Security Forums

How IRC Bots/Trojans hide their ip address/domain?

skalek
Posted: Mon Sep 15, 2003 11:37 pm

I have seen a few machines that are hacked with IRC bots. When I sniff or check out the config files for these bots, I will sometimes follow them to the server they are connected to and join the channel.

One of the things that I see when I join the channel is obviously quite a few bots, but also the fact that if I do a whois on their nick, I don't see their hostname or IP address.

Most of these bots are generally mIRC from my experience with them. Yet I am pretty sure IRC does not have the ability to hide your IP address.

How are these bots doing it? For example, when I check a whois the bot will look something like:

XDCC-1201-DS@KJDKJHASLNASLKJ:SAKLJNLFJKNALSN

Instead of a host name or ip address.

Can anyone provide any insight on this?

Thanks

Skalek
ShaolinTiger
Posted: Mon Sep 15, 2003 11:42 pm

They don't use mIRC; they use custom IRC bots, and they generally use custom IRC servers which will mung the hostnames in the way you describe.

This means if you have the key for their chan and the network you still can't see the real IPs of their zombies, unless of course you get DDoSed by them, then well you'll get to see ALL the IPs :D
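A defender-side way to triage the WHOIS output discussed above, as an added example that is not part of the original thread: it parses RPL_WHOISUSER (numeric 311) lines from a capture and labels each host field as an IP, a hostname-shaped value, or an opaque string like the one quoted in the first post. The server name, requester and nicks in the sample are constructed placeholders.

```python
import ipaddress
import re

# Constructed RPL_WHOISUSER (numeric 311) lines. Server name, requester and
# the first two entries are made up; the third user@host is the value quoted
# in the first post, with a placeholder nick.
SAMPLE_WHOIS = [
    ":irc.example.net 311 analyst botA ident 192.0.2.44 * :x",
    ":irc.example.net 311 analyst botB ident host-44.isp.example * :x",
    ":irc.example.net 311 analyst botC XDCC-1201-DS KJDKJHASLNASLKJ:SAKLJNLFJKNALSN * :x",
]

# RFC 1123 style name: dot-separated labels ending in an alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)

def parse_whoisuser(line):
    """Return (nick, user, host) from a 311 reply, or None for other lines."""
    head, _, _realname = line.partition(" :")
    parts = head.split()
    if len(parts) != 7 or parts[1] != "311":
        return None
    return parts[3], parts[4], parts[5]

def classify_host(host):
    """Label the host field: 'ip', 'hostname_shaped' or 'opaque'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    # Syntax only: a partial cloak that keeps a DNS suffix also lands here,
    # so only a forward lookup confirms a hostname_shaped value is real.
    if HOSTNAME_RE.match(host):
        return "hostname_shaped"
    return "opaque"  # neither address nor DNS syntax: consistent with a rewritten host

def triage(lines):
    """Map nick -> (user, host, label) for every 311 line in a capture."""
    out = {}
    for line in lines:
        parsed = parse_whoisuser(line)
        if parsed:
            nick, user, host = parsed
            out[nick] = (user, host, classify_host(host))
    return out

if __name__ == "__main__":
    for nick, row in triage(SAMPLE_WHOIS).items():
        print(nick, *row)
```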
lostbuffer
Posted: Tue Sep 16, 2003 6:51 am

A lot more effective ways to get the bot's IP than to get packeted... if you have their binary just sniff 'em till you figure out how they work and the password... once you have the password you could make 'em download something off your site and view your Apache logs... a lot of times the botnet will be running on a compromised machine, could own the ircd and packet sniff the whole ircd... or find out who the owner of the box is and talk to them about it, which also works very well... getting DDoSed isn't cool at all... laters
pinglacson
Posted: Tue Sep 16, 2003 11:40 am

Hi, I'm a newbie with security. I use IRC often. May I know what these bots you are referring to are? Are these computers infected with some sort of trojan? I would appreciate it if someone can explain this thread's 1st post. Thanks!
CHeeKY
Posted: Tue Sep 16, 2003 1:36 pm

There are 2 ways this can be done.

You can either run a thing called a bnc (google psybnc); this then lets you create your own "vhost", that's what the funny things after the name are on connection.

Some servers help and hide your IP, while others just show it. Look into psybnc; many folk host bncs on sql shells which are cheap as hell. Many hackers actually use the machines they hack to install bots; for example, the hacker installs bots and connects via his IRC client to the bot, then bot to IRC server, thus he gets all options and even if the IP was showing, it ain't theirs.

Cheapest way is to buy a shell, costs about 90 pence a month :)

Some servers offer vhosts for free, so always check around :)
pinglacson
Posted: Thu Sep 18, 2003 1:49 pm

So these bots are run by hackers? What do they do? My friend uses some sort of bnc. Her IP is proxied/bounced to Japan, but I'm 100% sure she doesn't pay for anything. Is this possible?
alt.don
Posted: Thu Sep 18, 2003 3:04 pm

Hello pinglacson, I would like to suggest that it would be simpler to google for "irc bots" "hackers" or some such search string. The questions you are posing are wide-ranging and cannot be answered in a simple sentence or two. Once you have read some material on the subject you have raised, and would like some clarification, please come back and post the questions in this thread or start a newer one which is more pointed. Remember, Google is your friend!
All times are GMT + 2 Hours