Strange IRC/Norton Bug - peering after DCC SEND Exploit

  1. #1
    []D.[].[]V[].[]D. VampYre's Avatar

    Join Date
    Oct 2005
    Location
    Saint Louis, MO
    Posts
    1,850
    Points
    2,127.40
    Thanks
    9
    Thanked 102 Times in 45 Posts


    Strange startkeylogger IRC/Norton Bug - DCC SEND BUG

    I'm not quite sure what the problem is with this, but I'm told it's a problem with Norton Personal Firewall.

    When you type "startkeylogger" in a populated IRC channel you will notice that many of the clients in the channel quit, with the quit message: "Read error: Connection reset by peer".


    If you are caught doing ANY EXPLOIT in #videopimp or any of its affiliate channels, expect to be banned....for 180 days... (NO MERCY FOR EXPLOITERS!)

    This is your only warning...


    It's made it to Slashdot


    Update...More Info...


    What's going on is, there's a problem with the way some Norton firewall products listen for and respond to a certain bit of malware called Spybot. So apparently whenever Norton sees the string 'startkeylogger' in an IRC session (whether private message or in a channel), it disconnects you from IRC. You can rejoin IRC almost immediately, but the problem will happen anytime that string is seen. And a lot of immature people think it's great fun to send that string and watch people be disconnected.
    As of 7:30 PM pacific time on February 23, 2006, we don't see any response or solution to this from Norton/Symantec. We encourage those of you who run their product to complain to them about it!
    The temporary solution, for those of you running Norton firewall products:
    Norton -> Intrusion detection -> configure tab -> advanced tab --> uncheck Spybot keylogger item
    This does open you to the Spybot attack. While we consider the risk kinda low, we invite you to read everything at the link above and make your own decision in the matter. And let us know if you hear of any other solutions - especially a fix from Norton!


    If you are getting this from people DCC SEND ". . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . " 0 0 0
    It's yet another exploit. From what we know, it's caused by a problem in a few routers:

    Netgear WGT624v2
    Linksys WRT54G
    Linksys 5-port switch
    Netgear WGR614 V6

    Hopefully Linksys/Netgear will fix the firmware.

    The workaround is to connect via a different port than 6667,

    like 6666; most servers have them open. Try /stats P to find an alternative port.

    So if you see people peering after DCC SEND blah blah stuff,
    tell them to connect via 6666.

    The DCC SEND one affects a few routers... Linksys/Netgear, it seems.
    They have a NAT handler installed for port 6667.


    IF YOU ARE CAUGHT DOING OR ATTEMPTING TO DO ANY OF THESE COMMANDS IN AN OPEN CHANNEL OR VIA PM/NOTICE/CTCP/ETC, EXPECT TO ENJOY A 180 DAY BAN!
    Last edited by VampYre; 03-04-2006 at 08:36 AM.
    - VampYre
    - Videopimp Owner
    - Forums Owner/Admin
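
A moderation-side check for the two trigger messages described in the post above, as an added example that is not part of the original thread: it parses raw IRC lines and flags senders for channel operators. The nicks and hosts are constructed, and the case-insensitive match and the three DCC SEND heuristics are assumptions, not documented Norton or router behaviour.

```python
import re

# Trigger strings come from the thread; the matching rules are assumptions.
KEYLOGGER_TRIGGER = "startkeylogger"
DCC_SEND = re.compile(r"\bDCC\s+SEND\b", re.IGNORECASE)
LINE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<host>\S+) (?P<cmd>PRIVMSG|NOTICE) "
    r"(?P<target>\S+) :(?P<text>.*)$"
)

def classify(raw_line):
    """Return (nick, host, target, reason) for a trigger line, else None."""
    m = LINE.match(raw_line.rstrip("\r\n"))
    if not m:
        return None
    text, target = m.group("text"), m.group("target")
    is_ctcp = text.startswith("\x01")      # real DCC offers are CTCP-wrapped
    body = text.strip("\x01")
    if KEYLOGGER_TRIGGER in body.lower():
        reason = "startkeylogger"
    elif DCC_SEND.search(body):
        fields = body.rsplit(None, 3)      # [head, address, port, size]
        zeroed = len(fields) == 4 and fields[1] == "0" and fields[2] == "0"
        if target[0] in "#&":              # a file offer never targets a channel
            reason = "dcc-send-in-channel"
        elif not is_ctcp:
            reason = "dcc-send-not-ctcp"
        elif zeroed:
            reason = "dcc-send-zero-address"
        else:
            return None                    # looks like an ordinary DCC offer
    else:
        return None
    return (m.group("nick"), m.group("host"), target, reason)

def offenders(lines):
    """Group the reasons by (nick, host) so operators can review repeat senders."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result:
            hits.setdefault((result[0], result[1]), []).append(result[3])
    return hits

# Constructed sample traffic (not taken from the thread).
SAMPLE = [
    ":alice!a@host1.example PRIVMSG #chan :hello everyone",
    ":mallory!m@host2.example PRIVMSG #chan :startkeylogger",
    ':mallory!m@host2.example PRIVMSG #chan :DCC SEND ". . . ." 0 0 0',
    ":bob!b@host3.example PRIVMSG carol :\x01DCC SEND notes.txt 3232235777 5000 1024\x01",
    ":eve!e@host4.example NOTICE carol :\x01DCC SEND x 0 0 0\x01",
]
```
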




  2. #2

    Listing all the morons who do it...name and shame time...and this guy got caught by an ircOP


    * Freelance (~zoufhri@modemcable161.99-201-24.mc.videotron.ca) has quit IRC (Killed (stevoo (piss off)))
    Last edited by VampYre; 03-05-2006 at 12:52 AM.
    - VampYre
    - Videopimp Owner
    - Forums Owner/Admin




  3. #3

    Anyone who is running Norton Internet Security and on IRC, please do this temp fix.

    The temporary solution, for those of you running Norton firewall products:
    Norton -> Intrusion detection -> configure tab -> advanced tab --> uncheck Spybot keylogger item
    - VampYre
    - Videopimp Owner
    - Forums Owner/Admin




  4. #4

    I keep seeing people do this, expect to be banned for doing it, we might not catch you right away, but when we do, you will be reported to ircOPs and taken care of from their side (want to be banned from EFnet??).
    - VampYre
    - Videopimp Owner
    - Forums Owner/Admin
