BotHunting 101 :P

This is a VERY basic review of simple bothunting. It won't find a well hidden bot, but it will help somewhat. :)

Okay, first, trace the server you are on, just to get a userlist to go off of. Here are my general guidelines for determining a bot:

1: If the client version shows mIRC 4.0 or above, there should be NO reply to a clientinfo finger.

2: If the client version shows below mIRC 4.0, the clientinfo botcheck reply should be this:
[nick CLIENTINFO reply]: ACCEPT ACTION CLIENTINFO DCC ECHO FINGER PING RESUME SOUND TIME USERINFO VERSION

3: If the client version shows PIRCH, the clientinfo and version should both be dumb PIRCH advertisements.

4: If the client version shows any ircII client, the clientinfo finger should show this:
*** CTCP CLIENTINFO reply from PrimeMonk: FINGER shows real name, login name and idle time of user
No reply does not make it a bot, but if it says it's a BitchX or ircII client and it replies like this:
*** CTCP CLIENTINFO reply from PrimeMonk: finger is not a valid function
it's a bot.
NOTE: ircII Roof 2.9 does this as well. This is a bug in Roof 2.9, so if it responds like that but its version reply was 2.9, it may not be a bot.
**** Thanks to MhZ for this one ****

5: A ComBot will reply to a version with:
*** CTCP VERSION reply from KiRbPuFf: ComBot Version 2.09

6: ViRC should not reply to the clientinfo but will reply to the version with an ad for ViRC.

Now, here's a few odd samples from a check on blackened2 one day:

ZayElhawa is maw3ood@Mercury.mcs.com * Composed in UAE, London, and Egypt
ZayElhawa on @#ba7rain
ZayElhawa using irc2.blackened.com Darkening in Vain
zayelhawa End of /WHOIS list.
[ZayElhawa VERSION reply]: you suck, v1.0

A version reply of that is a common Eggdrop script.

BobDobbs is ~jbh6n@watt.seas.Virginia.EDU * Fuck 'em if they can't take a joke.
BobDobbs using irc2.blackened.com Darkening in Vain
bobdobbs End of /WHOIS list.
- [BobDobbs VERSION reply]: Running ircII 2.8.2 Linux with BuRRiTo mods by TaCo

This client claims to be a standard ircII client, but does NO clientinfo reply at all. Another one to just kind of watch, but probably a bot.

*** G|nger is aileigh@beernutz.pcons.com (I'm not here...I'm a figment of your imagination!)
*** on channels: @#Anaheim
*** on irc via server irc-e.primenet.com (Primenet Mae-East IRC server)
*** G|nger has been idle 13 minutes
*** CTCP ERRMSG reply from G|nger: CLIENTINFO: \hello! is not a valid function
*** CTCP VERSION reply from G|nger: EcLiPsE v1.3 by Dream Childe
*** CTCP CLIENTINFO reply from G|nger: FINGER shows real name, login name and idle time of user
*** CTCP FINGER reply from G|nger: Jeffrey pc@duggy.extern.ucsd.edu, idle 8 seconds
*** CTCP FINGER reply from G|nger: Jeffrey pc@duggy.extern.ucsd.edu, idle 8 seconds

Finger idle time did not change...

Okay, further tests on ones that you are not sure about........

1: DCC chat it and see if it does the dumb "I don't accept dcc chats from strangers." notice.
2: Msg it hello or help and see if it responds.
3: Join/hang out on the channel it's on and watch it. Or type "seen boink" and "!seen boink" in the channels and see if it says "I haven't seen boink" or "I don't know who boink is".
4: Msg it with "ident boinkita nick". If it replies with some form of "No password set" or "access denied", it's a bot.
5: To see if it's a JohBot, join its channel with two clients. Quit one client with "irc.blackened.com irc.primenet.com". A JohBot will change its nick when it thinks it sees a split via quit.
6: CTCP finger the client; some admit to being a bot from that.
7: CTCP finger the client twice, five seconds apart. If the idle time is >5 and the same in both fingers, it's fake and a bot. If it is 0 seconds both times, it is PROBABLY but not 100% a bot.
8: Run BotScan on the domain. (if you need it let me know)
9: Divbot test. Ping the server/user. If they come back with a BOLD pong return, version them. If they return Phoenix, most likely a divbot.
***Thanks to stats for this one!!!***
11: I made another alias called eggtest. eggtest sends a msg $0 ^APING^A^APING^A^APING^A. If the nick responds with multiple REAL (not notice) ping replies, it's an older eggdrop.
***Thanks to Megalith for this one!!!***
12: ComBot test: Do a /ctcp nick source. A ComBot will reply with Combot v.
***Thanks to moonwolf for this one!!!***
13: Do a /ctcp nick egg\drop. If it returns with an error where the \ in egg\drop has been stripped out, it's a bot.
14: One more tip: try to look for clues. For example, if the "client" has an away msg that says [BX-Msg ON] but returns a ScrollZ version reply, then it's a bot; I caught a couple of bots that way.
***Thanks to Goodfella for this one!!!***
15: If the version says ircII SunOS, Linux, etc., try to telnet to the site and see if it's really that OS. [warning] Some wiseguys might change the clientinfo of their scripts to anything, so this does not always mean it's a bot.
***Thanks to Goodfella for this one!!!***
16: Some bots that have bitch.tcl installed will return two replies when you /ctcp botnick clientinfo; if you get two replies, it's a bot.
***Thanks to Goodfella for this one!!!***
17: You can finger a bot that emulates bitchx.tcl, and if it returns a reply, then it's a bot, because the BitchX client doesn't return finger replies (at least up to the BitchX 70 version).
***Thanks to Goodfella for this one!!!***
18: If an eggdrop is running bitchx.tcl, you can do a /ctcp clientinfo finger, and an eggdrop will respond with:
*** CTCP Clientinfo Reply from DensitY!rave15@shell.wildcherry.com : FINGER shows real name, login and idle time of user.
A real BitchX client says "Login name" instead of just "login".
***** Thanks to goodfella for this one ******
19: Another eggdrop bitchx.tcl bug. For some reason it responds to the following with 2 extra \\.
/ctcp density echo \{test}\
*** CTCP Echo Reply from DensitYe!rave15@shell.wildcherry.com : \\\{test\}\\
***** Thanks to goodfella for this one *****

That's about it. Let me know if you have any questions. I'll TRY to answer them :) Any additions are greatly appreciated too. Thanks to GoodFella for reviewing it before this rev went out.

Ray Powers
Monkster
rayp@primenet.com
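As an added example (not part of the original guide), here is a small Python script that parses CTCP reply NOTICEs off the wire and applies rules 1 and 4 from the first list and rules 7, 17 and 18 from the second list to the G|nger transcript above. The raw IRC line framing of the samples, the "hunter" target nick and the function names are assumptions.

```python
import re

# Constructed sample NOTICE lines modelled on the G|nger transcript in the guide;
# the raw IRC framing (prefix, NOTICE target, \x01 delimiters) is assumed.
SAMPLE = [
    ":G|nger!aileigh@beernutz.pcons.com NOTICE hunter :\x01VERSION EcLiPsE v1.3 by Dream Childe\x01",
    ":G|nger!aileigh@beernutz.pcons.com NOTICE hunter :\x01CLIENTINFO FINGER shows real name, login name and idle time of user\x01",
    ":G|nger!aileigh@beernutz.pcons.com NOTICE hunter :\x01FINGER Jeffrey pc@duggy.extern.ucsd.edu, idle 8 seconds\x01",
    ":G|nger!aileigh@beernutz.pcons.com NOTICE hunter :\x01FINGER Jeffrey pc@duggy.extern.ucsd.edu, idle 8 seconds\x01",
]

def parse_ctcp_reply(line):
    """Return (nick, tag, payload) for a NOTICE carrying a CTCP reply, else None."""
    m = re.match(r"^:([^!\s]+)\S* NOTICE \S+ :\x01([A-Z]+)(?: (.*?))?\x01", line)
    return (m.group(1), m.group(2), m.group(3) or "") if m else None

def collect(lines):
    """Group reply payloads per nick: {nick: {tag: [payload, ...]}}."""
    out = {}
    for line in lines:
        parsed = parse_ctcp_reply(line)
        if parsed:
            nick, tag, payload = parsed
            out.setdefault(nick, {}).setdefault(tag, []).append(payload)
    return out

def judge(replies):
    """Apply the guide's checks to one nick's replies (rule numbers in the comments).
    The FINGER payloads are assumed to come from requests sent more than 5 s apart."""
    version = (replies.get("VERSION") or [""])[0].lower()
    cinfo = (replies.get("CLIENTINFO") or [""])[0]
    fingers = replies.get("FINGER", [])
    findings = []
    m = re.search(r"mirc(?:32)? ?v?(\d+\.\d+)", version)
    if m and float(m.group(1)) >= 4.0 and cinfo:        # first list, rule 1
        findings.append("mIRC 4.0+ answered CLIENTINFO FINGER")
    if ("ircii" in version or "bitchx" in version) and "not a valid function" in cinfo.lower():
        findings.append("ircII-type client says finger is not valid")   # first list, rule 4
    if "bitchx" in version and fingers:                  # second list, rule 17
        findings.append("BitchX claimed but FINGER answered")
    if "bitchx" in version and re.search(r"login and idle", cinfo, re.I):
        findings.append("bitchx.tcl wording: 'login' not 'Login name'")  # second list, rule 18
    idles = [int(x.group(1)) for x in map(lambda f: re.search(r"idle (\d+)", f), fingers) if x]
    if len(idles) >= 2 and idles[0] == idles[1] and idles[0] > 5:   # second list, rule 7
        findings.append("FINGER idle time did not change")
    return findings
```

Running `judge(collect(SAMPLE)["G|nger"])` flags only the frozen idle time, which is exactly the clue noted in the transcript.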