Well, it’s about time for there to be another Lulz of the Day! Today we’ll be lulzing about Ark, my IRC anti-floodbot script. As an IRCop on a network, I am constantly fighting floodbots who join, /msg everyone on the network some spam and then disconnect. I figured that there must be a way to stop them, and so I diligently started working on Ark. Ark is a Perl script that connects to an IRC server as an IRCop and joins the most popular channels (which you specify). It then waits quietly, biding its time until it gets /msg’d. Once it receives a message, it springs into action, checking the received message against a list of regexes. If any of them match, it will /kill the bot and resume its slumber.
This very simple, yet oddly helpful script can be downloaded from my code site.
Peace and chow,
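The decision logic described in this post, as an added sketch in Python; it is not Ark's own Perl code. The bot nick, the spam patterns, the exempt service nicks and the sample lines are all constructed assumptions.

```python
import re

BOT_NICK = "Ark"  # assumed nick of the monitoring oper client
# Constructed spam patterns; a real deployment would load its own list.
SPAM_PATTERNS = [re.compile(p, re.I) for p in (
    r"https?://\S+",      # unsolicited links
    r"\bjoin\s+#\S+",     # channel advertising
)]
# Assumed service nicks that must never be killed, even on a pattern match.
EXEMPT_NICKS = {"nickserv", "chanserv"}

# Raw server line layout: ":nick!user@host PRIVMSG target :text"
PRIVMSG_RE = re.compile(r"^:([^!\s]+)!([^@\s]+)@(\S+) PRIVMSG (\S+) :(.*)$")

def handle_line(line):
    """Return the KILL command for one raw server line, or None."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    nick, _user, _host, target, text = m.groups()
    # Only private messages to the bot count; channel traffic is ignored,
    # so ordinary users posting links in a channel are never touched.
    # (.lower() approximates IRC's own nick case-mapping.)
    if target.lower() != BOT_NICK.lower():
        return None
    if nick.lower() in EXEMPT_NICKS:
        return None
    if any(p.search(text) for p in SPAM_PATTERNS):
        # The nick comes from a whitespace-free capture group and the
        # reason is a constant, so no sender text reaches the command.
        return f"KILL {nick} :Spam via private message"
    return None

def scan(lines):
    """Run handle_line over many lines and collect the KILL commands."""
    return [cmd for cmd in map(handle_line, lines) if cmd]

# Constructed sample traffic (not real logs).
SAMPLE = [
    ":spam123!x@198.51.100.7 PRIVMSG Ark :FREE stuff http://example.invalid/",
    ":alice!a@203.0.113.5 PRIVMSG #chat :docs are at http://example.org/",
    ":bob!b@203.0.113.9 PRIVMSG Ark :hi, are you a bot?",
    ":NickServ!services@services.example PRIVMSG Ark :see http://example.org/",
]

if __name__ == "__main__":
    for cmd in scan(SAMPLE):
        print(cmd)
```

Only the first sample line produces a KILL: the second is channel traffic, the third matches no pattern, and the fourth comes from an exempt service nick.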
Well, today I helped defuse a botnet by destroying its control method. Some of you may not know, but I happen to be a services operator on CAIRC, and I was noticing some strange connect lines, with users from all over with the nick: XP|USA|000|2394 that were all idling in a channel called #V3NOM. So I decided to join and see what was going on, and lo and behold, there were about 10 of them idling along, not responding to any messages or private messages. I looked at their IPs and they were connecting from all over (Belgium, USA, Estonia, etc…) so I assumed that they were part of a botnet. I started by taking over the channel and setting the mode to +mutn (so they couldn't talk and see anyone else in the channel), just to neutralize any control mechanism, and I set a JAKILL (regex AKILL) which easily took them all out.
This is my second botnet that I detected and stopped, though this one was larger than the other one. So hopefully I'm doing my part to help slow the growth of the "zombie armies".
EDIT: After talking with the other IRCops, it was decided to let them join, but join the channel with a bot-like nick, hopefully gathering the passwords so we can remove/disarm the bots.
Peace and chow,