Polarhome IRC Server Attacked.

IRC, Eggdrop, BNC problems and discussion.

Postby sjaz » Sat May 29, 2004 12:19 pm

Dear All,

Between the hours of 7:20am-9:20am GMT the IRC server was client flooded.. Network services (Operserv) was able to handle most of the clients thus keeping things fairly under control.

Shown below is a log of what happened... My interpretation is that the user joo was in the channel before this happened and the user Guest****** was the attacker..

[07:20:55] ‹ joo › you're a fucking dumbass
[07:20:56] ‹ joo › ROFLMAO!!!!!!!!!
[07:21:03] ‹ joo › you're so fucked
[07:21:08] ‹ joo › i'm glad i'm not you :)
[07:21:55] ‹ Guest1863 › heheehehe
[07:22:01] ‹ joo › hahaaaaahaha
[07:22:02] ‹ joo › HAHAHAA
[07:22:06] ‹ joo › you fucking tool
[07:22:22] ‹ joo › (07:23:19) -Guest1863- DCC Chat (62.215.60.42)
[07:22:23] ‹ joo › haha
[07:22:37] ‹ Guest1863 › send chat to me
[07:23:13] ‹ joo › 62.215.60.42 is your ip at 07:23:46 GMT
[07:23:15] ‹ joo › hahahahahaa
[07:23:16] ‹ joo › HAHAHAHA
[07:23:20] ‹ joo › YOU'RE A NOOB
[07:23:44] ‹ joo › 62.215.60.42
[07:23:45] ‹ joo › 62.215.60.42
[07:23:56] ‹ Guest1863 › hehehe
[07:24:03] ‹ joo › i have a guy from my isp watching you too
[07:25:24] ‹ Guest1863 › :P
[07:25:29] ‹ joo › 62.215.60.42
[07:26:14] ‹ Guest1863 › lol
[07:26:20] ‹ joo › that's your ip
[07:26:24] ‹ joo › you are so stupid
[07:26:32] ‹ joo › do you know how mich trouble you're in?
[07:26:48] ‹ Guest1863 › hahahy
[07:26:57] ‹ Guest1863 › wher are u from
[07:27:16] ‹ joo › ripeadmin@fasttelco.net
[07:27:18] ‹ joo › :)
[07:27:21] ‹ joo › emailed
[07:27:32] ‹ joo › with logs of you flooding, ddosing and many other things
[07:27:45] ‹ joo › also some interesting logs from your own pc :)
[07:28:57] ‹ Guest1863 › :P
[07:29:05] ‹ joo › lmao you are so fucking STUPID
[07:29:21] ‹ joo › you ARE IN SERIOUS TROUBLE
[07:29:22] ‹ Guest1863 › i want fuck u
[07:29:23] ‹ Guest1863 › :{
[07:29:25] ‹ joo › hahahahhaa
[07:29:34] ‹ joo › you can get fucked by the black guys
[07:29:36] ‹ joo › in prison
[07:29:39] ‹ joo › up the ass
[07:29:39] ‹ joo › hahaha
[07:29:49] ::: Quit: (joo) (joo@polarhome-99ABEA9.range81-153.btcentralplus.com) (Quit: 62.215.60.42 62.215.60.42)
[07:33:46] ::: Part: (Guest1863) (Never@ED5F075.8D87DB88.19170FD.IP)


Need I remind users that this kind of behavior is not tolerated and ultimately, polarhome systems cannot handle abuse.
sjaz
Forum Admin
Posts: 694
Joined: Fri Feb 14, 2003 11:08 pm
Location: London, UK

Postby afonic » Sat May 29, 2004 12:27 pm

I don't understand why someone would attack PH IRC server, I mean there are not more than 15 users connected.

From the conversation it may seem that Guest1863 is the attacker and he seems to use a proxy or something. Anybody searched out 62.215.60.42?

Man sometimes I feel bad that I cannot kick some people really hard, world is not fair.
afonic
Forum Admin
Posts: 686
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece

Postby DenisF » Sat May 29, 2004 1:34 pm

No point in trying to ban his IP and stuff, that's probably a bnc/proxied host.

This isn't unusual though, this is in no way different than people who upload(ed) spam scripts or exploited the polarhome machines with xyz bugs..

Anyway, you handled it well chaz, but for the future - I suggest something like a maxclients-per-ip or something of that sort, a good limit would be 3 per IP, with exception to trusted masks.

If you already have that implemented, ignore the above statement :)
DenisF
Forum Admin
Posts: 679
Joined: Mon Dec 16, 2002 9:09 pm
Location: Israhell

Postby sjaz » Sat May 29, 2004 5:35 pm

It is already implemented which was why there was never more than 3 connected before Operserv removed them. I will however look at lengthening the "ban time" for Session Exceptions and also install the bopm open source proxy server.

It angers me though that some people are like that.

BTW, for those who don't know ... Denis is planning on linking another Polarhome IRC server to the Solaris one so we will start to offer redundancy.. (I'll possibly get Z to forward 6668 to Denis' ircd)..
sjaz
Forum Admin
Posts: 694
Joined: Fri Feb 14, 2003 11:08 pm
Location: London, UK
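
The per-IP session limit discussed in the posts above (3 per IP, exceptions for trusted masks, a timed ban for hosts that keep exceeding it), sketched as an added example; it is not code from the thread or from any IRC services package. The class name, the threshold of 3 kills before a ban, the 30-minute ban and the sample addresses are assumptions.

```python
import fnmatch
from collections import defaultdict

class SessionLimiter:
    """Per-IP session limit with mask exceptions and a timed ban (illustrative)."""

    def __init__(self, default_limit=3, exceptions=(), max_kills=3, ban_seconds=1800):
        self.default_limit = default_limit
        self.exceptions = list(exceptions)   # (host mask, limit) pairs, first match wins
        self.max_kills = max_kills           # assumed: kills tolerated before a ban
        self.ban_seconds = ban_seconds       # assumed: ban length
        self.sessions = defaultdict(int)     # host -> open sessions
        self.kills = defaultdict(int)        # host -> over-limit attempts
        self.banned_until = {}               # host -> ban expiry time

    def limit_for(self, host):
        for mask, limit in self.exceptions:
            if fnmatch.fnmatchcase(host, mask):
                return limit
        return self.default_limit

    def connect(self, now, host):
        if now < self.banned_until.get(host, 0):
            return "banned"
        if self.sessions[host] >= self.limit_for(host):
            self.kills[host] += 1
            if self.kills[host] >= self.max_kills:
                # Repeat offender: ban the host and drop its existing sessions.
                self.banned_until[host] = now + self.ban_seconds
                self.sessions[host] = 0
                self.kills[host] = 0
            return "kill"
        self.sessions[host] += 1
        return "accept"

    def disconnect(self, host):
        self.sessions[host] = max(0, self.sessions[host] - 1)

def demo():
    # Constructed events: one host opening 8 clients, one trusted host opening 5.
    lim = SessionLimiter(exceptions=[("192.0.2.*", 10)])
    flood = [lim.connect(t, "198.51.100.7") for t in range(8)]
    trusted = [lim.connect(t, "192.0.2.10") for t in range(5)]
    after_expiry = lim.connect(5 + lim.ban_seconds, "198.51.100.7")
    return flood, trusted, after_expiry

if __name__ == "__main__":
    print(demo())
```

A longer ban only helps against a host that keeps reconnecting from the same address; clients arriving through many different proxies each start with a fresh count.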

Postby DenisF » Mon May 31, 2004 10:42 am

K mine is up

the fix was under my nose the whole time..
export TMPDIR=~/tmp
mkdir ~/tmp


anyway chazzeh,
irc.polarhome.com:8200 until Z forwards 6668 there :)
DenisF
Forum Admin
Posts: 679
Joined: Mon Dec 16, 2002 9:09 pm
Location: Israhell

Postby sjaz » Mon May 31, 2004 1:57 pm

Did you compile with

> ipv6
> ziplinks
> +oa custom prefixes

?

Linkblock added, msg me on MSN when you're around.
sjaz
Forum Admin
Posts: 694
Joined: Fri Feb 14, 2003 11:08 pm
Location: London, UK

Postby afonic » Mon May 31, 2004 1:59 pm

Server works, but it is not linked yet, is it?

Also the main server seems to have some trouble~~~....
afonic
Forum Admin
Posts: 686
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece

Postby sjaz » Mon May 31, 2004 2:03 pm

Afonic ? ... what kind of trouble?
sjaz
Forum Admin
Posts: 694
Joined: Fri Feb 14, 2003 11:08 pm
Location: London, UK

Postby afonic » Mon May 31, 2004 2:27 pm

Services (chanserv, nickserv) seem down and the only users in the channel are me, ~chaz and &PolarFox, &PolarScan.
afonic
Forum Admin
Posts: 686
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece

Postby sjaz » Mon May 31, 2004 3:21 pm

Services are up and running.

PolarFox is a ServicesBot
PolarScan is a bopm
sjaz
Forum Admin
Posts: 694
Joined: Fri Feb 14, 2003 11:08 pm
Location: London, UK

Postby afonic » Mon May 31, 2004 5:13 pm

Maybe they lost all data? I don't get an identify message nor the channel I had seems registered.
afonic
Forum Admin
Posts: 686
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece

Postby DenisF » Mon May 31, 2004 5:17 pm

*o* did you miss the part where we unlinked from Titanix? :))
DenisF
Forum Admin
Posts: 679
Joined: Mon Dec 16, 2002 9:09 pm
Location: Israhell

Postby afonic » Mon May 31, 2004 5:18 pm

Something else, now that we discussed it maybe you should remove the log, it is not very... polite! :-)
afonic
Forum Admin
Posts: 686
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece

Postby afonic » Mon May 31, 2004 5:20 pm

Yes I think I missed it! Anyway, it's OK, now I understood what happened to my valuable data.
afonic
Forum Admin
Posts: 686
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece

Postby DenisF » Mon May 31, 2004 5:38 pm

Heh, valuable data?
DenisF
Forum Admin
Posts: 679
Joined: Mon Dec 16, 2002 9:09 pm
Location: Israhell

Postby afonic » Mon May 31, 2004 6:01 pm

Just kidding.... :)
afonic
Forum Admin
Posts: 686
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece
