Asmo
Site Admin
Joined: 26 Oct 2004
Posts: 663
Location: Undernet
Posted: Tue Feb 28, 2006 9:06 am
Post subject: Help! My Network is in Servers.ini!
Assuming this was a commonly known fact, it was never reported before on IRC-Junkie. But as I had contact over the past few weeks with several smaller IRC networks, it became clear that not many small networks with servers.ini aspirations also realize the potential negative effects of being listed in the world's largest IRC server list.
It is not just humans that make use of this extensive list of IRC networks. You might remember the Fizzer worm which was causing havoc over IRC networks in 2003. That worm created such problems that a special task force was created, named IRC Unity, to tackle the problem. On their website we can read: "irc/unity was formed in May 2003 as a direct result of what was known as the 'fizzer crisis'. In early May, the Fizzer worm was becoming a problem for IRC Networks around the world. This was due to the fact that it had a built-in list of IRC servers to connect to, gathered from the mIRC servers.ini file."
In the last servers.ini update the Beirut IRC Network first got listed. Within a few days I got this email from Nat, who is handling the PR for the network: "Since we got added on servers.ini we are invaded by Turkish porn spambots. We are daily glining about 1000 IPs. Our boys, with aid of an Undernet scripter, finally started to control the situation, made a script and it started glining them before they reach the channels."
Among abuse-exploit team members the use of servers.ini by drones and spambots is a known problem. An Undernet abuse-exploits team member who wishes to remain anonymous gives an example. "GTBot (an mIRC client with added backdoors and *.ini files) uses the servers.ini file from mIRC. A GTBot spreads by advertising (amongst others) a URL to other users. (Example: hey look at me in the nude @ http://ip-number-here/me-nude.jpg, which is in reality an EXE file.) It (ab)uses the servers.ini file to go to all networks it contains."
IRC-Junkie asked Tjerk Vonck, who is the webmaster of mIRC.com, if he is aware of the problem. "No. And really, I doubt there is such a problem", he replied.
"Making the servers.ini file for non-humans hard to download does not solve this situation", the Undernet abuse-exploits team member explains. "The abuser could manually download the ini, and put it on his own website." Also Tjerk agrees: "Especially not since the ini hardly changes over time, so any old copy would do perfectly fine, for normal users, and the drones you're looking for."
It seems that for now, IRC networks with servers.ini aspirations had better realize that being listed can potentially have unwanted side effects.
_________________
Asmo
webmaster www.IRC-Junkie.org
|
Skip
Joined: 14 Nov 2004
Posts: 35
Location: Darwin, Australia
Posted: Tue Feb 28, 2006 10:28 pm
Quote: "hey look at me in the nude @ http://ip-number-here/me-nude.jpg"
This link is broken
|
SuMiT
Joined: 28 Feb 2006
Posts: 6
Location: Dhaka, Bangladesh
Posted: Tue Feb 28, 2006 11:29 pm
Post subject: Reply to Skip
Isn't it just simply an example, not a link!!
_________________
SuMiT
|
Delta
Joined: 11 Feb 2005
Posts: 10
Posted: Wed Mar 01, 2006 4:19 am
Are there really many people that even use the servers.ini to get to a network?
I really doubt IRC has this huge slew of users coming in that don't know a lick about IRC and just start clicking around, few if any. If people are coming on IRC, they already know their destination pretty well (be it a channel or otherwise).
A network doesn't need to be in the mIRC listings anymore to get big - mine sure isn't. We've worked our way into the top 30 nicely with just hard work, no warez and just being good to our users.
We've considered getting ourselves in the servers.ini, but we couldn't outweigh the bad points of it to do it. Sure it would be cool to be in there, but one of our opers, opers for one of the bigger networks around and has stated truthfully, it's caused more headaches with spambots, etc.
With that being said, though, most of these spammers, etc, all have a pattern within their name. Users of the UnrealIRCD should really sit down with their staff and learn how to use /spamfilters with regexp. We've had 1000 user botnets load up w/o a rally channel, just idle, and clean them out by simply pattern matching fields in the nick/ident/realname/etc. A lot of people give unreal a hard time as the 'kiddy' solution, but you get back to me when your net is being smashed by some 800 user 'net because you decided you wanted to be hardcore and use hybrid
~Francisco
|
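The field-pattern matching described in the post above, as an added example that is not part of the thread and is not UnrealIRCd code: it groups connecting clients by the character shape of their nick and ident, proposes a regex for any shape shared by many clients, and checks that regex against known regulars before staff turn it into a filter. All client records, the `min_hits` threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample data: (nick, ident, realname) for recent connections.
CONNECTIONS = [
    ("xkqzt4821", "xkqzt", "xkqzt4821"), ("mary22", "user", "mary"),
    ("bwmrp1190", "bwmrp", "bwmrp1190"), ("nightowl", "owl", "Night Owl"),
    ("hjdls7734", "hjdls", "hjdls7734"), ("john19", "user", "john"),
    ("qpwvn0052", "qpwvn", "qpwvn0052"), ("lisa84", "user", "lisa"),
    ("tzkcg6608", "tzkcg", "tzkcg6608"), ("op_dave", "dave", "Dave"),
    ("mike07", "user", "mike"),
]
# Constructed list of regulars (nick, ident) that must not be filtered.
KNOWN_GOOD = [("nightowl", "owl"), ("rosa77", "rosa"), ("op_dave", "dave")]

def shape(field):
    """Reduce a field to character classes: letters -> 'a', digits -> '9'."""
    return re.sub(r"[0-9]", "9", re.sub(r"[A-Za-z]", "a", field))

def shape_regex(sh):
    """Turn a shape such as 'aaaaa9999' into '[A-Za-z]{5}[0-9]{4}'."""
    classes = {"a": "[A-Za-z]", "9": "[0-9]"}
    parts = []
    for run in re.finditer(r"a+|9+|[^a9]+", sh):
        text = run.group()
        if text[0] in classes:
            parts.append("%s{%d}" % (classes[text[0]], len(text)))
        else:
            parts.append(re.escape(text))  # punctuation is matched literally
    return "".join(parts)

def candidate_filters(conns, known_good, min_hits=4):
    """Return (regex, hits, false_positives) for each nick!ident shape seen
    at least min_hits times, most frequent first."""
    counts = Counter((shape(n), shape(i)) for n, i, _ in conns)
    out = []
    for (nick_sh, ident_sh), hits in counts.most_common():
        if hits < min_hits:
            continue
        pattern = "^%s!%s$" % (shape_regex(nick_sh), shape_regex(ident_sh))
        rx = re.compile(pattern)
        hit_regulars = [n for n, i in known_good if rx.match(n + "!" + i)]
        out.append((pattern, hits, hit_regulars))
    return out

if __name__ == "__main__":
    for pattern, hits, fps in candidate_filters(CONNECTIONS, KNOWN_GOOD):
        verdict = "usable" if not fps else "too broad, would hit %s" % fps
        print("%-40s %d hits  %s" % (pattern, hits, verdict))
```

A candidate that catches a regular needs narrowing, for instance by adding the realname field, before it is deployed.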
Skip
Joined: 14 Nov 2004
Posts: 35
Location: Darwin, Australia
Posted: Wed Mar 01, 2006 8:58 am
Post subject: Re: Reply to Skip
SuMiT wrote: "Isn't it just simply an example, not a link!!"
Ok .. the example is broken
|
SebDE
Joined: 30 Oct 2004
Posts: 34
Posted: Wed Mar 01, 2006 11:36 am
Post subject: Re: Reply to Skip
SuMiT wrote: "Isn't it just simply an example, not a link!!"
That was a joke! lol
_________________
IRC is an Addiction with No cure
|
Asmo
Site Admin
Joined: 26 Oct 2004
Posts: 663
Location: Undernet
Posted: Wed Mar 01, 2006 12:23 pm
PS, I also got a reply from Khaled now, and he says over the years he as well had discussions over the way servers.ini can be abused with admins. But as the article above implies, there's not really a lot you can do about it. If you make the download impossible for drones to download for example (type text strings over from an image for example), then simply drone runners will download it first and feed it to their bots, etc.
New network admins will have to decide for themselves if they want to be listed in servers.ini or not. I hope this article has helped them to decide if being listed there is worthwhile for them or not.
_________________
Asmo
webmaster www.IRC-Junkie.org
|
Skip
Joined: 14 Nov 2004
Posts: 35
Location: Darwin, Australia
Posted: Wed Mar 01, 2006 10:32 pm
Asmo wrote: "New network admins will have to decide for themselves if they want to be listed in servers.ini or not. I hope this article has helped them to decide if being listed there is worthwhile for them or not."
Perhaps a good suggestion to networks wanting to be listed in servers.ini would be to submit their network information with a separate round-robin alias to their regular (usually irc.your.network), if things don't go to plan they can then remove the alias or direct it to a dummy server that redirects legitimate clients to the proper server(s) (which is what many networks had to do with fizzer IIRC).
|
SanitariuM
Joined: 03 Mar 2006
Posts: 1
Posted: Fri Mar 03, 2006 7:21 pm
Post subject: Info
Hello IRC Junkies... I was directed to this site by an oper on the Beirut network mentioned in the front page article. I am the Undernet Scripter in mention.
I've extensively examined these bots. They are indeed GT Bots as mentioned. There's a total of somewhere around 10,000 drones run by that trojan. On a small network like Beirut, they were counting for over 80% of all connections to the server as well as joins in the affected channels.
Different networks are taking different approaches to dealing with these drones. Some are locking off the channels with +r +i or +k modes... while others are filling their banlists to max and having all sorts of problems.
If any of you on these affected networks would like my assistance in dealing with these drones... feel free to email me at fixxxxxer@gmail.com or leave me a msg on this forum.
Affected Networks :
|
mite
Joined: 30 Oct 2004
Posts: 107
Posted: Sun Mar 05, 2006 6:33 pm
Individuals deeply involved in the mIRC project sure do like to disavow all knowledge...
hehe, sup.. SanitariuM.. your scripting skills have finally gotten you some much deserved publicity. Good job, dude.
|
Bynw
Joined: 17 Nov 2004
Posts: 3
Location: Psionics.Net
Posted: Mon Mar 06, 2006 12:42 am
As the network admin of a small and slowly but surely growing net, I like being listed in mIRC's servers.ini file. We have been listed now for 3+ years. Yes, it does have some unwanted side effects but those can be dealt with. Other side effects are that other IRC clients get their server listing from mIRC as well so you end up in more listings.
_________________
Psionics.Net IRC Network
The Internet's Premiere Role-Playing Chat Community
Network Founder/Administrator
http://www.psionics.net
/server chat.psionics.net
Listed in mIRC and other popular clients under network name of "Psionics"
|
Stefano
Joined: 01 May 2005
Posts: 33
Location: Beirut
Posted: Sat Mar 18, 2006 3:11 am
Damn, those bots were a pain in the ass. But now that we have everything under control, and tx to SanitariuM who halted that invasion, I remember more some fun moments, like when I joined one morning and found all IRCops glining and counting the bans as if it's an RPG game..
I'm sorry to hear that some networks have shut down or were about to shut down..
I honestly advise all new people starting a new network to not apply to servers.ini unless you are up to it and not just 2 ircd with basic IRC knowledge and yeah life is cool.. no! You will face flood, spambots, ddos... being listed will make you lose your neutrality.
_________________
Administrator @ Beirut IRC Network
Webmaster @ Beirut Scripts
DJ @ Beirut Radio