Media Force Problem!!! Help or come with suggestions...

NightLitch · 11 November, 2003, 19:17:37

Hey Guys... Recently my hub have been visit by Media Force users/bot now I wonder following things:

? Is the share always around 17 Gb ???

? How do they get through our IP-Range script when others don't ??

? any way to get them out of my hub..?? exept for Make the hub registred users only???

Hope for some good answers...

)

/NightLitch

SaintSinner · 11 November, 2003, 19:28:58

17 gig sounds about right according to the rumors

they may be using a differnt ip, they are just not locked into 1 ip range, if it was the same ip then your IP-ranger is not too good, do proper test on it, like ban your friends ip range and ask him to connect. i imagine you know the rest of this test.

anyway to get them out...nope no legal contracts, no disclamers, no "pelase dont come into my hub" will work.

P.S. and dont publish your hub on one of the hublists, that is what they use...good luck....them damn ratbasterds...

NightLitch · 11 November, 2003, 19:57:20

So the Gigabytes can't be diff. sometimes ??? more less than 17???

And My ranger does not let users by... that I now.. Have worked alot on it to know that...

then about the ips... can the bounce between ips???

Or could there be a Media Force "goverment" inside our city network(DMZ) ???

How can I prevent this ??? with some script or what.?..

Have checked to The ( HubSecure-Script Created by Sid )

Is that something to recomend ???

pieces from the code:

-- Anti MediaForce Setup
  bBlockMediaForce = 1   -- (0 = False, 1 = True)
  bLogMediaForceAttempt = 1   -- (0 = False, 1 = True)
  aMediaForceVersions = {"1.0.25"}
  aMediaForceShareAmount = {"18552221398"}
  iMediaForceAction = 2   -- (0 = Nothing, 1 = Disconnect, 2 = TempBan, 3 = Ban)
  sMediaForceFoundMessage = " was a searchbot most likly MediaForce and was temporarily banned. ()"

function NewUserConnected(curUser)
	if bBlockMediaForce == 1 then
		-- Anti MediaForce
		local foundMediaForce = 0

		for key,checkWord in aMediaForceVersions do
			if strfind(curUser.iVersion, checkWord, 1, 1) then
				foundMediaForce = 1
			end 
		end
		
		if foundMediaForce == 0 then
			for key,checkWord in aMediaForceShareAmount do
				if strfind(curUser.sMyInfoString, checkWord, 1, 1) then
					foundMediaForce = 1
				end 
			end
		end

		if foundMediaForce ~= 0 then
			SendToAll (sBotName, gsub(gsub(sMediaForceFoundMessage, "", curUser.sName), "", curUser.sIP))
			if bLogMediaForceAttempt == 1 then
				AppendFile("../Logs/MediaforceBot_"..date("%m-%d-%y")..".txt", curUser.sName.." ("..curUser.sIP..") was detected as a Mediaforce Bot.  Version: "..curUser.iVersion.." MyInfo: "..curUser.sMyInfoString)
			end
			
			curUser:SendData(sBotName, sMediaForceFoundMessage)
			
			if iMediaForceAction == 1 then
				curUser:Disconnect()
			elseif iMediaForceAction == 2 then
				curUser:TempBan()
			elseif iMediaForceAction == 3 then
				curUser:Ban()
			else
				-- Do Nothing
			end
		end
	end
end

This is all I could see that has with Media Force to do...

/NightLitch

[NL]Pur · 11 November, 2003, 19:58:34

MediaForce:4.43.96.0-4.43.96.255
MediaForce:4.43.124.192-4.43.124.255
MediaForce:65.247.105.240-65.247.105.255
MediaForce:65.192.0.0-65.192.0.255
MediaForce (Obsidian Holdings):65.223.0.0-65.223.7.255
MediaForce:208.251.137.0-208.251.137.255
MediaForce:65.233.255.0-65.233.255.255
MediaForce:65.243.215.0-65.243.215.63
MediaForce:63.76.173.32-63.76.173.47
MediaForce:4.43.36.1-4.43.36.3

here some ranges they are using.

NightLitch · 11 November, 2003, 20:02:25

I have a huge archive with IP's from them... but none of the ips match our ranges in the ip-script we run... and it is 100% build with Chilla's LOGGER some parts :-)

/NightLitch

SaintSinner · 11 November, 2003, 20:07:26

QuoteOriginally posted by NightLitch
I have a huge archive with IP's from them... but none of the ips match our ranges in the ip-script we run... and it is 100% build with Chilla's LOGGER some parts :-)

/NightLitch

like i said,..
they dont just use the known ip ranges
there is no law stating they have to use these
they are trying to cover their tracks so i can imagine they will prob be using proxy servers and such.

TiMeTrAVelleR · 11 November, 2003, 20:31:21

Try PeerGuardian

TiM?

[NL]Pur · 11 November, 2003, 20:38:46

mediaforce isn't using proxies, if you have used a proxy sometime, you will know there just no fast proxy.

MediaForce: 4.43.36.1-4.43.36.3

this range is blocked 65 times the last 3 days by my visnetic firewall, that's alot, if you trace a mediaforce ip you see the the ip in question doens't resolve anything but the second too last hop show mediaforce.

and yes they could get a normal adsl connection, but what then you just let them also in with there ip ranges they use as company mediaforce ?

NightLitch · 11 November, 2003, 21:04:12

PeerGuardian are not gonna stop them to enter the hub or???

can't I use above code I copied???

Otherwise must I ban all those ranges to be sure??

Or should I let it be?? that is probobly the last question I ask about this...

Cause I see no real solusion for this in the hub... But then again, I could have missed the piont in your words, cause my english sucks somtimes...

/NightLitch

kepp · 11 November, 2003, 21:11:32

What is mediaforce anyway?

SaintSinner · 11 November, 2003, 21:41:46

but who do these co hire to work for them
hackers and ex hackers to write programs and
to bust into hubs and harvest ip ip addresses

if you think like a hacker, what are they always trying
to do, hide themselves. and sure they may be doing
it from their corporate office but i would not be surprised
if they also use another block that is not associated
with them,

if they are still getting into your hub bypassing the script then why not think that they have some type of
software to bypass that check,...there have been
stranger things happen in direct connect.
or do some scripts just stop working for some reason,

SaintSinner · 11 November, 2003, 21:57:59

QuoteOriginally posted by kepp
What is mediaforce anyway?

they are a company that is hired by the RIAA
to go into various hubs the kazaa network, and
other p2p apps to check the shares of users and
then they harvest the ip addresses, and turn them
over to RIAA and then they twist your isp's arm to
get your name and address.

FUKING RAT BASTARDS!!!! X( X( X(

plop · 11 November, 2003, 23:00:39

peerguardian only blocks tcp, for the hub this is no problem as it only uses that.
better is 2 use a real firewall like pur.
visnetic is hard 2 setup but it's definatly worth it.

plop

kepp · 11 November, 2003, 23:21:07

Suggestion: If they enter.
Remove your share...
if that is what they do, check people for what they share.
:)

plop · 11 November, 2003, 23:50:28

QuoteOriginally posted by kepp
Suggestion: If they enter.
Remove your share...
if that is what they do, check people for what they share.
:)

sharing is not illegal, uploading is.
couple steps are needed before they can sew your ass (differs per country).
basicly they 1st need 2 know what you share, with that they need 2 go 2 court (not in all country's) 2 get a court order for your isp 2 monitor what you are uploading.
that last result can be uses 2 get your personal adress 2 deliver you a letter telling you when you have 2 be in court for judgement day.
most isp's are friendly enought 2 send you a warning on the 1st letter from company's like that.
riaa/mediaforce kinda think there god and don't need a court order.
mostly they send a letter asking your isp 2 give them your adress, wich your isp (again in most country's) may not give.
privacy rules.

plop

lazyj189 · 12 November, 2003, 03:06:02

if your having such a problem with mediaforce, why not post the ips of all of them here for others to start banning?

As for peerguardian, it took too much of my resources to run, so I decided that I liked Chilla's logger bot. I'm slowly adding all peerguardian ip ranges to his script, which I have found to be quite successful.

[2003-11-06 12:17] *** User : zSearch[moglo] IP : 24.225.168.19 : Was in the Deny Ranges, NetName: "Patriot Media Communications", Disconnecting...
[2003-11-06 18:43] *** User : zmphcz IP : 64.32.163.210 : Was in the Deny Ranges, NetName: "IRMA", Disconnecting...
[2003-11-07 10:12] *** User : zSearch[moglo] IP : 158.39.124.42 : Was in the Deny Ranges, NetName: "SSIN", Disconnecting...

I wil admit, it could go faster if I could get help from others on doing the input, otherwise to ban so may ips is taking me a lot of time considering I am trying to do it when I am home and not working. I do intend to start a new thread and post the completed list for others to download and have and hopefully make it even bigger and share amongst everyone. If you feel you might want to help input ips, I have the list in a text file and have been deleting line by line as I add them. there's ways to get a hold of me, otherwise I will just continue to plug along by myself.

Roy · 12 November, 2003, 11:13:02

I'm looking at his script now and it says

BIPRange = {} in the IpDenyranges.txt

Can u put ip ranges in it like this?

BIPRange = {64.62.143.64-64.62.143.95,63.236.7.160-63.236.7.175} <-- thats the Sygate plain text way.

If u can do it like that or something similar chances are big for u to not have to do it manually.

have a look at this different blocklists:
Blocklists

and this blocklist converter:
bluetack

there is also possible to combinate those sites by putting ip lists from the first link in the second links converter.

Roy

PtokaX forum

News:

Media Force Problem!!! Help or come with suggestions...

NightLitch

SaintSinner

NightLitch

[NL]Pur

NightLitch

SaintSinner

TiMeTrAVelleR

[NL]Pur

NightLitch

kepp

SaintSinner

SaintSinner

plop

kepp

plop

lazyj189

Roy