<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-gb">
	<link rel="self" type="application/atom+xml" href="https://forum.eggheads.org/app.php/feed/topic/10085" />

	<title>egghelp/eggheads community</title>
	<subtitle>Discussion of eggdrop bots, shell accounts and tcl scripts.</subtitle>
	<link href="https://forum.eggheads.org/index.php" />
	<updated>2005-07-22T11:59:12-04:00</updated>

	<author><name><![CDATA[egghelp/eggheads community]]></name></author>
	<id>https://forum.eggheads.org/app.php/feed/topic/10085</id>

		<entry>
		<author><name><![CDATA[Sir_Fz]]></name></author>
		<updated>2005-07-22T11:59:12-04:00</updated>

		<published>2005-07-22T11:59:12-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=53014#p53014</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=53014#p53014"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=53014#p53014"><![CDATA[
My code simply detects nicks that match the following standards:<ul><li>Nick and ident are equal (or at least the ident exists in the nick)</li><li>The first 4 letters of the nick are alpha [A-z]</li><li>The last 2 letters of the nick are integers [0-9]</li><li>The last letter of the ident is an integer</li><li>and the first character of the ident is '~' (unresolved idents)</li></ul>but it first checks if the nick is all alpha (has no numbers or other symbols) or if it contains one of "-^`_"; if it does, then it won't check for the above.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=3085">Sir_Fz</a> — Fri Jul 22, 2005 11:59 am</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[metroid]]></name></author>
		<updated>2005-07-22T02:51:55-04:00</updated>

		<published>2005-07-22T02:51:55-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52998#p52998</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52998#p52998"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52998#p52998"><![CDATA[
If you don't know if it works, try testing it.<br><br>I'm sure you can come up with some random nicknames and test it on yourself. And if you need such a script, I'm sure you will also have some random nicks from that <img class="smilies" src="https://forum.eggheads.org/images/smilies/icon_rolleyes.gif" width="15" height="15" alt=":roll:" title="Rolling Eyes"><p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=5078">metroid</a> — Fri Jul 22, 2005 2:51 am</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[r0t3n]]></name></author>
		<updated>2005-07-21T16:29:53-04:00</updated>

		<published>2005-07-21T16:29:53-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52978#p52978</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52978#p52978"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52978#p52978"><![CDATA[
so<br><div class="codebox"><p>Code: </p><pre><code># Ban time in minutes (newchanban and timer both count in minutes).
set drone(bantime) "30"

setudef flag pjenscan
setudef flag dronescan
setudef str pjenjoins
setudef str pjendetected
setudef str pjenkicked
setudef str dronejoins
setudef str dronedetected
setudef str dronekicked

# ap:check is not defined in this post; only drone:check is.
bind join - * ap:check
bind join - * drone:check

proc drone:check {nick uhost hand chan} {
  # Only act on channels that have the dronescan flag set.
  if {![channel get $chan "dronescan"]} {
    return 0
  }
  # Skip known users with any of the n/m/o/f flags.
  if {[matchattr $hand nmof|nmof $chan]} {
    return 0
  }
  if {[string match "*quakenet.org" $uhost]} {
    return 0
  }
  # All-alpha nicks and nicks containing one of -^`_ are not checked.
  if {[string is alpha $nick] || [string match *\[-^`_\]* $nick]} {
    return 0
  }
  scan $uhost %\[^@\]@%s ident host
  if {([string match -nocase "*[set sident [string trimleft $ident ~]]*" $nick]) &amp;&amp; ([string is alpha [string range $nick 0 3]]) &amp;&amp; ([string is integer [string range $nick end-1 end]]) &amp;&amp; ([string is integer [string index $sident end]]) &amp;&amp; ([string index $ident 0] == "~")} {
    putquick "KICK $chan $nick :You have been detected as a drone. \(ID: [channel get $chan "dronedetected"]\). If you think this is a mistake, please type: /msg $::botnick im not infected!! to be removed from the database."
    putquick "MODE $chan +b $uhost"
    newchanban $chan $uhost $::botnick "You have been detected as a drone. \(ID: [channel get $chan "dronedetected"]\). If you think this is a mistake, please type: /msg $::botnick im not infected!! to be removed from the database." $::drone(bantime)
    # timer takes one command argument, so each command is built with list;
    # both run when the ban expires rather than immediately.
    timer $::drone(bantime) [list putserv "MODE $chan -b $uhost"]
    timer $::drone(bantime) [list putserv "PRIVMSG $nick :You have been unbanned from $chan."]
    # Time and date of the detection, taken from the Tcl clock.
    set stamp [clock format [clock seconds] -format "%H:%M:%S %d/%m/%Y"]
    set fp [open drones.db a]
    # puts takes a single string, so the record is written as one line.
    puts $fp "$nick $uhost $stamp $::botnick"
    close $fp
    putloglev D * "$nick \($uhost\) detected as a drone and added to the database \($stamp\) \($::botnick\) ."
  }
}</code></pre></div>That's what I have just made for a simple drone detection script. Don't know if it will work. Didn't understand the integer stuff, so I hope you don't mind, Sir_Fz, me copying most of your script.
Can anyone help me script a more advanced one, and also a trojan detection script? I'm a noob at TCL, but at least I'm trying to make an antipjen-drone-proxy script for all users to use. Totally public for all to use, not like aspb. Thanks for all your help so far as well ;p (^-^)<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=6300">r0t3n</a> — Thu Jul 21, 2005 4:29 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[greenbear]]></name></author>
		<updated>2005-07-21T15:36:56-04:00</updated>

		<published>2005-07-21T15:36:56-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52976#p52976</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52976#p52976"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52976#p52976"><![CDATA[
He uses string index to see if parts of the nick are normal chars [a-Z] (alpha) or numbers (integer). Read up on string <a href="http://www.tcl.tk/man/tcl8.4/TclCmd/string.htm" class="postlink">here</a>.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=24">greenbear</a> — Thu Jul 21, 2005 3:36 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[r0t3n]]></name></author>
		<updated>2005-07-21T15:19:33-04:00</updated>

		<published>2005-07-21T15:18:19-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52972#p52972</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52972#p52972"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52972#p52972"><![CDATA[
I don't understand what this string is alpha/integer/index is and what it does. Can someone explain? Then maybe I could start making such a script and test it.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=6300">r0t3n</a> — Thu Jul 21, 2005 3:18 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[Dizzle]]></name></author>
		<updated>2005-07-21T15:15:12-04:00</updated>

		<published>2005-07-21T15:15:12-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52970#p52970</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52970#p52970"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52970#p52970"><![CDATA[
Well, try it out tosser ^^, you're writing very intelligently, so it can be np for you <img class="smilies" src="https://forum.eggheads.org/images/smilies/icon_cool.gif" width="15" height="15" alt="8)" title="Cool"> <img class="smilies" src="https://forum.eggheads.org/images/smilies/icon_confused.gif" width="15" height="15" alt=":?" title="Confused"><p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=6156">Dizzle</a> — Thu Jul 21, 2005 3:15 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[r0t3n]]></name></author>
		<updated>2005-07-21T12:58:27-04:00</updated>

		<published>2005-07-21T12:58:27-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52967#p52967</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52967#p52967"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52967#p52967"><![CDATA[
<div class="codebox"><p>Code: </p><pre><code>###################################################################
#                                                                 #
# Coded by: Opposing (Fz@nexushells.net) - #nexushells @ DALnet   #
# Version: 1.0                                                    #
##                                                                #
# Description: Bankicks nicks who are suspicious of being         #
#              infected with w32.aplore@mm Trojan/Virus/Worm.     #
#              Translated from the Oz mirc addon.                 #
#                                                                 #
# Report bugs/suggestions to Fz at nexushells.net                 #
###################################################################
#
##############################
# Configurations start here: #
# __________________________ #

## Set the channels you want this script to work on.
## example: set aplore(chans) "#chan1 #chan2" (in lowercase)
set aplore(chans) ""

## Set the kick message.
set aplore(kmsg) "w32.aplore@mm Trojan/Virus/Worm Infected."

## Set, in minutes, ban time for this offence.
set aplore(btime) "30"

# Configurations end here. #
############################
#
######################################################################
# Code starts here, please do not edit anything unless you know TCL: #
# __________________________________________________________________ #

bind join - * aplore:kick

proc aplore:kick {nick uhost hand chan} {
 global aplore
 set aplorenick 0
 if {([string is alpha $nick]) || ([string match *\[-^`_\]* $nick]) || ([lsearch -exact $aplore(chans) [string tolower $chan]] == -1)} { return 0 }
 scan $uhost %\[^@\]@%s ident host
 if {([string match -nocase "*[set sident [string trimleft $ident ~]]*" $nick]) &amp;&amp; ([string is alpha [string range $nick 0 3]]) &amp;&amp; ([string is integer [string range $nick end-1 end]]) &amp;&amp; ([string is integer [string index $sident end]]) &amp;&amp; ([string index $ident 0] == "~")} {
  putquick "KICK $chan $nick :$aplore(kmsg)"
  putquick "MODE $chan +b *!*@$host"
  putlog "\002$nick\002!\002$ident\002 is infected with w32.aplore@mm."
 }
}

putlog "w32.aplore@mm bankick v1.0 by Opposing Loaded..."</code></pre></div>That's Sir_Fz's script. I don't understand what this string is alpha/integer/index is and does. But I guess it's a good way of detecting most trojan/drone users. But I guess I could make an array and do a string match $nick/$ident $array as well. Then add the nick/host/ident to a database and always make a removeme proc. If I did that, what do you think would be the best host type to add the host with? $nick!$uhost *!*@$host *!*$nick@$host or something. I guess not to use *!*@$host because innocent people will be more likely to be punished, so $nick!$uhost or *!$nick/$ident@$host. I'm not good at this; ip/hostname/host stuff confuses me (^-^).<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=6300">r0t3n</a> — Thu Jul 21, 2005 12:58 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[demond]]></name></author>
		<updated>2005-07-20T22:33:40-04:00</updated>

		<published>2005-07-20T22:33:40-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52953#p52953</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52953#p52953"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52953#p52953"><![CDATA[
<blockquote class="uncited"><div><blockquote class="uncited"><div>a signature could be used, by nick/username/gecos/ctcp version reply pattern</div></blockquote>What do you mean by a signature could be used to detect a trojan/drone user? And could a string and/or regexp on the ident and/or host detect if there are any numbers in the ident or any random idents? Also maybe a string match to detect any $decode messages. I don't know if any of this will work. I don't have a clue about using these to detect a random drone/possible trojan infected client. As far as I know, aspb only really kicks people with numbers and/or random ident/nick.</div></blockquote>a signature is a certain combination of characters that can be matched against, using for example Alchera's (and possibly Sir_Fz's, haven't looked at his code) regexp<br><br>however, that would work against naive drones only (by "drone" I mean an IRC client, automatically spawned from an infected host - most likely unsecured windows pc on a cable connection - by a virus or trojan)<br><br>I don't follow worm (virus/trojan) development, but AFAIK there are worms which are capable of generating nick/username/gecos in a pretty natural (pseudorandom) manner, rendering such regexp matching tools useless - and that's understandable, since from an algorithmic point of view, such a mechanism is fairly easy to implement (for example using a dictionary, with a simple permutation engine) - so even heuristic score assigning schemes (like mine in spambuster) would be pretty ineffective against that<br><br>if IRC anti-drone schemes/systems/tools still work, that's obviously because the majority of worm runners are (still) pretty dumb folks<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=5056">demond</a> — Wed Jul 20, 2005 10:33 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[Alchera]]></name></author>
		<updated>2005-07-20T20:54:41-04:00</updated>

		<published>2005-07-20T20:54:41-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52950#p52950</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52950#p52950"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52950#p52950"><![CDATA[
<div class="codebox"><p>Code: </p><pre><code># Take everything before the @ in user@host as the ident.
regexp {^([^@]+)} $uhost _ ident
if {[regexp -nocase {^[^aeiou_^-`]{5,}$} $nick] || [regexp {.*[0-9]} $ident] &amp;&amp; ([string length $ident] &gt; 4)} {
  # *** do stuff
}</code></pre></div>The above looks for consonant nicks and idents with numbers.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=3646">Alchera</a> — Wed Jul 20, 2005 8:54 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[r0t3n]]></name></author>
		<updated>2005-07-20T17:52:07-04:00</updated>

		<published>2005-07-20T17:52:07-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52947#p52947</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52947#p52947"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52947#p52947"><![CDATA[
That's a good script. But it only detects clients with the <strong class="text-strong">w32.aplore@mm</strong> trojan thing. I just need to know, if I do a scan on the nick and ident, if it would detect it's a drone/trojan client. Using regexp and some string match if-statements. To see if there are any numbers in the nick and/or host in certain places, if you know what I mean.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=6300">r0t3n</a> — Wed Jul 20, 2005 5:52 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[Alchera]]></name></author>
		<updated>2005-07-20T17:44:40-04:00</updated>

		<published>2005-07-20T17:44:40-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52946#p52946</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52946#p52946"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52946#p52946"><![CDATA[
<a href="http://forum.egghelp.org/viewtopic.php?t=9904" class="postlink">Sir_Fz's solution</a>. The end post. Works well and is a classic example of the famous KISS principle. <img class="smilies" src="https://forum.eggheads.org/images/smilies/icon_wink.gif" width="15" height="15" alt=":wink:" title="Wink"><p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=3646">Alchera</a> — Wed Jul 20, 2005 5:44 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[r0t3n]]></name></author>
		<updated>2005-07-20T14:00:27-04:00</updated>

		<published>2005-07-20T14:00:27-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52941#p52941</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52941#p52941"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52941#p52941"><![CDATA[
I know it's not 100%. Because innocent people could also be detected as a drone/trojan infected client and be punished. But then there will be a database. So they can message the bot saying 'im not infected' or something and get their host removed from the database. Chances are that most drones/trojan infected users will get detected and punished. Also maybe a string match "*$decode*" $text] could also detect $decode messages.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=6300">r0t3n</a> — Wed Jul 20, 2005 2:00 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[Dizzle]]></name></author>
		<updated>2005-07-20T13:54:36-04:00</updated>

		<published>2005-07-20T13:54:36-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52939#p52939</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52939#p52939"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52939#p52939"><![CDATA[
Don't think it's possible to 100% clear your channel from drones/trojans etc.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=6156">Dizzle</a> — Wed Jul 20, 2005 1:54 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[r0t3n]]></name></author>
		<updated>2005-07-20T13:46:17-04:00</updated>

		<published>2005-07-20T13:46:17-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52937#p52937</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52937#p52937"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52937#p52937"><![CDATA[
<blockquote class="uncited"><div>a signature could be used, by nick/username/gecos/ctcp version reply pattern</div></blockquote>What do you mean by a signature could be used to detect a trojan/drone user? And could a string and/or regexp on the ident and/or host detect if there are any numbers in the ident or any random idents? Also maybe a string match to detect any $decode messages. I don't know if any of this will work. I don't have a clue about using these to detect a random drone/possible trojan infected client. As far as I know, aspb only really kicks people with numbers and/or random ident/nick.<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=6300">r0t3n</a> — Wed Jul 20, 2005 1:46 pm</p><hr />
]]></content>
	</entry>
		<entry>
		<author><name><![CDATA[metroid]]></name></author>
		<updated>2005-07-20T09:13:01-04:00</updated>

		<published>2005-07-20T09:13:01-04:00</published>
		<id>https://forum.eggheads.org/viewtopic.php?p=52929#p52929</id>
		<link href="https://forum.eggheads.org/viewtopic.php?p=52929#p52929"/>
		<title type="html"><![CDATA[Antipjen-drone script]]></title>

		
		<content type="html" xml:base="https://forum.eggheads.org/viewtopic.php?p=52929#p52929"><![CDATA[
<blockquote class="uncited"><div>this is pathetic (just like all qnet stuff btw, we all know qnet is lame <img class="smilies" src="https://forum.eggheads.org/images/smilies/icon_razz.gif" width="15" height="15" alt=":P" title="Razz"> qnet people please don't jump on me now hehe)</div></blockquote>Hey!<p>Statistics: Posted by <a href="https://forum.eggheads.org/memberlist.php?mode=viewprofile&amp;u=5078">metroid</a> — Wed Jul 20, 2005 9:13 am</p><hr />
]]></content>
	</entry>
	</feed>
