Help!

[ibanez]

Hi,
I am an admin at a large IRC network, these sub7 crossed with an irc client kinda bots have been idling in secret channels on our servers. The users arent on the network ( apart from the bot ) so im guessing its a virus.! anywayz,. theres like 4 or 5000 of them set to idle in channels on our net and when we apply filters to block them our entire network goes unreachable from the traffic that is no doubt created by 5000 drones hammering the gateway.

I just wondered, ISP's dont want to hear about it, its the users responsibility as far as there concerned, the ppl behind it aren't linked to the vicsious activity performed on their behalf by these drones; how can we fight this ? these bots can make _any_ network go unreachable, our OC48 goes unreachable within minutes of applying filters. Im sure our network connection providers will be oh so pleased to take the load for us, NOT. what can we do ??? help i can only begin to imagine there are millions of thees things out there, and they are very dangerous in the hands of 13 yr olds! i say 13 yr olds becuase thats the level of mentality required to create these good for nuthing but damage bots.

Help me please.

[r-22]

I have recently looked on www.attrition.org and noticed a fairly large archive of logs and other things of the sort that refer back to JP and AntiOnline participating in questionable and fraudulant acts. Due to my support for www.attrition.org and www.netflood.net I am currently pulling all my posts from this site and ask for my account termination. If you, JP, find that at any point you feel you can be at least half ass honorable then I will consider posting here again.

[ibanez]

Do you want to be the one to ask my isp if they can apply over 5000 hosts to their firewall,. its like ordering 10,000 bigmacs without pickle.. they would look at you funny and ask, " Are you serious "?

[r-22]

I have recently looked on www.attrition.org and noticed a fairly large archive of logs and other things of the sort that refer back to JP and AntiOnline participating in questionable and fraudulant acts. Due to my support for www.attrition.org and www.netflood.net I am currently pulling all my posts from this site and ask for my account termination. If you, JP, find that at any point you feel you can be at least half ass honorable then I will consider posting here again.

[r-22]

I have recently looked on www.attrition.org and noticed a fairly large archive of logs and other things of the sort that refer back to JP and AntiOnline participating in questionable and fraudulant acts. Due to my support for www.attrition.org and www.netflood.net I am currently pulling all my posts from this site and ask for my account termination. If you, JP, find that at any point you feel you can be at least half ass honorable then I will consider posting here again.

[ibanez]

Thanks for you help dude, i will tyake it all with a grain of salt and let you know how i go

[redpriest]

Hello,

What seems to be going on is, someone is using your network to host bots not necessarily a network of them. Groups of blackhat hackers use these types of setups for launching Denial Of Service attacks. You made it clear the machines on your network seemed to be infected with some type of trojan horse/virus. Have you seen any type of commands going through the irc channel? Is there interaction with the users and the bots? I would call your uplink/provider and make it clear to them whats going on. A link of intrest....

http://grc.com/dos/grcdos.htm

[ibanez]

I have since learned the bots i decribed are coded by a group of UK internet terrorists. They call the bot HaCore another is called GT and yes its main goal is for DDoS attacks, these bots sit on our network using a myriad of hosts, over 150 diff isp's and over 2000 individual subnets. I fear when i ask my isp to filter 150 isp's and over 2000 subnets, the answer will be WHAT @@!#@!#?

ill let you know how i go, have been a little busy recently, but plan to sort this out asap.