skalek Just Arrived
Joined: 15 Sep 2003 Posts: 0
Posted: Mon Sep 15, 2003 11:37 pm Post subject: How IRC Bots/Trojans hide their ip address/domain?
I have seen a few machines that were hacked with IRC bots. When I sniff or check out the config files for these bots, I will sometimes follow them to the server they are connected to and join the channel.
One of the things I see when I join the channel is, obviously, quite a few bots, but also the fact that if I do a whois on their nick, I don't see their hostname or IP address.
Most of these bots are generally mIRC from my experience with them. Yet I am pretty sure IRC does not have the ability to hide your IP address.
How are these bots doing it? For example, when I check a whois the bot will look something like:
XDCC-1201-DS@KJDKJHASLNASLKJ:SAKLJNLFJKNALSN
Instead of a host name or ip address.
Can anyone provide any insight on this?
Thanks
Skalek
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Mon Sep 15, 2003 11:42 pm Post subject:
They don't use mIRC; they use custom IRC bots, and they generally use custom IRC servers which will mung the hostnames in the way you describe.
This means that even if you have the key for their channel and the network, you still can't see the real IPs of their zombies, unless of course you get DDoSed by them, in which case you'll get to see ALL the IPs.
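The server-side "munging" ShaolinTiger describes is usually called host cloaking: the ircd replaces the real host with a keyed hash before anyone else sees it, so whois shows a string like the one in the first post. The following is an added example, not code from any poster or from a real ircd. It models the scheme loosely on the way public ircds cloak IPv4 addresses (one hashed component per prefix length, so the structure survives but the value does not); the key, the 8-character tags, the `.IP`/`.IP6` suffixes and the sample addresses are all assumptions made for the demo.

```python
import hashlib
import hmac
import ipaddress

# Constructed cloaking key. On a real server this is a secret in the ircd
# config; whoever holds it can recompute a cloak, but nobody can reverse it.
CLOAK_KEY = b"example-network-cloak-key"


def _tag(key: bytes, data: str, length: int = 8) -> str:
    """Keyed, truncated hash of one host component (upper-case hex)."""
    digest = hmac.new(key, data.encode("ascii"), hashlib.sha256).hexdigest()
    return digest[:length].upper()


def cloak_host(host: str, key: bytes = CLOAK_KEY) -> str:
    """Return the cloaked host a cloaking server would show in WHOIS.

    IPv4 a.b.c.d             -> H(a.b.c.d).H(a.b.c).H(a.b).IP
    IPv6 addr                -> H(addr).IP6
    name lab.isp.example.net -> H(name).isp.example.net
    Only the first label of a hostname is hidden when it has three or more
    labels, so the ISP part stays visible; shorter names keep only the TLD.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an address, treat as a hostname

    if ip is not None and ip.version == 4:
        a, b, c, _ = host.split(".")
        return ".".join([
            _tag(key, host),            # unique per address
            _tag(key, f"{a}.{b}.{c}"),  # shared by the whole /24
            _tag(key, f"{a}.{b}"),      # shared by the whole /16
            "IP",
        ])
    if ip is not None:
        return _tag(key, ip.exploded, 16) + ".IP6"

    labels = host.lower().split(".")
    if len(labels) >= 3:
        return _tag(key, host.lower()) + "." + ".".join(labels[1:])
    return _tag(key, host.lower()) + "." + labels[-1]


def whois_userhost(ident: str, host: str, key: bytes = CLOAK_KEY) -> str:
    """ident@host exactly as a whois on a cloaking server would print it."""
    return f"{ident}@{cloak_host(host, key)}"


def same_cloaked_subnet(cloak_a: str, cloak_b: str) -> bool:
    """True if two IPv4 cloaks came from the same /24.

    This is what a cloak still leaks: it hides the address, not the grouping,
    so an investigator can still count how many bots share one ISP block.
    """
    pa, pb = cloak_a.split("."), cloak_b.split(".")
    if len(pa) != 4 or len(pb) != 4 or pa[3] != "IP" or pb[3] != "IP":
        return False
    return pa[1:3] == pb[1:3]


if __name__ == "__main__":
    # Constructed sample hosts (documentation ranges), not real bots.
    for bot in ["203.0.113.10", "203.0.113.77", "198.51.100.5",
                "dsl-42.isp.example.net"]:
        print(f"{bot:24s} -> {whois_userhost('XDCC-1201-DS', bot)}")
```

Without the server's key there is no way back from the cloak to the address, which is why sniffing the bot's own connection (or the ircd itself) is the only reliable route to the real IP; but because the hash is per prefix, two cloaks that agree in their middle components still tell you the bots sit in the same /24.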
lostbuffer Just Arrived
Joined: 04 Feb 2003 Posts: 0
Posted: Tue Sep 16, 2003 6:51 am Post subject:
There are a lot more effective ways to get the bots' IPs than to get packeted. If you have their binary, just sniff them until you figure out how they work and the password. Once you have the password you could make them download something off your site and view your Apache logs. A lot of the time the botnet will be running on a compromised machine; you could own the ircd and packet-sniff the whole ircd, or find out who the owner of the box is and talk to them, which also works very well. Getting DDoSed isn't cool at all. Later.
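The "view your Apache logs" step above works because the bots connect to your web server directly, so the access log records the real client address regardless of how the IRC side is cloaked. Here is an added example of that log review, not code from the poster: it parses Apache combined-format lines and tallies which clients fetched a given bait path, with their user agents. The log lines, the bait path and the IP addresses are constructed for the demo (documentation ranges, not real hosts).

```python
import re
from collections import defaultdict

# Apache "combined" log format, one named group per column. The referer and
# user-agent columns are optional so plain "common" format lines parse too.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample log: two bots fetch the bait file (one of them twice),
# one unrelated visitor, and one malformed line that must be skipped.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Sep/2003:06:55:01 +0000] "GET /bait.txt HTTP/1.0" 200 48 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [16/Sep/2003:06:55:09 +0000] "GET /index.html HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Sep/2003:06:56:30 +0000] "GET /bait.txt HTTP/1.0" 200 48 "-" "-"
192.0.2.10 - - [16/Sep/2003:06:57:02 +0000] "GET /bait.txt HTTP/1.0" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
this line is not a log entry
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def bait_fetchers(log_text: str, bait_path: str) -> dict:
    """Map client IP -> {"hits": count, "agents": set()} for requests of bait_path.

    Query strings are ignored when comparing the path, and a missing
    user-agent column is recorded as "-" so it still shows up in the tally.
    """
    hits = defaultdict(lambda: {"hits": 0, "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != bait_path:
            continue
        entry = hits[rec["ip"]]
        entry["hits"] += 1
        entry["agents"].add(rec["agent"] or "-")
    return dict(hits)


if __name__ == "__main__":
    for ip, info in sorted(bait_fetchers(SAMPLE_LOG, "/bait.txt").items()):
        print(f"{ip:16s} hits={info['hits']} agents={sorted(info['agents'])}")
```

The user agent is worth keeping: a bot that fetches with an empty or odd agent string is easy to tell apart from a human who stumbled on the same URL, and the same regex runs unchanged over a real `access.log` read from disk.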
pinglacson Just Arrived
Joined: 22 Aug 2003 Posts: 0 Location: Fy_Iceworld, Philippines
Posted: Tue Sep 16, 2003 11:40 am Post subject:
Hi, I'm a newbie with security. I use IRC often. May I know what these bots you are referring to are? Are these computers infected with some sort of trojan? I would appreciate it if someone could explain this thread's first post. Thanks!
CHeeKY Just Arrived
Joined: 13 Feb 2003 Posts: 3
Posted: Tue Sep 16, 2003 1:36 pm Post subject:
There are 2 ways this can be done.
You can either run a thing called a BNC (google psyBNC); this then lets you create your own "vhost", and that's what the funny things after the name are on connection.
Some servers help and hide your IP, while others just show it. Look into psyBNC; many folk host BNCs on SQL shells, which are cheap as hell. Many hackers actually use the machines they hack to install bots, for example: the hacker installs bots and connects via his IRC client to the bot, then the bot to the IRC server, so he gets all the options, and even if the IP was showing, it isn't theirs.
The cheapest way is to buy a shell; it costs about 90 pence a month.
Some servers offer vhosts for free, so always check around.
pinglacson Just Arrived
Joined: 22 Aug 2003 Posts: 0 Location: Fy_Iceworld, Philippines
Posted: Thu Sep 18, 2003 1:49 pm Post subject:
So these bots are run by hackers? What do they do? My friend uses some sort of BNC; her IP is proxied/bounced to Japan. But I'm 100% sure she doesn't pay for anything. Is this possible?
alt.don SF Boss
Joined: 04 Mar 2003 Posts: 16777079
Posted: Thu Sep 18, 2003 3:04 pm Post subject:
Hello pinglacson, I would like to suggest that it would be simpler to google for "irc bots" "hackers" or some such search string. The questions you are posing are wide-ranging and cannot be answered in a simple sentence or two. Once you have read some material on the subject you have raised and would like some clarification, please come back and post the questions in this thread or start a newer one which is more pointed. Remember, google is your friend!