www.IRC-Junkie.org Forum Index
September 2004

Asmo
Site Admin


Joined: 26 Oct 2004
Posts: 663
Location: Undernet

Posted: Wed Oct 27, 2004 10:29 am    Post subject: September 2004

Extortion by DDoS

Wednesday, October 27 2004 by Asmo

Malicious users don't need a reason to launch an attack, but they could also perform one for extortion. 'Either pay up, or your online business is offline' is the working method.

This article in the Houston Chronicle has a Steve Gibson-like story detailing one such attack.

More 'good' exposure for IRC...
There have been 0 comments added to this article.

Rizon's DNS woes

Tuesday, October 26 2004 by Asmo

Deliberately leaving out a correct address for the registrant left the Rizon.net network without working DNS for several days.

"The error it appears was caused because the owner of the domain filled in random letters and numbers for the contact information address which was flagged", K\sd, service operator at Rizon.net said in a reaction to IRC-Junkie. Why a legitimate address was left out K\sd was not able to answer.

At this moment the domain is fixed again, and the network is in normal operation again. Statistics at NetSplit.de show the impact of the DNS failure.
There have been 1 comments added to this article.

Bahamut 1.8.3 released

Tuesday, October 26 2004 by Asmo

"The Bahamut Coding Team is proud to announce the release of Bahamut 1.8.3.
This release is a loose-ends release, including many bug fixes and a few
new and refined features. It is available from ftp://ftp.dal.net and
http://bahamut.dal.net.", Epiphani announced on the DALnet ircd list. The release mainly contains various types of bug fixes.
There have been 0 comments added to this article.

Hacked .Edu Host A First?

Saturday, October 23 2004 by Asmo

This is more a personal rant than a news item. --- Big news today at CNN. In the article named Hackers crack Purdue's computer system we can read about the university's computer being hacked as if it is a world first: "Someone gained unauthorized access to Purdue University's computer network, prompting school officials to urge all students, staff and faculty to change their passwords."

On IRC the .edu hosts are known to be almost exclusively abused by malicious users to host their BNC, or used in flood nets. It is not uncommon for bigger channels to have banned *!*@*.edu as a necessary standard.

From personal experience, notifying the university that their machines are being compromised is a futile attempt at being a helpful citizen. In less than 10% of the attempts you will get a reply, more often than once also including the question on how to secure their system again. And that is assuming the cracker does not control the mail server as well and intercepts the mail being sent (I even got replies from the cracker themself).

Someone, please wake these people up :)
There have been 5 comments added to this article.

SorceryNet Founder Leaves Network

Friday, October 22 2004 by Asmo

The past year has been quite turbulent for the SorceryNet IRC network. Several admins delinked and moved their servers to the DarkMyst network.

Yesterday one of the original founders and server admin Skandranon made a decision to part the network. In an email to the public he lists some of his reasons to leave the network: "sorcery.net admin have, as a whole, shown very little respect for each other and other would-be admin", "I have paid for the domain registration fees for sorcery.net for most of the years it has existed, and for the last three years have paid nearly $100 on average per month for astral.sorcery.net and kechara.sorcery.net." Additionally Skandranon was the coder of a network service in use, which got replaced by an in his eyes inferior service without his consent. "Because I am paying $100 to be treated like a bastard, I chose to walk away and let the network fend for itself. My only regret is that the users will suffer a bit", he concludes.

By delinking his servers the network is now left with only 2 servers (cookie.sorcery.net and iuturna.sorcery.net) which can be used by users, only iuturna.* is able to handle the network's high traffic.

One of the events that has escalated the problems to the current situation is the application for a server by Zaphire which got declined with the reason; "Sorry we don't want you here. You are klined and unwanted because of the staff that you have submitted on your application. (10/14/2004)". Some of the indicated opers on the application also use DarkMyst.

In a separate email directed to some of the network staff Skandranon 'thanked' some of his ex-colleague staff for actions performed against him. He also has a last message for them: "One last parting comment: Be nice. Remember, I still own the domain name. Continue to be rude to me or any former admin or operator of kechara, and I'll do what I've been accused of many times -- trying to keep the name." In a reaction to IRCJunkie Skandranon assured that he has "no intent to hurt the users of sorcery.net, and the domain will always be used to support sorcery.net users."

"Suffice to say the network is in big trouble, and may collapse completely because of this. There are now only a handful of staff left on the network, and the future of Astral and the domain name are in question" said Tom Coussell, who greatly helped with the background research for this article.

Skandranon explained Astral.*'s future is not in question: "It is owned by the network, and is in a colo facility, and those fees are paid up until the end of the year." It is the main hub in use by the network.

We asked Skandranon what he will do now; "I believe I've had my time in the IRC world, and will find other things to do."

"sorcery.net started nearly 8 years ago now from a group of servers leaving dal.net. The network has built a very strong and loyal user base, many of which are gamers or other role playing groups. It was not an easy decision to leave, but it was time."

"I've had many good times, and many bad times on IRC and specifically in sorcery.net. I simply cannot agree with recent behavior or personalities which are dominant in the network administration. Internal hostilities were never in short supply, and consideration and respect were never common."

"I wish the network the best."
There have been 4 comments added to this article.

QuakeNet Services Changes

Wednesday, October 20 2004 by Asmo

Yesterday QuakeNet announced new and changed features on their Q service: As many of you will have noticed, Q was given a bit of an upgrade last night. A number of features were introduced:

* A maximum number of 2 users may AUTH to any one account.
* +b CHANLEVs are now hidden in a Q WHOAMI, unless +m or +n CHANLEV is combined with it.
* Only CHANLEVs for common channels are shown in a Q WHOIS, like L.
* Staff members may be identified by a Q WHOIS.
* Q will now use a PART message when leaving a channel.
* Global auth levels have been removed from the Q WHOIS.


"In order to help reduce the effects of compromised accounts, as well as idler clones, it has been decided to limit the maximum number of concurrent logins to 2 per account", magpie gives as reason for the changed max logins. On December 30 2002 Undernet decided to bring the max logins allowed down to 1 from 3. The feature was abused by malicious users who would supply their floodbots with the hostmask hiding feature to circumvent the +r channel mode, which only allows registered and logged in users to join a channel.
There have been 0 comments added to this article.

Accounts with Hotmail addresses accidentally suspended at QuakeNet

Monday, October 18 2004 by Asmo

"At approximately 17:40 BST (18:40 CEST) all Q accounts with a "hotmail.com" email address were accidentally suspended by QuakeNet", magpie reports at the QuakeNet website.

A QuakeNet user saw a line from a QuakeNet admin that gives a bit more insight into what happened: (@Deckard): I've accidentally suspended all Q accounts using hotmail, which is taking some of my time

O broadcast a message network wide on the error: Due to an administrative error in the form of a slight typo, all Q accounts that use email addresses registered under hotmail.com are presently suspended and are not usable. Rest assured we're sweating over typewriters to resolve this problem as soon as is possible. Q will return shortly tonight once relevant repairs are made to the database and certain people are vandalised with SCSI cables.

"We are currently in the process of removing suspensions on accounts hit in error, and ask that you remain patient whilst this is taking place - Q will return once this is finished. Due to the number of accounts affected, this may take some time", magpie concludes.
There have been 11 comments added to this article.

BNC proxy contains remote command execution exploit

Sunday, October 17 2004 by Asmo

"BNC contains an input validation flaw which might allow a remote attacker to issue arbitrary IRC related commands", Thierry Carrez wrote in an email to Security Focus.

The affected BNC versions are 2.8.8 and below.

"A flaw exists in the input parsing of BNC where part of the sbuf_getmsg() function handles the backspace character incorrectly", Carrez explained the exploit. The malicious user can use fake authentication credentials which can make it possible for him to gain access to scripts installed on the client.

There are no known workarounds, so upgrading is the only path to security. You can download BNC here.
There have been 0 comments added to this article.

Undernet's #help launches new website

Friday, October 15 2004 by Asmo

The channel #help is one of Undernet's official help channels. Over the past period webmaster Chemunga has been busy redesigning the website.

The website is not yet fully done, but is available for viewing already.
There have been 0 comments added to this article.

Result IRCJunkie's smiley contest

Friday, October 8 2004 by Asmo

Time to announce the winner of the IRCJunkie smiley (emoticon for some fundamentalists) contest! I am glad to say we got quite a few submissions, so we might repeat with a new contest in the future.

Goal was to come up with an as original, weird or funny smiley as possible, which would be awarded with a copy of the recently released IRC Hacks from O'Reilly's Hack Series.

And the winning smiley is ...

¤_¤


Which was described as: "My smiley for the contest is ¤_¤ which is a "i'm so full of caffeine I won't be able to sleep for 2 weeks" smiley. enjoy :)"

Although many of the submitted smileys were quite complex and seem to follow the principle 'the more the better' (number of characters) this one struck us as very effective, and getting the point across, which seems to be the whole point of using emoti.. uh, smileys in the first place!

Congratulations Mathias Rodstedt from Sweden, we will send you the book as soon as possible.

There have been 9 comments added to this article.

More virus news

Friday, October 8 2004 by Asmo

"Security experts have spotted a new, “sophisticated” worm that uses uncustomary techniques to spread via IRC (Internet Relay Chat) systems", this article on Webuser starts.

Once infected, the worm will connect to IRC where it will join channels and start to offer files such as a Britney screensaver or the Burnout 2 car game. Naturally the links lead to the worm instead of the promised files. Also any security software found will be disabled, such as firewalls and antivirus software.

"The way in which Noomy.A uses social engineering to trick IRC users seems to be an attempt to open a new means of virus propagation. For this reason, users must be on the alert, ignoring any messages that offer content they have not asked for, whatever internet service they are using." New? Spreading of viruses with the use of tempting download links is a many-year-old phenomenon on IRC, unfortunately.

Think before you click is an important motto on IRC. Also basic security practices like installing all the updates for your OS, and installing a decent firewall and antivirus are a necessity. The last two can be found for free on the Net (and I don't mean as warez!). Check out the links page for a list of free downloads.
There have been 13 comments added to this article.

Attack of (all?) the bots

Wednesday, October 6 2004 by Asmo

"If there is one eye-catching trend in Symantec's latest half-yearly Internet security threat report, it is that bots are upon us", this article in C|Net starts.

Good bots, bad bots. Although at least this article mentions some good use of bots on IRC, IRC is getting quite a share of negative publicity lately as the platform of choice for malicious users to host their drones (bad bots!) on.
There have been 6 comments added to this article.

Undernet CService member dies

Tuesday, October 5 2004 by Asmo

"It is with great sadness that we announce the death of Lt. Daniel McReady, known to us all as chip. He passed away on the 23rd of September on the battlefield in Iraq, while striving for peace", the Undernet News page announced.

Chip was a member of the channel service on Undernet, CService. A thread has been started where condolences, thoughts and prayers can be put.
There have been 3 comments added to this article.

jIRCii Beta 15 released

Monday, October 4 2004 by Asmo

"jIRCii beta 15 has been released. Additions include proxy server support, updated scripting library, and the usual bug fixes and enhancements. Overall over 20 changes have been logged", IRCJunkie received in a press-release.

New is the jIRCii Launch Service. It allows you to start the client straight from the developer's website. More about that can be found here.
There have been 1 comments added to this article.

IRC Hacks contest

Saturday, October 2 2004 by Asmo

IRCJunkie received a complimentary copy of the IRC Hacks book recently released by O'Reilly.

If you want to win this book, all you have to come up with is a new smiley. The weirder, the better! Take a look at these examples to get your creative juices flowing:

12x@>--->--- (a dozen roses), -=#:-) (wizard), M-), :X, (see no evil, hear no evil).

To enter the contest, send us your smiley with your complete address via the contact page. Do not forget to include the meaning of your smiley!

On Friday the 8th of October I will then announce who is the winner. Failing to include your address means I can't include you in the contest.

Naturally we will not use your address for anything other than to send you your book if you win. We won't keep your addresses either once the contest is over.
There have been 13 comments added to this article.


JPG virus found in the wild

Wednesday, September 29 2004 by Asmo

After the release of the proof of concept code last week, a real virus has now been found in the wild which makes use of the recently discovered buffer overrun vulnerability in the way Microsoft programs handle the JPEG format.

It is the GDI+ object, used in programs such as Internet Explorer, Outlook and others, that contains the vulnerability. It is said only Windows XP machines are vulnerable, and even then some installations seem to be immune to the exploit. Microsoft released a patch to fix the vulnerability.

The virus has been found in porn images which have been distributed over porn newsgroups. After the initial infection, the virus will download additional software from an FTP server, including WinVNC and Radmin. Naturally, the virus will connect to an IRC server and wait for commands from the dronerunner.
There have been 20 comments added to this article.

Alternative mIRC helpfile

Monday, September 27 2004 by Asmo

"Lots of scroooolling always annoy me.. So for that i converted it.. Hope you'll enjoy it.." Adrenalin wrote in an email to IRCJunkie.

Adrenalin has created an alternative help file in the .chm format for mIRC. Removing the need to scroll a lot is not the only change compared to the original help file. Adrenalin also anchored all keywords so you can move quickly around the help file to look up what you need.

You can download the file here.
There have been 6 comments added to this article.

Arrest made in Cisco code theft case

Saturday, September 18 2004 by Asmo

A 20-year-old man has been arrested by the Manchester, U.K. and Derbyshire, U.K. Metropolitan Police Computer Crime Units. The police refused to go into the specifics of the reasons for arresting the man, but it is said to be linked to the Cisco code theft in May this year.
800Mb worth of Cisco's Internetwork Operating System (IOS) code has been stolen on a Russian website. Not long after the alleged break in, someone nicknamed Franz has been bragging about the break in on IRC and posted about 2,5Mb of compressed code.
There have been 8 comments added to this article.

SDBot sniffs network traffic

Thursday, September 16 2004 by Asmo

Another new development has been found in the SDBot type of viruses. In recent versions of SDBot the feature of network sniffing has been found. SDBot-UH also contains more common features such as keystroke logging, and is spreading using a list of common Microsoft exploits (Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability, Buffer Overflow in SQL Server 2000, IIS5/WEBDAV buffer overrun and the LSASS vulnerability).

The network sniffing feature makes it particularly easy for malicious users to gain passwords, financial information, credit card details, etc. SDBot-UH is in particular looking for PayPal account information, and CD keys of games. It is also capable of performing DDoS attacks.
There have been 7 comments added to this article.

IRCd Galore

Tuesday, September 14 2004 by Asmo

Two major IRCd's have had an update:

Bahamut 1.8.2 got announced to a DALnet mailing list by epiphani: "The DALnet coding team is proud to announce the release of Bahamut 1.8.2. This release consists of hundreds of bug fixes across the board, including some outstanding bugs from the 1.4 tree. We're now recommending everyone make the transition from Bahamut 1.4 to Bahamut 1.8. Please use ftp://ftp.dal.net to get the new version."

The second IRCd to have an update is Unreal 3.2.1b for Windows. Codemastr announced on the UnrealIRCd website: "Unreal 3.2.1 has proven to be a pretty stable release. However, a few Windows specific issues have been found. As a result, we have decided to release a Windows specific upgrade."
There have been 0 comments added to this article.

GameSurge introduces mode changes

Tuesday, September 14 2004 by Asmo

GameSurge introduces some mode changes. The first is a brand new channel mode. "channelmode +z, which keeps your channel open even when no one is around. This mode exists only on registered channels, and has numerous advantages: for example, your channel bans, modes and the topic will (almost) never disappear!" We can read on the GameSurge website. The mode can only be used on registered channels.

Secondly, by default all connecting users are being set +iw. The +i (invisible) usermode is almost a necessity these days to prevent you from being spammed constantly on IRC.
"We will be using user mode +w to determine if you wish to see community announcement globals, so if you don't want to see those you should set -w every time you connect to the network" the website explains.
There have been 0 comments added to this article.

New mIRC servers.ini

Sunday, September 12 2004 by Asmo

A new servers.ini is available from mIRC's website.

Simply overwrite the old file, the new servers will be available directly in mIRC.
There have been 0 comments added to this article.

A new Gibson in the making?

Saturday, September 11 2004 by Asmo

"A computer security major at Mississippi State University used cyber-investigative techniques he learned in the classroom to thwart the activities of a would-be hacker from another institution."

A Steve Gibson-like story I just stumbled upon doing my news round today. It might be of interest to you :)
There have been 6 comments added to this article.

Newnet splits in two

Friday, September 10 2004 by Asmo

Disagreement over an upgrade of the services code has led to a split in the Newnet IRC network. As a consequence Newnet's user count has gone down to about one third of its usual user count, as these graphs at NetSplit.de show.

We asked eteb, one of the admins who split off and formed the new network UnitedUsers, what the disagreement was about. "Basically the NewNet founder (and services admin and domain holder) didn't update the current services even though a critical update had been made available to him several months ago. The update fixed issues such as channels dropping and services going suicidal when editing channel access lists."

In a reaction to IRCJunkie, Newnet's network admin Nanook said; "People made coding changes to services and wanted it installed. I didn't have time to do it in a time frame they wanted so to force the issue they split off and formed a new network."

In a reaction, eteb said "it took around four months from the time he was given the code till it was decided to take action."

Nanook continues, "The changes they made to services were not really well debugged, and instead of making encryption work right they tore encryption out altogether, so on the network the split off servers formed, they're calling it unitedusers.net, their services database is entirely unencrypted, which means that if their services box is ever hacked, every single nick and channel password and any other information services keeps, will be compromised as it is all in plain text." According to eteb, these issues have been fixed since then on the services code in use on UnitedUsers.

Nanook now implemented the requested code, albeit with some touching up: "At this point I've hacked encryption back into their new code, took out a feature that expired a channel when the founder's nick expires because it was causing services to core dump and be unable to save its databases. They fixed one exploit that could be used to crash services but added a bug that crashed it without anybody's help."

"So all in all I feel that they misrepresented the state of readiness of their code and I think few of the servers would have left if they had really understood how not ready it was. Over the years, since 1995, I think there have been seven occurrences now of servers splintering off of Newnet and forming new networks, and only one has survived for any period of time." Nanook concludes.
There have been 20 comments added to this article.

10k botnet shut down by Norwegian ISP

Thursday, September 9 2004 by Asmo

"A huge IRC "botnet" controlling more than 10,000 machines has been shut down by the security staff of Norwegian provider Telenor, according to the Internet Storm Center. The discovery confirms beliefs about the growth of botnets, which were cited in the recent distributed denial of service (DDoS) attack upon Akamai and DoubleClick that sparked broader web site outages" this article in Netcraft reads today.

A little later in the article we can read about the connection with IRC, which always seems to be made in DDoS related articles; "IRC (Internet Relay Chat) is a live chat system that allows users to create private discussion rooms. While IRC has a lengthy history of legitimate use, it is also a medium for discreet communication between hackers. In February the FBI shut down a large IRC provider, Ohio-based CIT/Foonet, saying it was operating a DDoS-for-hire scam. CIT operator Jay Echouafni is now a fugitive, charged with paying hackers to use botnets of between 5,000 and 10,000 hosts to launch crippling digital attacks on the websites of business rivals."
There have been 4 comments added to this article.

IceChat goes open source

Wednesday, September 8 2004 by Asmo

The Windows IRC client IceChat is going the open source route.

"IceChat , the popular IRC Client, is undergoing a complete Re-write, in C# (.Net). Version 6 will now be Open Source, with code made available at SourceForge.Net. It is currently in the Alpha stage, but making great progress" IceChat coder snerf told IRCJunkie.

A first "full beta" will not be released until the beginning of 2005, the website reports.

You can find the SourceForge project page here.
There have been 1 comments added to this article.

Internet going to crash?

Wednesday, September 8 2004 by Asmo

"Just when you thought it was safe to do all your business online comes another warning that the internet is about to crash. Wendy Grossman talks to the doomsayers", this article reads in the Independent.

What will the future bring for the Internet? This article is describing the negative sides of the current Internet infrastructure. Further down the article the point of DDoS is also brought up:

"Denial of service (DOS) attacks don't just take out a few big e-commerce sites for a few minutes any more; BT's entire ADSL network had a slowdown one weekend earlier this year because of such attacks, and Telewest's mail server was barely usable for several days last year. The Internet Relay Chat (IRC) network Dalnet was so disabled last year by similar attacks it has never recovered."
There have been 6 comments added to this article.

New Undernet newsletter

Wednesday, September 1 2004 by Asmo

A new Undernet Newsletter is released. One of the articles includes an Undernet IRCop FAQ (for Non-IRCops) which clarifies some of the mysticism around opers.
There have been 0 comments added to this article.
_________________
Asmo

webmaster www.IRC-Junkie.org
All times are GMT + 1 Hour