunday, October 6 2002 by Asmo

In May of this year the FBI arrested many members of this worldwide group who were involved in cracking software, under the operation name Operation Buccaneer. This group, which used the name DrinkOrDie, used the EFNet network as its home base.

On 16 August of this year Christopher Tresco, one of the DoD members, was sentenced to 33 months in jail. A while back, the popular geek website SlashDot gave its users the opportunity to send in any questions they had for Christopher Tresco. And today those questions got answered.

EFnet server changes name

Saturday, October 5 2002 by Hardy

All of Concentric's servers on EFnet have been renamed to the *.xo.net domain. The hub is renamed from ircd-w.concentric.net to ircd-w.us.xo.net and the client server irc.concentric.net has been renamed to irc-efnet.svc.us.xo.net. The client server still only allows clients from providers who peer with them.

The company Concentric changed its name about a year ago, so the name change has been planned for a while. That it happened now was just a coincidence, as the servers had some downtime already.

IRCNet DDoS'er and rootkit coder arrested

Saturday, October 5 2002 by Asmo

Wired News reports that Surrey police have arrested a man named Samir Rana using the nick Torner. He is believed to be the coder of the rootkit named Tornkit, a kit designed to hack into Linux machines and make them available to attack other machines.

A group of IRCNet operators collected a CD-ROM full of evidence including log files, webpages and the like that show that the arrested man also used the rootkit himself to DDoS IRCNet. Besides being involved in DDoS, Torner was also involved in defacing websites, including CNN's N-tv.de site.

Torner is currently free on bail, but has to return on October 29 for more interviews, and possible charges.

New way to get latest Eggdrop

Saturday, October 5 2002 by Asmo

Besides the wget geteggdrop.com, Egg Heads made a second domain available from which you can get the latest eggdrop bot: wget eggheads.org.

Eggdrops are possibly the most popular bots used on IRC; the project was originally started by Robey Pointer. Recently IRCJunkie interviewed guppy, the maintainer of Eggdrop 1.6 and head of eggheads.org, where he explains what it is like to run such an open source project, and tells what's coming up in the new 1.7 release.

Two new IRC related worms

Friday, October 4 2002 by Asmo

Not just 1, but 2 new worms have been discovered for today.

First off, VBS.Pelic.Worm is a worm that can also spread itself through the popular KaZaa filesharing network. Once installed on the computer it will try to disable any installed anti-virus software. It will copy itself into the KaZaa share folder, as well as to several system folders. It will add an entry in the mIRC script.ini that will make it automatically DCC the file to each person joining any channel the infected person is in.

The second worm only spreads itself using the popular mIRC client, and has been given the name W32.Gillich.Mirc. When the worm runs it will pop up a requester with the following message:

This piece of code was written for, 4 of my friends, who died in a car accident!. Its very terrible,isn't it?

If you answer "yes" the worm quits with a thanks for the condolences, but on answering "no" it displays another popup claiming you are responsible for the accident, after which it will start to overwrite .exe files in the Windows system directory. As usual this worm will try to spread itself with the use of DCC.

As always, have an up-to-date anti-virus product running to prevent getting infected. These days even several freeware products are available, so it wouldn't have to cost you anything if you're short on money. Check the links page for a list of links.

Popular EFNet server renames

Friday, October 4 2002 by Asmo

One of the more popular EFNet servers has renamed its domain. The irc.concentric.net server will from now on be called irc-efnet.svc.us.xo.net. Likewise, the hub server that was named ircd-w.concentric.net will from now on be named ircd-w.us.xo.net.

Popular Telnet/SSH client released new version

Thursday, October 3 2002 by Asmo

Today version 0.53 of the popular freeware Telnet/SSH client PuTTY was released. Besides several added features and a lot of bug fixes, the program now for the first time also comes with an installer.

AOL links server to DalNet

Wednesday, October 2 2002 by Asmo

It was good for dozens of emails on DalNet's routing mailing list, but nonetheless the routing committee of this network granted the server a test link. Admins voted 12 yes, 0 no, and 1 no opinion to have the tricky.dal.net server linked.

For a few weeks the discussion went on about whether DalNet should allow an AOL server, with conspiracy theories being discussed, such as this being the way for AOL to "infiltrate" DalNet. A small quote from a typical mail:

As to the issue at hand, AOL is a source of DDoS, SYN Floods, zombies, etc. Why? The simple answer is that AOL does NOT check outbound traffic for signatures of such attacks. As they are dialups, the load to do so on each connection is certainly manageable within each AOL POP, yet AOL has yet to institute such a policy.

Users also questioned AOL's lack of educating users concerning security, and lack of response when dealing with compromised machines being used to DDoS. Other networks have had a server sponsored by AOL for years without any problems, like the washington.dc.us.undernet.org server on Undernet.

New EU EFNet server

Wednesday, October 2 2002 by Asmo

If you are an EFNet user, and based in the EU, it might be worth noting that a new server is available for your use: efnet.dkom.at
The server will undergo a 60 day test link to see if it meets the EFNet requirements for a link, and is adminned by kurd and nameless.

QuakeNet adds new Trusted hosts FAQ

Wednesday, October 2 2002 by Asmo

A trusted host on QuakeNet can have more clients simultaneously online than the max. 5 allowed normally. These are especially useful for schools, cybercafes, shell companies and similar organisations where multiple users are often working from the same IP address. QuakeNet added a new FAQ explaining what a trusted host is, and how you can get one.

One QuakeNet user commented that in his eyes the rules were still the same, to which Operator Deckard answered:

Not entirely. Before, under the old system, trusts were pretty much granted to anyone with a static connection and no instances of abuse in their history. Unless we had reason to be suspicious, or our better judgement told us otherwise, a trust could be added for the user. Also under the new system, we no longer accept trusts that would require a long-term commitment on our behalf to hosts that do not reflect serious intent, eg) ISP hosts for bouncers. These hosts can still be trusted for LANs.

New mIRC worm

Tuesday, October 1 2002 by Asmo

A new worm has been found which spreads itself using a multitude of networks. W32.Cianam.Worm can spread itself through the KaZaa filesharing network, IRC, as well as over email.
The worm itself is sent with a random selection of names and extensions. Once run it will also make a registry entry so it will be run automatically on Windows startup. If mIRC is found it will write a script.ini file in its directory so it will try to DCC send itself to users joining any channel you are in.
_________________
Asmo

webmaster www.IRC-Junkie.org
All times are GMT + 1 Hour