Fingerprints
You will always need to be vigilant and watch out for abuse. Crimes such as stealing credit cards, ddos botnets, and phishing scams do happen on IRC, and it's our job to prevent our network from being overrun with criminals.
Don't get discouraged if you can't stop all crime. Even stopping half of them will go a long way towards deterring criminals.
The first tool at your disposal is to check the available metadata on users that connect to your server. For example, for users that connect to IRC, you can run this command:
/whois username username
That will decloak the user's hostmask and reveal their IP address. You can then perform a host and whois lookup (see police for more details):
$ host 192.168.0.1 $ whois 192.168.0.1
In addition to this metadata, you can also check the fingerprints that botnow collects on users:
$ doas su botnow $ sqlite3 /var/www/botnow/botnow.db
To select all the rows of data from the bnc table:
sqlite> select * from bnc;
To select all the rows of data from the shell accounts table:
sqlite> select * from shell;
And to select all the rows of data from the irc client table:
sqlite> select * from irc;
For example, you might see this data for a bnc row:
|1026844251|||criminal|criminal@example.com|$2b$11$99a4jtzu7BnmeXOcESf5E.I2aGeyhY0mka8AeMBVK3x.VaCevCu2h||394
This tells you that for IRC id 1026844251, username criminal had an email address of criminal@example.com with password hash of $2b$11$99a4jtzu7BnmeXOcESf5E.I2aGeyhY0mka8AeMBVK3x.VaCevCu2h and a captcha of 394.
To find out more metadata about this user's IRC client, you can issue:
sqlite> select * from irc where id = 1026844251; 1026844251|criminal!~criminal@192.168.0.1|criminal|||||mIRC v7.64|Sun Feb 06 00:22:30 2022|1644081761||||||20220205
This tells us that for the user with id = 1026844251, the hostmask is criminal!~criminal@192.168.0.1, the CTCP Version reply is mIRC v7.64, the CTCP Time reply is Sun Feb 06 00:22:30 2022, and the registration date is 2022/02/05 (Feb 5th, 2022).
We can quickly compile a dossier of the user as follows:
Username: criminal Email Address: criminal@example.com criminal!~criminal@192.168.0.1 mIRC v7.64 Sun Feb 06 00:22:30 2022 Registration Date: 2022/02/05
Matching IPs
To see all connections all users have made to znc:
$ doas less /home/znc/home/znc/.znc/moddata/adminlog/znc.log
You can search existing connections to znc using grep.
$ doas grep -iRE '\[$USERNAME\] connected to ZNC' /home/znc/home/znc/.znc/moddata/adminlog/znc.log
You will want to replace $USERNAME with the actual username.
This will show all connections of USERNAME to znc. We can use sed to output all unique IPs to a file:
$ doas sed -n 's/.*\[$USERNAME\] connected to ZNC from \(.*\)/\1/p' /home/znc/home/znc/.znc/moddata/adminlog/znc.log | sort -V | uniq > ~/$USERNAME
You can also search by IP addresses and using regular expressions:
$ doas grep -iRE '(192.168.0.1|192.168.0.2)' /home/znc/home/znc/.znc/moddata/adminlog/znc.log
This can help you find multiple IP addresses.
One helpful technique is as follows:
Connected networks and channels
You can see what networks the user USERNAME is connected to by typing (inside IRC while connected to znc as admin):
/msg *controlpanel listnetworks USERNAME
You can also connect to his network and /whois USERNAME to find all the channels he is a part of.
Detecting patterns
I've noticed a pattern. Let's say we have a scammer called criminal. What this scammer does is he names his networks by letters like D E F. Anytime I find a suspicious person from an his subnet's IP address, I just run /msg *controlpanel listnetworks username. If I see something similar to:
13:34 <*controlpanel> | E | Yes | irc.example.com | Guest55013!criminal@example.com | 2 |
It's probably criminal, only he would name his network E. Sometimes a trick I use is to scan /home/znc/home/znc/.znc/moddata/adminlog/znc.log for a single capital letter.
If it's a user from his subnet + single letter network names + in suspicious channels + he likes to customize his realname, that's usually a good sign it is criminal.
I have some ideas for how to automate but I think it will be an arms race. Once he figures out how i detect him, he might change his signature.