Blame
Date:
Wed Feb 1 05:00:29 2023 UTC
Message:
Daily backup
01
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
author=xfnw
charset=UTF-8
csum=ip addresses should be sorted with sort -V
ctime=1644443390
host=71.246.231.249
name=Police.Fingerprints
rev=10
targets=Police.Intro
text=You will always need to be vigilant and watch out for abuse.
Crimes such as credit card theft, DDoS botnets and phishing
scams do happen on IRC, and it is our job to keep our network
from being overrun with criminals.

Don't get discouraged if you can't stop all of it. Even stopping
half of them will go a long way towards deterring criminals.

The first tool at your disposal is the metadata available on users
that connect to your server. For a user connected to IRC, run:

[@
/whois username username
@]

Giving the nickname twice sends the query to the server the user is
on, which returns the extended reply. As an IRC operator you will see
the user's real hostmask behind the cloak, and with it their IP address
(ordinary users only see the cloaked host). You can then perform a host
and whois lookup (see [[police/intro|police]] for more details):

[@
$ host 192.168.0.1
$ whois 192.168.0.1
@]

In addition to this metadata, you can also check the fingerprints that
botnow collects on users:

[@
$ doas su botnow
$ sqlite3 /var/www/botnow/botnow.db
@]

To select all the rows of data from the bnc table:

[@
sqlite> select * from bnc;
@]

To select all the rows of data from the shell accounts table:

[@
sqlite> select * from shell;
@]

And to select all the rows of data from the irc client table:

[@
sqlite> select * from irc;
@]

For example, you might see this data for a bnc row:

[@
|1026844251|||criminal|criminal@example.com|$2b$11$99a4jtzu7BnmeXOcESf5E.I2aGeyhY0mka8AeMBVK3x.VaCevCu2h||394
@]

This tells you that for IRC id 1026844251, username criminal registered
with the email address criminal@example.com, has the bcrypt password
hash $2b$11$99a4jtzu7BnmeXOcESf5E.I2aGeyhY0mka8AeMBVK3x.VaCevCu2h and
answered captcha 394. The hash is of no use for identification; leave it
out of any notes you keep.

To find out more metadata about this user's IRC client, you can issue:

[@
sqlite> select * from irc where id = 1026844251;
1026844251|criminal!~criminal@192.168.0.1|criminal|||||mIRC v7.64|Sun Feb 06 00:22:30 2022|1644081761||||||20220205
@]

This tells us that for the user with id = 1026844251, the hostmask is
criminal!~criminal@192.168.0.1, the CTCP VERSION reply is mIRC v7.64,
the CTCP TIME reply is Sun Feb 06 00:22:30 2022, and the registration
date is 2022/02/05 (Feb 5th, 2022). CTCP replies are whatever the client
chooses to send, so a scripted client can fake them; treat them as a
fingerprint to correlate with other evidence, not as proof.

We can quickly compile a dossier of the user as follows:

[@
Username: criminal
Email Address: criminal@example.com
criminal!~criminal@192.168.0.1
mIRC v7.64
Sun Feb 06 00:22:30 2022
Registration Date: 2022/02/05
@]

!! Matching IPs

To see every connection any user has made to znc (recorded by the
adminlog module):

[@
$ doas less /home/znc/home/znc/.znc/moddata/adminlog/znc.log
@]

You can search the connections of a single user with grep. Set USERNAME
to the actual username first; the patterns below are double-quoted so
that the shell expands it (inside single quotes, $USERNAME would reach
grep literally):

[@
$ USERNAME=criminal
$ doas grep -iE "\[$USERNAME\] connected to ZNC" /home/znc/home/znc/.znc/moddata/adminlog/znc.log
@]

This will show all connections of USERNAME to znc. We can use sed to
output all unique IPs to a file, sorted numerically rather than as text
(sort -V, so that 192.168.0.2 comes before 192.168.0.10):

[@
$ doas sed -n "s/.*\[$USERNAME\] connected to ZNC from \(.*\)/\1/p" /home/znc/home/znc/.znc/moddata/adminlog/znc.log | sort -V | uniq > ~/$USERNAME
@]

You can also search by IP address, using a regular expression to match
several at once. Escape the dots, otherwise they match any character and
192.168.0.1 would also match 192.168.0.10; anchoring to the end of the
line works because adminlog writes the address as the last field:

[@
$ doas grep -E '(192\.168\.0\.1|192\.168\.0\.2)$' /home/znc/home/znc/.znc/moddata/adminlog/znc.log
@]

This shows every connection from either address, which helps you tie
several IP addresses to one person, or several accounts to one address.

Another helpful technique is to look at where the user goes once
connected.

!! Connected networks and channels

You can see what networks the user USERNAME is connected to by typing
(inside IRC while connected to znc as admin):

[@
/msg *controlpanel listnetworks USERNAME
@]

You can also connect to the same network and /whois the user's nick to
find all the channels they are in (secret and private channels are not
listed unless you are in them yourself).

!! Detecting patterns

I've noticed a pattern. Let's say we have a scammer called '''criminal'''.
What this scammer does is name his networks by single letters like D, E, F.
Any time I find a suspicious person from an IP address in his subnet,
I just run /msg *controlpanel listnetworks username. If I see something
similar to:

[@
13:34 <*controlpanel> | E | Yes | irc.example.com | Guest55013!criminal@example.com | 2 |
@]

it's probably '''criminal'''; only he would name his network E. Sometimes
a trick I use is to scan /home/znc/home/znc/.znc/moddata/adminlog/znc.log
for a single capital letter.

If it's a user from his subnet + single-letter network names + in suspicious
channels + he likes to customize his realname, that's usually a good sign
it is '''criminal'''.

I have some ideas for how to automate this, but I think it will be an arms race.
Once he figures out how I detect him, he might change his signature.
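The bnc and irc lookups above, turned into one script as an added example (this is not botnow's own code): it opens botnow.db read-only, joins the two tables on the id, and prints the dossier in the layout shown on the page, leaving the password hash out. The botnow schema is not on this page, so the column names (username, email, hostmask, version, ctcptime, seen, regdate) are assumptions chosen from the positions in the two sample rows; adjust them to the live database. The sample rows are constructed from those quoted above and loaded into an in-memory database so the script runs without the real file.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema: botnow's real column names are not on the page, only the
# column positions of the two sample rows, so these names are a guess to be
# checked against ".schema bnc" / ".schema irc" on the live database.
SCHEMA = """
CREATE TABLE bnc (id INTEGER PRIMARY KEY, username TEXT, email TEXT,
                  password TEXT, captcha INTEGER);
CREATE TABLE irc (id INTEGER PRIMARY KEY, hostmask TEXT, nick TEXT,
                  version TEXT, ctcptime TEXT, seen INTEGER, regdate TEXT);
"""

# Constructed sample data, copied from the rows quoted on the page.
SAMPLE_BNC = [(1026844251, "criminal", "criminal@example.com",
               "$2b$11$99a4jtzu7BnmeXOcESf5E.I2aGeyhY0mka8AeMBVK3x.VaCevCu2h", 394)]
SAMPLE_IRC = [(1026844251, "criminal!~criminal@192.168.0.1", "criminal",
               "mIRC v7.64", "Sun Feb 06 00:22:30 2022", 1644081761, "20220205")]


def open_readonly(path):
    """Open the live database read-only so the investigation cannot change it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def sample_db():
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO bnc VALUES (?, ?, ?, ?, ?)", SAMPLE_BNC)
    conn.executemany("INSERT INTO irc VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_IRC)
    return conn


def split_hostmask(mask):
    """'nick!ident@host' -> (nick, ident, host); missing parts are ''."""
    nick, _, rest = mask.partition("!")
    ident, _, host = rest.partition("@")
    return nick, ident, host


def build_dossier(conn, user_id):
    """Join bnc and irc on id and return the dossier fields as a dict.
    The password hash is deliberately not selected: it identifies nobody
    and has no place in investigation notes."""
    row = conn.execute(
        """SELECT b.username, b.email, b.captcha,
                  i.hostmask, i.version, i.ctcptime, i.seen, i.regdate
           FROM bnc AS b LEFT JOIN irc AS i ON i.id = b.id
           WHERE b.id = ?""", (user_id,)).fetchone()
    if row is None:
        return None
    username, email, captcha, hostmask, version, ctcptime, seen, regdate = row
    _, ident, host = split_hostmask(hostmask or "")
    return {
        "id": user_id,
        "username": username,
        "email": email,
        "captcha": captcha,
        "hostmask": hostmask,
        "ident": ident,
        "ip": host,
        "ctcp_version": version,
        "ctcp_time": ctcptime,
        # assumed to be a Unix timestamp; rendered in UTC for the record
        "seen_utc": (datetime.fromtimestamp(seen, timezone.utc)
                     .strftime("%Y-%m-%d %H:%M:%S") if seen else None),
        # stored as YYYYMMDD on the page; written as YYYY/MM/DD in the dossier
        "registered": (f"{regdate[:4]}/{regdate[4:6]}/{regdate[6:]}"
                       if regdate else None),
    }


def format_dossier(d):
    """Render the dossier in the layout used on the page."""
    return "\n".join([
        f"Username: {d['username']}",
        f"Email Address: {d['email']}",
        d["hostmask"] or "(no irc row)",
        d["ctcp_version"] or "(no CTCP VERSION reply)",
        d["ctcp_time"] or "(no CTCP TIME reply)",
        f"Registration Date: {d['registered']}",
    ])


if __name__ == "__main__":
    print(format_dossier(build_dossier(sample_db(), 1026844251)))
```

Against the real database, replace sample_db() with open_readonly("/var/www/botnow/botnow.db") after doas su botnow, and rename the columns in the SELECT to whatever .schema bnc and .schema irc report in the sqlite3 shell.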
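The grep, sed and sort -V steps of the "Matching IPs" section, and the search by IP address, as an added example that is not part of the original page: it parses adminlog connect lines, lists a user's unique addresses in numeric order, finds which accounts connected from a given address or subnet, and reports addresses shared by more than one account. The log lines are constructed; the "[user] connected to ZNC from IP" wording comes from the page's sed pattern, while the bracketed timestamp prefix is an assumption about adminlog's format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of adminlog's znc.log. The "[user] connected to ZNC from IP"
# wording is taken from the page's sed pattern; the bracketed timestamp prefix is
# an assumption about how adminlog stamps each line.
SAMPLE_LOG = """\
[2022-02-05 10:01:12] [criminal] connected to ZNC from 192.168.0.1
[2022-02-05 10:05:40] [alice] connected to ZNC from 10.0.0.7
[2022-02-05 11:17:03] [criminal] connected to ZNC from 192.168.0.10
[2022-02-05 11:20:00] [criminal] failed to login from 192.168.0.2
[2022-02-05 12:44:51] [guest55013] connected to ZNC from 192.168.0.1
[2022-02-06 00:10:09] [criminal] connected to ZNC from 192.168.0.2
[2022-02-06 00:12:09] [criminal] connected to ZNC from 2001:db8::1
[2022-02-06 01:00:00] [alice] connected to ZNC from 192.168.0.1
"""

# Same shape as the page's sed expression: the address is the last field.
CONNECT_RE = re.compile(r"\[(?P<user>[^\]]+)\] connected to ZNC from (?P<ip>\S+)$")


def _ip_key(ip):
    """Sort key: IPv4 before IPv6, then numeric order (what sort -V gives
    for dotted quads, without a plain text sort's 0.10-before-0.2 problem)."""
    addr = ipaddress.ip_address(ip)
    return (addr.version, addr)


def connections(log_text):
    """Yield (user, ip) for every successful connection line; failed logins
    and other adminlog lines are skipped."""
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def ips_for_user(log_text, username):
    """Unique addresses one user connected from. The match is exact and
    case-sensitive, unlike grep -i."""
    found = {ip for user, ip in connections(log_text) if user == username}
    return sorted(found, key=_ip_key)


def users_for_ips(log_text, cidrs):
    """Accounts seen from any of the given addresses or CIDR blocks: the
    grep-by-IP step, with real prefix matching instead of a regex in which
    an unescaped dot matches anything."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    hits = defaultdict(set)
    for user, ip in connections(log_text):
        addr = ipaddress.ip_address(ip)
        if any(addr.version == n.version and addr in n for n in nets):
            hits[user].add(ip)
    return {user: sorted(ips, key=_ip_key) for user, ips in hits.items()}


def shared_ips(log_text):
    """Addresses used by more than one account: accounts that share an
    address are candidates for being the same person."""
    by_ip = defaultdict(set)
    for user, ip in connections(log_text):
        by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    print("criminal:", ips_for_user(SAMPLE_LOG, "criminal"))
    print("from 192.168.0.0/24:", users_for_ips(SAMPLE_LOG, ["192.168.0.0/24"]))
    print("shared:", shared_ips(SAMPLE_LOG))
```

To run it against the real log, read znc.log with doas as on the page (or copy it somewhere you can read) and pass its text to these functions; the separate uniq step is unnecessary because each address is collected into a set.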
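The heuristic from the "Detecting patterns" section, as an added example (not the author's own tooling): it parses listnetworks rows in the layout of the line quoted above and scores a user on the three signals named there, single-letter network names, a source address inside the suspect's subnet, and membership in channels you are watching. The column order Network | OnIRC | IRC Server | IRC User | Channels is assumed from that single sample line, and the rows, addresses, subnet and channel names are constructed.

```python
import ipaddress
import re

# Constructed sample output of "/msg *controlpanel listnetworks <user>", laid
# out like the single line quoted on the page, including the IRC client's
# "13:34 <*controlpanel>" prefix. Column order is assumed to be
# Network | OnIRC | IRC Server | IRC User | Channels.
SAMPLE_LISTNETWORKS = """\
13:34 <*controlpanel> | Network | OnIRC | IRC Server | IRC User | Channels |
13:34 <*controlpanel> | E | Yes | irc.example.com | Guest55013!criminal@example.com | 2 |
13:34 <*controlpanel> | F | No |  |  | 0 |
"""

COLUMNS = ("network", "onirc", "server", "ircuser", "channels")
SINGLE_LETTER_RE = re.compile(r"^[A-Z]$")


def parse_listnetworks(text):
    """One dict per network row; the header row and non-table lines are dropped."""
    rows = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        table = line[line.index("|"):].strip()
        if not table.endswith("|"):
            continue
        cells = [c.strip() for c in table[1:-1].split("|")]
        if len(cells) != len(COLUMNS) or cells[0] == "Network":
            continue
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def score_user(networks, source_ips, suspect_subnets,
               joined_channels=(), watched_channels=()):
    """Score a user on the page's signals: single-letter network names,
    a source address inside the suspect's subnet, and membership in channels
    you are watching. Each signal that fires adds one point and a reason."""
    reasons = []
    letters = [n["network"] for n in networks if SINGLE_LETTER_RE.match(n["network"])]
    if letters:
        reasons.append("single-letter network names: " + ", ".join(letters))
    nets = [ipaddress.ip_network(s, strict=False) for s in suspect_subnets]
    hits = [ip for ip in source_ips
            if any(ipaddress.ip_address(ip) in n for n in nets)]
    if hits:
        reasons.append("connected from suspect subnet: " + ", ".join(hits))
    common = sorted({c.lower() for c in joined_channels}
                    & {c.lower() for c in watched_channels})
    if common:
        reasons.append("in watched channels: " + ", ".join(common))
    return len(reasons), reasons


if __name__ == "__main__":
    nets = parse_listnetworks(SAMPLE_LISTNETWORKS)
    print(score_user(nets, ["192.168.0.5"], ["192.168.0.0/24"],
                     joined_channels=["#Carding"], watched_channels=["#carding"]))
```

The source addresses come from the adminlog search in the previous section and the channel list from /whois. A score of 3 is a prompt to look closer, not a verdict: every one of these signals is under the user's control, which is exactly the arms race the page describes.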
time=1644674959
author:1644674959=xfnw
csum:1644674959=ip addresses should be sorted with sort -V
diff:1644674959:1644674865:=97c97%0a%3c $ doas sed -n 's/.*\[$USERNAME\] connected to ZNC from \(.*\)/\1/p' /home/znc/home/znc/.znc/moddata/adminlog/znc.log | sort -V | uniq > ~/$USERNAME%0a---%0a> $ doas sed -n 's/.*\[$USERNAME\] connected to ZNC from \(.*\)/\1/p' /home/znc/home/znc/.znc/moddata/adminlog/znc.log | sort | uniq > ~/$USERNAME%0a
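Review bot: `sort -V` is a GNU/BSD extension rather than POSIX, so the changed line now depends on the host's sort(1) supporting version sort (OpenBSD and GNU sort both do); `sort -uV` would also let the trailing `uniq` be dropped. Version sort is only a stand-in for numeric address order, so a mixed IPv4/IPv6 list will still interleave oddly.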
host:1644674959=71.246.231.249
author:1644674865=xfnw
csum:1644674865=use neutral pronouns
diff:1644674865:1644538251:=15c15%0a%3c That will decloak the user's hostmask and reveal their IP address.%0a---%0a> That will decloak the user's hostmask and reveal his IP address.%0a
host:1644674865=71.246.231.249
author:1644538251=jrmu
diff:1644538251:1644537570:=68d67%0a%3c [@%0a75,76c74%0a%3c @]%0a%3c %0a---%0a> %0a85,86c83,84%0a%3c You can search existing connections to znc using grep.%0a%3c %0a---%0a> You can search existing connections to znc using grep:%0a> %0a88c86%0a%3c $ doas grep -iRE '\[$USERNAME\] connected to ZNC' /home/znc/home/znc/.znc/moddata/adminlog/znc.log%0a---%0a> $ doas grep -iRE '\[USERNAME\] connected to ZNC' /home/znc/home/znc/.znc/moddata/adminlog/znc.log%0a91,95c89,91%0a%3c You will want to replace $USERNAME with the actual username.%0a%3c %0a%3c This will show all connections of USERNAME to znc. We can use sed to output %0a%3c all unique IPs to a file:%0a%3c %0a---%0a> This will show all connections of USERNAME to znc. If you output this%0a> to a file, you can then track down all IP addresses:%0a> %0a97c93%0a%3c $ doas sed -n 's/.*\[$USERNAME\] connected to ZNC from \(.*\)/\1/p' /home/znc/home/znc/.znc/moddata/adminlog/znc.log | sort | uniq > ~/$USERNAME%0a---%0a> $ doas sed -n 's/.*\[USERNAME\] connected to ZNC from \(.*\)/\1/p' /home/znc/home/znc/.znc/moddata/adminlog/znc.log | sort | uniq > ~/USERNAME%0a
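Review bot: the new `'\[$USERNAME\] connected to ZNC'` pattern is single-quoted, so `$USERNAME` reaches grep literally, which is why the added sentence has to ask the reader to replace it by hand; but in the sed line the `> ~/$USERNAME` redirect sits outside the quotes and is expanded, so the two halves of that command behave differently and with the variable unset the output is redirected to `~/`. Either keep `USERNAME` without the dollar sign in both places, as the previous revision did, or set the variable and switch the patterns to double quotes, e.g. `"\[$USERNAME\] connected to ZNC"` (the backslashes before `[`, `(` and `1` survive double quoting).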
host:1644538251=38.87.162.8
author:1644537570=jrmu
diff:1644537570:1644536121:=86c86%0a%3c $ doas grep -iRE '\[USERNAME\] connected to ZNC' /home/znc/home/znc/.znc/moddata/adminlog/znc.log%0a---%0a> $ doas grep -iRE 'USERNAME.*to ZNC' /home/znc/home/znc/.znc/moddata/adminlog/znc.log%0a93c93%0a%3c $ doas sed -n 's/.*\[USERNAME\] connected to ZNC from \(.*\)/\1/p' /home/znc/home/znc/.znc/moddata/adminlog/znc.log | sort | uniq > ~/USERNAME%0a---%0a> $ doas grep -iRE 'USERNAME.*to ZNC' /home/znc/home/znc/.znc/moddata/adminlog/znc.log > ~/USERNAME%0a
host:1644537570=38.87.162.8
author:1644536121=jrmu
diff:1644536121:1644528176:=
host:1644536121=38.87.162.8
author:1644528176=jrmu
diff:1644528176:1644526865:=34c34%0a%3c sqlite> select * from bnc;%0a---%0a> sqlite> select * from bnc ;%0a40c40%0a%3c sqlite> select * from shell;%0a---%0a> sqlite> select * from shell ;%0a43,48d42%0a%3c And to select all the rows of data from the irc client table:%0a%3c %0a%3c [@%0a%3c sqlite> select * from irc;%0a%3c @]%0a%3c %0a51d44%0a%3c [@%0a53,56c46,48%0a%3c @]%0a%3c %0a%3c This tells you that for IRC id 1026844251, username criminal had an email address of criminal@example.com with password hash of $2b$11$99a4jtzu7BnmeXOcESf5E.I2aGeyhY0mka8AeMBVK3x.VaCevCu2h and a captcha of 394.%0a%3c %0a---%0a> %0a> This tells you that for IRC id 1026844251, username criminal had a password hash of $2b$11$99a4jtzu7BnmeXOcESf5E.I2aGeyhY0mka8AeMBVK3x.VaCevCu2h and a captcha of 394.%0a> %0a66,114c58,59%0a%3c We can quickly compile a dossier of the user as follows:%0a%3c %0a%3c Username: criminal%0a%3c Email Address: criminal@example.com%0a%3c criminal!~criminal@192.168.0.1%0a%3c mIRC v7.64%0a%3c Sun Feb 06 00:22:30 2022%0a%3c Registration Date: 2022/02/05%0a%3c %0a%3c !! Matching IPs%0a%3c %0a%3c To see all connections all users have made to znc:%0a%3c %0a%3c [@%0a%3c $ doas less /home/znc/home/znc/.znc/moddata/adminlog/znc.log%0a%3c @]%0a%3c %0a%3c You can search existing connections to znc using grep:%0a%3c %0a%3c [@%0a%3c $ doas grep -iRE 'USERNAME.*to ZNC' /home/znc/home/znc/.znc/moddata/adminlog/znc.log%0a%3c @]%0a%3c %0a%3c This will show all connections of USERNAME to znc. 
If you output this%0a%3c to a file, you can then track down all IP addresses:%0a%3c %0a%3c [@%0a%3c $ doas grep -iRE 'USERNAME.*to ZNC' /home/znc/home/znc/.znc/moddata/adminlog/znc.log > ~/USERNAME%0a%3c @]%0a%3c %0a%3c You can also search by IP addresses and using regular expressions:%0a%3c %0a%3c [@%0a%3c $ doas grep -iRE '(192.168.0.1|192.168.0.2)' /home/znc/home/znc/.znc/moddata/adminlog/znc.log%0a%3c @]%0a%3c %0a%3c This can help you find multiple IP addresses.%0a%3c %0a%3c One helpful technique is as follows:%0a%3c %0a%3c !! Connected networks and channels%0a%3c %0a%3c You can see what networks the user USERNAME is connected to by typing (inside IRC while connected to znc as admin):%0a%3c %0a%3c [@%0a%3c /msg *controlpanel listnetworks USERNAME%0a%3c @]%0a%3c %0a%3c You can also connect to his network and /whois USERNAME to find all the channels he is a part of.%0a---%0a> %0a> And to select all the rows of data from the irc client table:%0a
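Review bot: in the added `grep -iRE '(192.168.0.1|192.168.0.2)'` the dots are regex metacharacters, so `192.168.0.1` also matches `192.168.0.10`, `192.168.0.11` and any line containing `192x168y0z1`; escape them (`192\.168\.0\.1`) or use `grep -F -e 192.168.0.1 -e 192.168.0.2`, and `-R` does nothing useful on a single file. The sentence "This can help you find multiple IP addresses" would read more precisely as finding every account that connected from either address.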
host:1644528176=38.87.162.8
author:1644526865=jrmu
diff:1644526865:1644522974:=43,58d42%0a%3c For example, you might see this data for a bnc row:%0a%3c %0a%3c |1026844251|||criminal|criminal@example.com|$2b$11$99a4jtzu7BnmeXOcESf5E.I2aGeyhY0mka8AeMBVK3x.VaCevCu2h||394%0a%3c %0a%3c This tells you that for IRC id 1026844251, username criminal had a password hash of $2b$11$99a4jtzu7BnmeXOcESf5E.I2aGeyhY0mka8AeMBVK3x.VaCevCu2h and a captcha of 394.%0a%3c %0a%3c To find out more metadata about this user's IRC client, you can issue:%0a%3c %0a%3c [@%0a%3c sqlite> select * from irc where id = 1026844251;%0a%3c 1026844251|criminal!~criminal@192.168.0.1|criminal|||||mIRC v7.64|Sun Feb 06 00:22:30 2022|1644081761||||||20220205%0a%3c @]%0a%3c %0a%3c This tells us that for the user with id = 1026844251, the hostmask is criminal!~criminal@192.168.0.1, the CTCP Version reply is mIRC v7.64, the CTCP Time reply is Sun Feb 06 00:22:30 2022, and the registration date is 2022/02/05 (Feb 5th, 2022).%0a%3c %0a%3c %0a63c47%0a%3c I've noticed a pattern. Let's say we have a scammer called '''criminal'''.%0a---%0a> I've noticed a pattern. Let's call this scammer sanggau.%0a69,71c53,55%0a%3c 13:34 %3c*controlpanel> | E | Yes | irc.example.com | Guest55013!criminal@example.com | 2 |%0a%3c %0a%3c It's probably '''criminal''', only he would name his network E. Sometimes a trick%0a---%0a> 13:34 %3c*controlpanel> | F | Yes | Jakarta.ID.IX.ForumCerdas.Net | Guest55013!sanggau@example.com | 2 |%0a> %0a> It's probably sanggau, only he would name his network F. Sometimes a trick%0a77c61%0a%3c it is '''criminal'''.%0a---%0a> it is sanggau.%0a
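Review bot: the added `select * from irc where id = 1026844251;` output is a bare pipe-separated row, so the reader has to count columns to know which field the prose calls the CTCP Version reply and which the registration date; running `.headers on` (and `.mode column`) in the sqlite3 shell before the query, or naming the columns in the SELECT, would make the example self-describing. The prose explains the trailing `20220205` as the registration date but leaves the `1644081761` column unexplained.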
host:1644526865=38.87.162.8
author:1644522974=jrmu
diff:1644522974:1644521735:=19d18%0a%3c [@%0a22,45d20%0a%3c @]%0a%3c %0a%3c In addition to this metadata, you can also check the fingerprints that botnow collects on users:%0a%3c %0a%3c [@%0a%3c $ doas su botnow%0a%3c $ sqlite3 /var/www/botnow/botnow.db%0a%3c @]%0a%3c %0a%3c To select all the rows of data from the bnc table:%0a%3c %0a%3c [@%0a%3c sqlite> select * from bnc ;%0a%3c @]%0a%3c %0a%3c To select all the rows of data from the shell accounts table:%0a%3c %0a%3c [@%0a%3c sqlite> select * from shell ;%0a%3c @]%0a%3c %0a%3c And to select all the rows of data from the irc client table:%0a%3c %0a%3c !! Detecting patterns%0a
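Review bot: `sqlite3 /var/www/botnow/botnow.db` opens the live database read-write; for an investigation open it with `sqlite3 -readonly` so a stray statement cannot alter or lock the file botnow is using. `select * from bnc ;` also prints every user's password hash, which is not needed for fingerprinting; selecting the id, username and email columns is enough and keeps hashes out of terminal scrollback.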
host:1644522974=38.87.162.8
author:1644521735=jrmu
diff:1644521735:1644443390:=1,21d0%0a%3c You will always need to be vigilant and watch out for abuse.%0a%3c Crimes such as stealing credit cards, ddos botnets, and phishing%0a%3c scams do happen on IRC, and it's our job to prevent our network%0a%3c from being overrun with criminals.%0a%3c %0a%3c Don't get discouraged if you can't stop all crime. Even stopping%0a%3c half of them will go a long way towards deterring criminals.%0a%3c %0a%3c The first tool at your disposal is to check the available metadata%0a%3c on users that connect to your server. For example, for users that%0a%3c connect to IRC, you can run this command:%0a%3c %0a%3c /whois username username%0a%3c %0a%3c That will decloak the user's hostmask and reveal his IP address.%0a%3c You can then perform a host and whois lookup (see [[police/intro|police]]%0a%3c for more details):%0a%3c %0a%3c $ host 192.168.0.1%0a%3c $ whois 192.168.0.1%0a%3c %0a
host:1644521735=38.87.162.8
author:1644443390=jrmu
diff:1644443390:1644443390:=1,18d0%0a%3c I've noticed a pattern. Let's call this scammer sanggau.%0a%3c What this scammer does is he names his networks by letters like D E F.%0a%3c Anytime I find a suspicious person from an his subnet's IP address,%0a%3c I just run /msg *controlpanel listnetworks username. If I see something%0a%3c similar to:%0a%3c %0a%3c 13:34 %3c*controlpanel> | F | Yes | Jakarta.ID.IX.ForumCerdas.Net | Guest55013!sanggau@example.com | 2 |%0a%3c %0a%3c It's probably sanggau, only he would name his network F. Sometimes a trick%0a%3c I use is to scan /home/znc/home/znc/.znc/moddata/adminlog/znc.log%0a%3c for a single capital letter.%0a%3c %0a%3c If it's a user from his subnet + single letter network names + in suspicious%0a%3c channels + he likes to customize his realname, that's usually a good sign%0a%3c it is sanggau.%0a%3c %0a%3c I have some ideas for how to automate but I think it will be an arms race.%0a%3c Once he figures out how i detect him, he might change his signature.%0a
host:1644443390=38.87.162.8
IRCNow