#garfield Logs

Aug 20 2018


12:22 AM zhanx: rue_, this bot net ever gonna end you think?
12:43 AM rue_: I'm working on a solution
12:44 AM rue_: and I'm learning
12:44 AM rue_: I'm sure it's not too distantly related to the ssh attacks
12:45 AM rue_: and there seems to be a single source behind that
12:45 AM rue_: i need to prove that
12:45 AM zhanx: good luck
01:53 AM rue_bed: it's easy
01:54 AM rue_bed: you give them a cookie, and if they ALL stop asking for cookies, you know that there is only one cookiemonster
10:44 AM * furrywolf starts nosing around people's kitchens looking for breakfast
07:14 PM rue__: so it gets more interesting, turns out the ssh attacks and the irc bots ARE directly related
07:41 PM Tom_L: what are they doing with ssh?
08:11 PM zhanx: ok rue motor driver is in
08:12 PM zhanx: just one last problem my filament loves to jump off hobbed bolt
08:13 PM rue__: it shouldn't be able to get out from under it
08:13 PM rue__: can ya show me the hobbing?
08:13 PM rue__: it should be about 80% the depth of the filament
08:13 PM rue__: at least 60%
08:16 PM zhanx: don't think its over 40%
08:17 PM rue__: ah
08:17 PM rue__: otherwise the feeder has no filament guide eh?
08:17 PM rue__: we might be able to print one
08:18 PM zhanx: correct
08:18 PM rue__: <rue__> so you know all these dead nicks I get all wound up about?
08:18 PM rue__: <rue__> it turns out they're exploited computers on the internet, waiting for botnet commands
08:18 PM rue__: <rue__> when a computer gets hacked, they come install an irc interfaced bot on the computer
08:18 PM rue__: <rue__> it joins a network, sometimes freenode, sometimes undernet
08:18 PM rue__: <rue__> all those dead nicks are bots, waiting for commands
08:18 PM rue__: * [I2b2hive] End of WHOIS list.
08:18 PM rue__: <rue__> Aug 20 17:52:10 t0002 sshd[32655]: Failed password for invalid user rogerio from port 50462 ssh2
08:18 PM rue__: <rue__> * [rogerio] (rogerio@gateway/shell/marcovecchiocorp/x-jyydszmquffeelum): rogerio
08:18 PM rue__: <rue__> * [rogerio] orwell.freenode.net :Amsterdam, NL, EU
08:18 PM rue__: <rue__> * [rogerio] is using a secure connection
08:18 PM rue__: <rue__> * [rogerio] is logged in as rogerio
08:18 PM rue__: <rue__> * [rogerio] End of WHOIS list.
08:18 PM rue__: <rue__> I'm just gonna throw out there, that's no coincidence
08:18 PM zhanx: saw that
08:18 PM rue__: oh, sorry
08:19 PM rue__: it's kinda coming together, the main question is WHY
08:19 PM rue__: IRC is an awesome way to control a botnet tho
08:19 PM rue__: it makes sense
08:19 PM rue__: the exploited machines just join the private channel(s) you use
08:19 PM zhanx: and it's not banned in most places
08:21 PM rue__: I want to know what the bot commands are now!
08:21 PM rue__: 80% of the dead nicks in irc must be bots
08:21 PM zhanx: so you think i need to hob the bolt a bit more then?
08:21 PM rue__: yes
08:22 PM zhanx: if it can upload i got an ok shot
08:23 PM zhanx: too bad I cant do it tonight
08:24 PM zhanx: but the new driver is in and everything is working minus the feed now
08:24 PM rue__: yea, dial down the current till the motors just stay warm
08:25 PM zhanx: what voltage did you use?
08:25 PM zhanx: or did you just eye ball it
08:26 PM rue__: no, I just dial the motors till they stay warm
08:26 PM rue__: not cold, not hot, warm
08:29 PM zhanx: ok the email sent
08:45 PM zhanx: so much quieter
08:45 PM rue__: whois netman
08:46 PM Tom_L: where?
08:46 PM rue__: so, most of these ssh attempts are under IRC nicks
08:47 PM rue__: this starts to explain
08:47 PM rue__: it's a search for logins left by other attacks
08:48 PM rue__: yeaaa LOTS of these ssh attempts match nicks logged into irc
08:48 PM rue__: furthermore, they aren't logged into any channels
08:49 PM rue__: [techno] (techno@techno.free-user.techno-music-at.bncfor.me): An Advanced BNC - https://bncfor.me
08:49 PM rue__: waaaait.. BNC... Bot Net Controller!?
08:50 PM furrywolf: BNC is irc bouncer software. basically a proxy. also, freenode doesn't let you see what channels people are in. hasn't for a while.
08:51 PM rue__: I could see toms channels just fine
08:51 PM rue__: maybe it's only channels I'm in too
08:52 PM rue__: is this the only channel you're in?
08:52 PM furrywolf: only the channels you're also in
08:52 PM rue__: ah
08:52 PM furrywolf: I'm in 10 or 11.
08:52 PM rue__: do you see a user called techno?
08:52 PM Tom_L: when did they start doing that?
08:53 PM Tom_L: they used to
08:53 PM rue__: but that means if I join every channel, I'll know
08:53 PM furrywolf: no. it doesn't look suspicious to me in any way, though. he/she connected over ssl and everything.
08:53 PM furrywolf: although the user with the nick techno does not seem to own the nick, which is suspicious.
08:55 PM rue__: find the user, check the other users in the channel against the ssh attacks
08:56 PM furrywolf: I would assume the bots are just using a list of common usernames, and due to their being common, many of them are used on here too.
08:56 PM rue__: na, it's worse than that, the users ARE the bots
08:57 PM furrywolf: what evidence do you have of this?
08:57 PM zhanx: ok printing the test square
08:59 PM rue__: the odds of extremely specific user names (from ssh attacks) turning up on irc as connected users
09:01 PM rue__: I have a client in about 100 channels, and I cant find techno yet
09:02 PM rue__: client won't let me bulk join channels
09:03 PM furrywolf: looking at my logs, it looks a lot like a list of commonly exploitable usernames, with a few extras thrown in.
09:04 PM rue__: no this connects too well
09:05 PM rue__: go ahead, take your ssh attack log and whois the specific ones that make no sense to be looking for as ssh logins
09:05 PM furrywolf: https://pastebin.com/mt37Nz5J
09:06 PM rue__: are those from ssh attacks?
09:07 PM furrywolf: those are invalid usernames sorted out of my auth.log
09:07 PM rue__: ok, try a few of the non-service names in whois
09:07 PM furrywolf: tried 7 so far, none are online
09:08 PM rue__: usuario
09:08 PM rue__: contador
09:08 PM rue__: netman
09:08 PM rue__: student4
09:08 PM furrywolf: susan: No such nick/channel
09:08 PM furrywolf: stephen: No such nick/channel
09:08 PM furrywolf: yoshitaka: No such nick/channel
09:08 PM furrywolf: zabbix: No such nick/channel
09:08 PM furrywolf: xiaojie: No such nick/channel
09:08 PM rue__: bernard
09:08 PM furrywolf: yann: No such nick/channel
09:08 PM furrywolf: ventas: No such nick/channel
09:08 PM furrywolf: usuario: No such nick/channel
09:08 PM furrywolf: samir: No such nick/channel
09:08 PM furrywolf: david: No such nick/channel
09:08 PM furrywolf: glassfish: No such nick/channel
09:08 PM rue__: hmm
09:08 PM Tom_L: student4 isn't in his list
09:08 PM furrywolf: still not a one I've tried...
09:09 PM Tom_L: her?
09:12 PM rue__: ok, I'll have to get a machine exploited and take apart their software
09:12 PM Tom_L: how you gonna do that?
09:13 PM rue__: honeypot machine
09:13 PM rue__: it's running in the livingroom right now
09:13 PM rue__: but it's running a script that captures the user/password attempts
09:14 PM Tom_L: attempts to do what?
09:14 PM rue__: the http exploit stuff is insane
09:14 PM Tom_L: hack your pc or irc?
09:14 PM rue__: they are hitting the ssh port, trying logins
09:14 PM rue__: this is insane
09:14 PM Tom_L: it's working though
09:15 PM furrywolf: I wrote a little script to whois all of them. I limited it to one every three seconds, since freenode rate limits whoises.
09:15 PM rue__: the ssh attempts are part of a multilayer thing whose later step is to install a program that gets on irc with a bot
09:15 PM furrywolf: at one every three seconds, it will take a bit, but you can get some actual numbers.
09:16 PM furrywolf: I also got a list of usernames from the last month of logs (how long I keep them), so it's doing a bigger list.
09:16 PM rue__: this isn't the only network, apparently one of the ones that was taken apart used undernet
09:17 PM rue__: whois ralf
09:17 PM furrywolf: so far it's found only four, and they're all common nicks that I would perfectly happily attribute to coincidence.
09:17 PM rue__: hmmm
09:17 PM rue__: how does this all work...
09:18 PM furrywolf: how it works is that if you have a list of a thousand common usernames, and a list of many thousands of irc nicknames, chances are there's some overlap. :P
09:18 PM furrywolf: 82722 users online on freenode right now.
09:18 PM rue__: prolly 80000 of them bots
09:19 PM zhanx: rue__, what was the fix if i am flatting the print
09:19 PM rue__: zhanx, first layer should be half-flattened, adjust the zero offset
09:19 PM rue__: if the rest of the layers are squished, your z steps are wrong
09:19 PM rue__: you have to tell me *for sure* what thread pitch you're using
09:19 PM furrywolf: I don't see any common characteristics to the nicks it's finding.
09:20 PM furrywolf: some are well-established users
09:21 PM furrywolf: gateway/web/irccloud.com is showing up possibly unusually often, but not enough to be suspicious yet.
09:21 PM rue__: but furrywolf think on it
09:22 PM rue__: why would the ssh attacks try a single login/password for zachary
09:22 PM furrywolf: I have thought on it, and I've decided it's just coincidence. you have two large lists. :)
09:22 PM rue__: how many systems are gonna have that login?
09:22 PM rue__: seriously
09:22 PM furrywolf: it's probably using information stolen from another system, to see if the same user is on both
09:23 PM rue__: yes and no, it's crazy ineffective to the point it doesn't make sense
09:23 PM furrywolf: also, did you notice one of the bots uses the first 8 letters of your domain name as a username?
09:23 PM rue__: that I didn't catch!
09:23 PM zhanx: rue__, whats the command to check what my z step is set to
09:24 PM rue__: I have to work this out every time you ask
09:24 PM furrywolf: I'll let this run until it finishes and/or freenode kills it.
09:24 PM rue__: write it down!!!!!!
09:24 PM furrywolf: it's up to "api" so far.
09:25 PM furrywolf: but, so far, I see nothing at all suspicious.
09:25 PM rue__: zhanx, M92
09:25 PM rue__: wait, to query
09:25 PM rue__: Get the current steps-per-unit settings with M503.
09:26 PM Tom_L: <rue_> 1133.86 steps/mm
09:26 PM Tom_L: <rue_> is yer \ haven't checked email yet\ z steps set to 1133.86 ?
09:26 PM Tom_L: <zhanx> i wonder if i got 5/16 -20 rod
09:26 PM Tom_L: <zhanx> they are
09:26 PM Tom_L: <rue_> need to know 18 or 20
09:26 PM Tom_L: <rue_> ok
09:26 PM Tom_L: <zhanx> no i am wondering due to the fact we checked this before
09:26 PM Tom_L: <rue_> 1259.84 steps/mm
09:26 PM Tom_L: <zhanx> that will make it up higher right?
09:26 PM Tom_L: maybe that's it.....
09:26 PM zhanx: cho: M92 X44.44 Y44.44 Z1259.84 E420.00
09:26 PM rue__: (pitch_in_mm/motor_steps_per_rev*microsteps) = mm/step
09:27 PM rue__: zhanx, dont print as a test, tell it to move up 10mm and see if it did
09:27 PM zhanx: that is set right, but it was a setting in slic3r i had to change also i think. I forgot to check it
09:27 PM rue__: tell it to move up 25.4 if all you have are those silly imperial measures
09:27 PM rue__: unless in the advanced part of slic3r you put the M92 command, then no
09:28 PM rue__: which I do
09:28 PM rue__: http://marlinfw.org/docs/gcode/M092.html
09:28 PM rue__: ^^ you're gonna write that down, right?
09:28 PM rue__: I want to see postits on the printer!
09:29 PM furrywolf: up to "Bill" so far... another common username, and a completely non-suspicious user.
09:29 PM zhanx: ok its super close to right
09:35 PM zhanx: rue I am 2 mm over what i should be
09:35 PM rue__: over what distance?
09:36 PM zhanx: 25.4
09:36 PM zhanx: it measures at 27.5 ish
09:37 PM rue__: ok, now tell it to go to zero and see what ya got
09:37 PM rue__: 2.1?
09:38 PM rue__: what pitch is your rod for sure?
09:38 PM zhanx: yep a quarter slides under it
09:39 PM rue__: so...?
09:40 PM rue__: you're adjusting?
09:40 PM rue__: the z steps are either right or they're WAY out, can't be just close
09:40 PM zhanx: 5/16-18 found the nut box
09:40 PM zhanx: way out
09:40 PM rue__: nope
09:40 PM rue__: 18tpi
09:41 PM rue__: so, 200 steps/rev cause it's a 1.8 degree motor
09:41 PM rue__: we have the microstepping set to 8?
09:41 PM rue__: or 16?
09:41 PM rue__: you wrote that bit down right?
09:41 PM zhanx: 8
09:41 PM zhanx: just 2 jumpers
09:42 PM zhanx: yep
09:42 PM rue__: 1600 steps/rev
09:43 PM rue__: zippo:/files/graphics/pictures/2018/temp# units 1inch/18 mm
09:43 PM rue__: * 1.4111111
09:43 PM rue__: so 1142.86steps/mm
09:44 PM Tom_L: that's not what you said last time
09:44 PM rue__: what I said last time was prolly for 20tpi
09:44 PM Tom_L: <rue_> 1259.84 steps/mm
09:45 PM rue__: <Tom_L> <rue_> 1133.86 steps/mm
09:45 PM rue__: wtf
09:45 PM rue__: 200 steps/rev * 8
09:45 PM Tom_L: that was in my logs
09:45 PM rue__: 1/18" is 1.41111mm
09:46 PM rue__: oooh
09:46 PM rue__: not enough decimal places
09:46 PM rue__: zippo:/files/graphics/pictures/2018/temp# calc 1600/1.41111
09:46 PM rue__: 1600/1.41111 -->> 1133.86
09:46 PM rue__: so it should be 1133.86 _for_SURE_
09:46 PM rue__: zhanx, ?
09:46 PM rue__: I used 1.4mm
09:47 PM rue__: to get that wrong number, sorry
09:47 PM zhanx_: ok back
09:47 PM rue__: <rue__> so it should be 1133.86 _for_SURE_
09:47 PM rue__: as long as you're sure it's 18tpi
09:47 PM Tom_L: <rue__> so it should be 1133.86 _for_SURE_
09:48 PM Tom_L: should be easy to find next time :D
09:49 PM zhanx_: yep
09:51 PM furrywolf: up to the "e"s... still not seeing anything suspicious.
09:53 PM rue__: how about fernanda, thats a pretty common name right?
09:54 PM rue__: like 50% of the people in the usa have that name
09:54 PM rue__: right...
09:54 PM zhanx_: rue__, in slic3r to extrude less filament it's the Extrusion multiplier
09:55 PM zhanx_: right?
09:55 PM rue__: it's funny, I was able to come up with 22 bot names and 20 channel names with _no_ collisions on my first try
09:55 PM rue__: zhanx_, typically 0.8 or so
09:55 PM zhanx_: ok its still at 1
09:55 PM rue__: no, 1 is WAY tooo much
09:55 PM zhanx_: knew i was forgetting something
09:58 PM furrywolf: You have: 200 * 8 / rev * 18 rev/inch
09:58 PM furrywolf: You want: /mm
09:58 PM furrywolf: * 1133.8583
09:58 PM furrywolf: just checking. :)
09:58 PM rue_shop4: good point
09:58 PM zhanx_: i do
09:58 PM * furrywolf loves "units"
09:59 PM rue_shop4: yes, I think it's awesome how they did the path solution stuff
10:01 PM zhanx_: ok gonna print this test cube out you sent me
10:02 PM zhanx_: then print the ramps holder
10:06 PM rue_shop4: ok
10:06 PM rue_shop4: I think
10:07 PM rue_shop4: did you print the big square test?
10:07 PM rue_shop4: did I send you a cube?
10:07 PM rue_shop4: doesn't sound right
10:07 PM zhanx_: no loaded the wrong file
10:07 PM zhanx_: big test square was fine
10:07 PM rue_shop4: I just put them all in /tmp, cause it's basically a slice-per-print anyhow
10:08 PM rue_shop4: ok
10:08 PM rue_shop4: I really can't think right now, I apologize
10:09 PM zhanx_: its ok, i am cooling down my extruder motor then changing the driver on that also
10:10 PM Tom_L: what is it about steppers that taking them apart ruins the magnets?
10:11 PM rue_shop4: ? not likely
10:11 PM rue_shop4: zhanx_, dial the current down till they are just warm
10:12 PM rue_shop4: any more torque than that and something isn't working right
10:12 PM Tom_L: https://control.com/thread/1026210607
10:12 PM zhanx_: rue yep forgot to on the extruder is all
10:17 PM furrywolf: one of the usernames turned out to be a freenode staffer... I hope that doesn't get me klined. they can see when you whois them.
10:17 PM * katsmeow mous
10:17 PM katsmeow: what if you who them?
10:17 PM Tom_L: who who
10:18 PM katsmeow: this is all you get from a /who
10:18 PM katsmeow: -
10:18 PM katsmeow: [10:18:pm] #garfield furrywolf H ~furrywolf@ :0 Furry Wolf
10:18 PM katsmeow: [10:18:pm] furrywolf End of /WHO list.
10:18 PM katsmeow: -
10:18 PM furrywolf: getting rue as much information as I can. :)
10:18 PM furrywolf: although I think he's wrong. I see nothing suspicious in my results.
10:19 PM katsmeow: what are you looking for?
10:20 PM furrywolf: rue thinks there's a correlation between the bots that randomly try to find ssh logins and freenode nicks... I'm not seeing it.
10:20 PM katsmeow: o
10:20 PM furrywolf: it's just two big lists that happen to have some overlap... the bots try common names, and sure enough, there's a lot of common names on freenode...
10:23 PM zhanx_: rue now that the motors are tuned better it's quiet and not shaking things loose
10:23 PM zhanx_: bonus!
10:24 PM * katsmeow grits her fangs and bites her tongue
10:24 PM zhanx_: katsmeow, i blew a motor driver a few weeks back doing it wrong and now its better
10:25 PM katsmeow: oh
10:27 PM katsmeow: come to think of it, i bet if you gave him a wood heater too, he'd still be cold as shirt this winter too
10:29 PM furrywolf: ?
10:29 PM rue_shop4: hmmm
10:29 PM rue_shop4: you have my email dont ya?
10:29 PM * katsmeow points the line to zhanx_
10:30 PM katsmeow: me? yeas, but you seldom read it
10:30 PM zhanx_: or respond back also kat
10:30 PM rue_shop4: I check it every day, but I dont always have a reply
10:32 PM zhanx_: my internet is playing games again
10:32 PM * katsmeow sics rue's bot detector onto it
10:34 PM rue_shop4: whoa, clicked out while assembling this circuit board, and was just watching myself do it
10:34 PM rue_shop4: I've done that writing, but never building a circuit board
10:35 PM * Tom_L replaces a blown fuse in rue_shop4
10:43 PM * katsmeow ponders dipping the CFL into Tanglefoot
10:44 PM zhanx: and back
10:44 PM katsmeow: yeas
10:44 PM zhanx: at least the internet doesn't kill the print
10:48 PM furrywolf: I should have made this faster, but I know whoises are rate limited, and get you pointed out to staff if you exceed that rate.
10:49 PM katsmeow: but what valuable bit of data does the whois give you?
10:49 PM katsmeow: i asked before and no one told me
10:51 PM furrywolf: dunno, that's what rue wanted. :P
10:51 PM furrywolf: I'm quite convinced his theory is false at this point.
11:03 PM rue_shop4: the unipolar stepper driver is coming along nicely, so far the current limiting and everything works
11:03 PM rue_shop4: yet to run a motor,
11:04 PM rue_shop4: I should be able to do microstepping with it too
11:05 PM rue_shop4: if ceramic caps are so unstable, how did any early radio stay tuned
11:06 PM katsmeow: tvs didn't
11:06 PM katsmeow: AFC was invented
11:06 PM katsmeow: worked best on FM
11:08 PM zhanx: rue_shop4, 1 hour into print, all motors warm to cool not hot
11:08 PM furrywolf: hopefully this will be done soon, so I can get to bed.
11:08 PM zhanx: the z axis are cool
11:08 PM furrywolf: it's in the 'v's.
11:12 PM rue_shop4: furrywolf, hmmm
11:12 PM rue_shop4: how many hits?
11:12 PM furrywolf: maybe 10%
11:13 PM furrywolf: I've been on IRC a long time, including as an oper and a server admin, and I do not believe there is anything suspicious about these users.
11:15 PM rue__: xxl
11:15 PM rue__: hmm
11:15 PM rue__: don't mean they're all on freenode
11:15 PM furrywolf: I think it means there's nothing to your theory. :)
11:16 PM rue__: I was right about the ssh and irc bots being related tho
11:16 PM zhanx: vs me
11:16 PM rue__: anyhow, zhanx you printing ok now?
11:16 PM zhanx: I think his theory is sound
11:16 PM zhanx: yep
11:17 PM rue__: ok, hows the print look for quality?
11:17 PM zhanx: table is slightly off (less than 2mm overall) but its going great
11:17 PM rue__: 2mm!, ....
11:17 PM rue__: scanner glass, right?
11:17 PM zhanx: yep
11:18 PM zhanx: seems that was not as flat as i thought it was
11:18 PM rue__: is it flat?
11:18 PM rue__: hmm
11:18 PM rue__: use mirror next time
11:18 PM rue__: it has to be flat
11:18 PM zhanx: k
11:18 PM zhanx: gonna tweak the bed what i can tomorrow
11:18 PM rue__: hadoop
11:18 PM zhanx: then the 1st I can get that
11:19 PM zhanx: if i can get it -+ .5mm i will be happy
11:19 PM rue__: geez, the attacks are coming in like crazy now
11:19 PM rue__: I think someone heard me
11:20 PM furrywolf: well, there's more found than I expected... 458 nicks online, 1963 not online. about 20%. but, it's all common stuff, and looks very non-suspicious.
11:20 PM furrywolf: http://fw.bushytails.net/tmp/ruebotwhois/found.txt usernames that whois found
11:21 PM rue__: so wait, of the ssh list, 20% turn up on freenode?
11:21 PM furrywolf: http://fw.bushytails.net/tmp/ruebotwhois/notfound.txt and ones not found
11:21 PM rue__: wait wait... Amit!... was in an ssh list!??!?!?!?!!
11:21 PM furrywolf: http://fw.bushytails.net/tmp/ruebotwhois/botcheck.log.txt complete log of the irc session, which includes other information from the whois results.
11:22 PM furrywolf: http://fw.bushytails.net/tmp/ruebotwhois/command.txt the one line of bash I used to do this.
11:22 PM furrywolf: http://fw.bushytails.net/tmp/ruebotwhois/auth.log.txt relevant lines from my auth.logs that also has ips
11:24 PM * rue__ thinks
11:25 PM rue__: ... /nick rue_mohr
11:25 PM rue__: sdfsdf
11:25 PM rue__ is now known as rue_mohr
11:25 PM * rue_mohr puts a screw in to keep his head on this time
11:25 PM furrywolf: the things you can do with one line of bash... like open an irc connection and do a whois on every username from failed ssh logins. :)
11:26 PM katsmeow: you know freenode itself is now doing such probes?
11:26 PM furrywolf: the found nicks really don't look suspicious to me. hell, five of them are freenode opers. :P
11:27 PM katsmeow: -
11:27 PM katsmeow: [10:16:pm] -freenode-connect- Due to the persistent ongoing spam, all new connections are being set +R (block messages from unidentified users) and will be scanned for vulnerabilities. This will not harm your computer, and vulnerable hosts will be notified.
11:27 PM katsmeow: -
11:27 PM rue_mohr: they should kick nicks that dont say anything in a week or so
11:27 PM rue_mohr: to any channel
11:27 PM rue_mohr: even c-log says stuff
11:28 PM katsmeow: what does c-log say?
11:28 PM katsmeow: "stuff" ?
11:28 PM furrywolf: rue_mohr: it's funny that 20% of them are online, which is higher than I would have expected, but I don't think it indicates any actual relationship... the ssh bots are trying common usernames, and unsurprisingly, with ~90k people online, there's a lot of common usernames online.
11:28 PM rue_mohr: furrywolf, some of those names are just too specific to make me believe there is no relation
11:29 PM katsmeow: you do a /list to get channels, join and do a /who # to get nicks and their addy,
11:29 PM katsmeow: what else did you want?
11:30 PM furrywolf: 18.9%
11:30 PM rue_mohr: wait, you were able to do that with netcat?!!
11:31 PM furrywolf: katsmeow: that's not what he's doing. he's theorizing that the ssh try-common-logins bots are logging in with freenode nicks rather than random usernames, or that there's some connection between the ssh bots and freenode users.
11:31 PM * zhanx_ goes and looks at the script
11:31 PM rue_mohr: not so much
11:31 PM furrywolf: netcat is by far the easiest way to do things like that from bash. heh.
11:31 PM zhanx_: furrywolf, that is nice
11:31 PM rue_mohr: I think that they're related, quite possibly that those are the nicks of the bot controllers, and there is some fighting over the networks
11:32 PM furrywolf: it's not like IRC is a complex protocol... and it can be done non-interactively. my script just blindly sends commands and records the result.
11:32 PM rue_mohr: one user tries to take on another user's bot by having exploited the user/password they set up the exploited machine with
11:32 PM furrywolf: that seems like a hollywood movie plot, not reality.
11:32 PM * katsmeow was an ircop once, and has written irc bots
11:32 PM rue_mohr: the exploited machines join irc using a generated name, sit on a control channel waiting for commands
11:33 PM rue_mohr: furrywolf, yea, this is crazy
11:33 PM furrywolf: as a general rule, if you're proposing something crazy, you're crazy too. :P
11:33 PM rue_mohr: I'm the one in the movie trying to tell everyone there are people in the walls that talk thru the lightbulbs
11:33 PM rue_mohr: but too many things are coming together
11:33 PM katsmeow: did you sort nicks based on how many channels they are in? if some are always only in one channel, maybe that's a control channel
11:33 PM zhanx_: lasers on the windows
11:33 PM zhanx_: IR ones
11:34 PM furrywolf: katsmeow: I wrote services for another network a very long time ago... but some things you never forget. heh.
11:34 PM furrywolf: katsmeow: you can't see what channels a nick is in.
11:34 PM rue_mohr: I'm going to let our password capturing script run a few more days, then give the hackers a login and let them install their stuff, then start taking it apart
11:34 PM katsmeow: you can join all the channels that aren't set +S tho
11:34 PM zhanx_: they turned that off a while ago
11:34 PM furrywolf: you'd need to do a brute-force walk of all channels. and there is protection for this in the ircd. you'd need to do it over a period of days probably.
11:35 PM rue_mohr: but if I could put a client in every channel I could suss out any user who was in at least one channel
11:35 PM rue_mohr: the botnet-control channels would be invite-only I'd imagine
11:35 PM furrywolf: and probably secret
11:35 PM rue_mohr: oh
11:35 PM rue_mohr: hmm
11:35 PM furrywolf: but, looking at the list of found nicks... again, they do NOT look suspicious to me.
11:35 PM rue_mohr: I should be able to tell you by next wed
11:35 PM furrywolf: they look exactly like I'd think a random sampling of nicks would look like.
11:36 PM katsmeow: furry, do the bots ever talk?
11:36 PM furrywolf: they aren't bots. they're just random users who happen to have nicks that are the same as the usernames the ssh attack bots are looking for.
11:36 PM rue_mohr: kat, I think the dead-meat that irc channels fill up with is actually a bunch of the exploited machines
11:36 PM furrywolf: as I said, FIVE of them are freenode opers! you go accuse them of being bots. :P
11:36 PM rue_mohr: why they turn up in legitimate channels is a good question
11:36 PM furrywolf: and, yes, some of the nicks that came back are in channels I'm in.
11:37 PM rue_mohr: we already know the spammers do/have worked for freenode
11:37 PM rue_mohr: rucas was a coder
11:37 PM rue_mohr: this could partly be a developer/management spat
11:37 PM rue_mohr: like what happened in #avr
11:38 PM furrywolf: I think you're turning coincidence into a pattern.
11:38 PM katsmeow: k, i was just thinking the format "whois nick nick" could tell you if they never spoke, and so be bots
11:39 PM furrywolf: most clients on freenode don't speak on any given connection period
11:39 PM furrywolf: that wouldn't tell you anything.
11:39 PM katsmeow: [11:39:pm] rue_shop4 has been idle 26mins 41secs, signed on Wed Aug 08 18:08:51 2018 <<-- if the signon was 26 minutes and 41 sec ago, they never spoke
11:39 PM furrywolf: yes, as I said, it won't tell you anything. :)
11:40 PM katsmeow: ok, but apparently all your data so far isn;t telling you what rue wants to hear
11:40 PM zhanx_: yep. I leave irc on 24/7
11:40 PM rue_mohr: another odd thing is that the honeypot machine on an IP right next to mine, is not seeing the same ssh attempts as my border machine
11:40 PM katsmeow: so i was thinking around the edges of the box
11:40 PM zhanx_: and my connection drops etc
11:40 PM furrywolf: rue wants to hear things that may not be true. :)
11:40 PM katsmeow: Major Newspaper Endorses Republican House Candidate Who Says She Was Abducted by Aliens
11:41 PM furrywolf: rue_mohr: you shouldn't ignore what I'm saying... as someone who has been on IRC a while, the users it found _look normal_.
11:41 PM rue_mohr: if a user is idle for 20160 mins, it's not a real person
11:41 PM katsmeow: regarding dogs vs guns : > So, it seems you're 67.9 times more likely to be bit, than shot.
11:41 PM rue_mohr: furrywolf, mid next week I can tell you a lot more
11:41 PM furrywolf: ... I once forgot an irc client open in a buried xterm for three months...
11:42 PM zhanx_: furrywolf, I left a laptop at my brothers house for a year
11:42 PM rue_mohr: NICE bash script by the way
11:42 PM zhanx_: it was on irc the whole time
11:42 PM rue_mohr: I've never looked into the irc protocol
11:42 PM furrywolf: rue_mohr: RFC1459
11:42 PM rue_mohr: so, I have to lower my bench a foot to fit the new drillpress
11:43 PM rue_mohr: and cut that ring for the mecha to straighten it up
11:43 PM furrywolf: I've used IRC way too much, at the protocol level, ircd code level, etc....
11:43 PM rue_mohr: and get the rails for the solar cells on
11:43 PM rue_mohr: and work out the duct heaters
11:43 PM rue_mohr: and I got the cnc to build
11:44 PM rue_mohr: I'm still workin on the freq gen for my workbench,
11:44 PM rue_mohr: and that pwm controlled unipolar stepper driver for _unreal_ in robotics
11:45 PM furrywolf: there was a time when, for development purposes, I gave my home ip c/n lines, and could telnet in as a TS3 server. if you don't know what it means, translate that as "not only able to manually connect as a client and type the client protocol by hand, but also the more-complex server protocol, complete with non-RFC additions, like correct timestamps on every line."
11:45 PM katsmeow: furry, i worked on dual-path irc, but no one wanted it, so i deleted it all
11:45 PM rue_mohr: the bot attack is really something I didn't need right now...
11:45 PM katsmeow: furry, i worked on AI on irc, some people thought it was human, but no one wanted it, so i deleted it all
11:45 PM furrywolf: katsmeow: have you considered not deleting everything? :P
11:46 PM katsmeow: yeas
11:47 PM furrywolf: in any case, I need to get to sleep. completely exhausted.
11:47 PM rue_mohr: katsmeow, I tore apart 'my best' robot when i was 10 cause it was more important to clean up my room, by the time I'd finished pondering that (years later) I decided that I dont give a rats-ass about that other people think :)
11:47 PM rue_mohr: furrywolf, thanks!
11:47 PM rue_mohr: I'll ponder!
11:47 PM katsmeow: i still delete stuff, posted pics here yesterday, only Tom looked, so i deleted them too
11:47 PM furrywolf: rue_mohr: again, as I said, those nicks _look normal_. they don't look like bots. they look like a normal random sampling of normal irc users.
11:48 PM rue_mohr: I'm burning to know what I learn when I see what they're doing
11:48 PM rue_mohr: esp for irc-network/channel/username
11:48 PM furrywolf: obviously, that doesn't mean any specific nick isn't a bot... but, overall, it's not a pattern. they're just random nicks.
11:48 PM furrywolf: bbl
11:48 PM katsmeow: happy sleeps
11:49 PM rue_mohr: ah, I could join whatever they have the exploited machines joining and pretend to be a bot
11:49 PM rue_mohr: oooooo
11:55 PM rue_mohr: why would two machines on the internet, get completely different sets of attacks
11:56 PM rue_mohr: then again, this is a progressive attack
11:56 PM rue_mohr: they only check you out for about 6 hours before trying to get in
11:57 PM zhanx_: 10 minutes left on the print rue
11:58 PM rue_mohr: does it look good?
11:58 PM rue_mohr: you have the temp set somewhere under where you can smell the sugar?
11:58 PM zhanx_: yep 200 ended up being the sweet spot
11:59 PM zhanx_: pun intended
11:59 PM rue_mohr: 359677 1533847805 :seconds idle, signon time
11:59 PM rue_mohr: 1408508 1533409623 :seconds idle, signon time