egghelp/eggheads community

Botnet documentation

2003-04-06T10:40:25-04:00

Code:

passreq <72303e8f308a@Lamestb2t>

Its used for sending the botnet password over securely to the other bot. Its basically random data to the linking bot, but not random to the bot that is being linked to.

You use it to compute a md5sum of the password and that data. This way the md5sum you send back is not the same the next time you link because the challenge data will have changed.

This is kinda like the APOP method for POP3.

Statistics: Posted by guppy — Sun Apr 06, 2003 10:40 am

Botnet documentation

2003-04-05T16:34:01-04:00

I'm wondering what the 3 follow packets structures are:

Code:

passreq <72303e8f308a@Lamestb2t>

whats the 72303e8f308a mean?

Code:

el

Code:

idle Lamestb2t 8 71

Statistics: Posted by Guest — Sat Apr 05, 2003 4:34 pm

..

2002-08-13T11:27:20-04:00

special 10x man
..
but can you send me all commandz that you know to my mail .. ?
(* MAIL: h4cf0r@abv.bg *)

Statistics: Posted by Guest — Tue Aug 13, 2002 11:27 am

Botnet documentation

2002-08-13T11:25:07-04:00

Used to state when a new bot has joined the botnet.

Command is in the format of
j

= the botnick of the bot sending the message

= the botnick of the bot that has just linked in

= can't remember
= The base64 encoded socket number (note, this is not normal BASE64, and I have yet o to convert the above Tcl to miIRC, so I can convert the socket numbers)
= A vanity host, that is displayed in a .dccstat

Statistics: Posted by ppslim — Tue Aug 13, 2002 11:25 am

..

2002-08-13T11:15:44-04:00

ok tell me for what is "j" ?!

Statistics: Posted by Guest — Tue Aug 13, 2002 11:15 am

Botnet documentation

2002-08-13T11:13:23-04:00

As stated in the PM reply, there is no documentation.

If you had bothered to read the first question in this thread (the page you are reading now), you will see the same question, and the answer too it.

Simply ask a specific question, and people may look into it. Asking broad questions takes too much time, thus people are reluctant to answer.

Look at the script above, and you will see how eggdrop requests information from another bot. If not, simply changing the above code to display more output should tell you what is sent when, and why.

Statistics: Posted by ppslim — Tue Aug 13, 2002 11:13 am

..

2002-08-13T10:02:39-04:00

Yeap thats good..
but can you mail me a text file with all commandz for the botnet linking ?

Statistics: Posted by Guest — Tue Aug 13, 2002 10:02 am

Botnet documentation

2002-08-13T09:42:59-04:00

Here is my current mirc script. I use this to link to eggdrop, so I can debug a Tcl script I am currently making (well, I have been saying that for the past 8 months).

It will link the bot to the botnet, handing the correct information to get the link in place. It will respond to compulsuory commands (pings) to keep the link established.

My Tcl script also relies on 3 other Tcl based bots, which I can't start on, until the first is complete, so there is also a quick hack, to fake the other 3 bots presence.

Code:

alias F2 {  sockopen egg123 $$?="Host" $$?="port"}alias cF2 {  aline 8 @ $+ %eggsocktempsock Added user  #sockwrite -n %eggsocktempsock j services loging A *A looking@what.you.are.doing.log  #sockwrite -n %eggsocktempsock j services security A *B bouncer@the.door.wants.to.knock.you.out  #sockwrite -n %eggsocktempsock j services linkbrige A *C bridge@link.abc.def.=blowfish.+Ji7d0dvs7bh9j34s5ffn  #sockwrite -n %eggsocktempsock j services talkbrige A *D bridge@link.def.abc.=blowfish.+gdh6d7ghdfs0ddd3fnj9  sockwrite -n %eggsocktempsock n logging services !D8Ji  sockwrite -n %eggsocktempsock n chatserv services !D8Ji  sockwrite -n %eggsocktempsock j chatserv chatuser A @Z chat@services.chat.space.1}alias cF3 {  sockwrite -n %eggsocktempsock n testing services ! $+ $$?="h"}alias sF2 {  set %eggtempd $$?="data"  sockwrite -n %eggsocktempsock %eggtempd  aline 6 @ $+ %eggsocktempsock %eggtempd  unset %eggtempd}alias eggdropinput {  return 0}on 1:input:@egg*:{  if ($left($1,1) == .) {    if ($eggdropinput($left($1-,-1)) == 1) {      halt    }  }  aline 6 @ $+ %eggsocktempsock CHAT: $1-  sockwrite -n %eggsocktempsock c chatuser@chatserv A $1-}on 1:sockopen:egg*:{  window -e @ $+ $sockname  aline 4 @ $+ $sockname Opened eggdrop socket $sockname  set %eggsocktempsock $sockname  sockmark $sockname debug}on 1:sockread:egg*:{  sockread %eggsocktemp  var %in 1  while ($sockbr != 0) {    if (%in > 1) {      sockread %eggsocktemp    }    if (%eggsocktemp == $null) return    if ($right(%eggsocktemp,9) == nickname.) {      sockwrite -n $sockname services      aline 5 @ $+ $sockname : Sending handle: Services    }    set %thiseggsock $sockname    if ($sock($sockname).mark == debug) {      aline -p @ $+ $sockname $sockname $+ : %eggsocktemp    }    if ($eggdropcommand($sockname, %eggsocktemp) != $null) {      aline -p 5 @ $+ $sockname : $ifmatch    }    inc %in  }}on 1:sockclose:egg*:{  aline 4 @ $+ $sockname Eggdrop closed the connection $sockname}alias eggver {  if ($1 == 1.0.0.0) { return D0JA }}alias eggdropcommand {  tokenize 32 $2-  if ($1 == tb) {    sockwrite -n $sockname tb services    sockwrite -n $sockname n chatserv services - $+ $eggver(1.0.0.0)    sockwrite -n $sockname j chatserv chatuser A @J chatuser@chatserv.services.egg.net    sockwrite -n $sockname i chatserv J S9    return Connected to $2  }  if ($1 == *bye) {    return Disconnection from botnet  }  if ($1 == version) {    sockwrite -n $sockname version 2000199 9 ServDrop v2.0.1 beta   }  if ($1 == passreq) {    sockwrite -n $sockname aabbccdd    return Password sent  }  if ($1 == *hello!) {    sockwrite -n $sockname  *hello!  }  if ($1 == pi) {    sockwrite -n $sockname po    return Ping, Pong  }  if ($1 == c) {    return 8< $+ $2 $+ > $4-  }  if ($1 == el) {    sockwrite -n $sockname el  }  if ($1 == pt) {    return *** ( $+ $2 $+ ) $3 has left the partyline ( $+ $5- $+ )  }  if ($1 == po) {    return Pong, Ping :P  }  return $null}

You will need to add a bot record on the eggdrop, for a bot called services, and give ti a password of aabbccdd.

Once done, and this script is loaded in mIRC, you can hit the F2 key (you may need to change the scritp aropund a bit if your keys are allready mapped). You enter the hostname of the bot, and the port in use for linking. mIRC will link to the bot. A debug window will open with all the information you require once linked.

Statistics: Posted by ppslim — Tue Aug 13, 2002 9:42 am

Yeah Cool..I need help 2 :}

2002-08-13T09:29:35-04:00

I`m working on a project like the project of Sady...
But with [censored]`n mIRC
...
I make some shitz ..
I see some commandz with sniffer when a link my botz :}}}}}
..but I can`t make my bot to link to eggdrop
becouse :
handshake
...
but I don`t know how is encrypting this [censored] Some-Crypted-[censored] or with what KEY is it crypting it..
if some one can help me..
mail me at h4cf0r@abv.bg
:}
I had make all shitz over 3 days..
today is my 4 day and my computer is not working for not more then 24 hours..nevermind..but if some one can help
pleeeeeeeeeeaseeeeeeee help!
hey
if some one want to help me..contact me...you will need to know just little bit of mirc scripting..
if you don`t know any mirc scripting..you can be a betta tester..
please...
thanks in advance!!!

Statistics: Posted by Guest — Tue Aug 13, 2002 9:29 am

this might work

2002-07-16T01:35:23-04:00

I just saw this tonight and figured what the heck ... I think this works :)

Ack, I discovered a bug when I linked a testbot into Eggdrop .. int_to_base64 1061103 was returning DDvE instead of EDDv. The fix was simple, change:

Code:

foreach {key value} [array get buf_base64] {append output $value}

to:

Code:

foreach {key} [lsort -integer [array names buf_base64]] {append output $buf_base64($key)}

Working code:

Code:

set base64to [list \0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \0 0 0 0 0 0 0 0 52 53 54 55 56 57 58 59 60 61 0 0 \0 0 0 0 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 \15 16 17 18 19 20 21 22 23 24 25 62 0 63 0 0 0 26 27 28 \29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 \49 50 51 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]set tobase64 [list \A B C D E F G H I J K L M \N O P Q R S T U V W X Y Z \a b c d e f g h i j k l m \n o p q r s t u v w x y z \0 1 2 3 4 5 6 7 8 9 \[ \]]proc base64_to_int {str} {set x 0for {set i 0} {$i < [string length $str]} {incr i} {set x [expr $x << 6]set x [expr $x + [lindex $::base64to [scan [string index $str $i] "%c"]]]}return $x}proc int_to_base64 {val} {set i 11if {!$val} {return [lindex $::tobase64 0]}while {$val} {incr i -1set buf_base64($i) [lindex $::tobase64 [expr $val & 0x3f]]set val [expr $val >> 6]}foreach {key} [lsort -integer [array names buf_base64]] {append output $buf_base64($key)}return $output}

Working example:

Code:

% set base64 [int_to_base64 1061103]EDDv% puts [base64_to_int $base64]1061103

someone might be able to come up with a better version than this though. I wrote it in about 10 minutes w/ several minutes spent actually debugging it.

Statistics: Posted by guppy — Tue Jul 16, 2002 1:35 am

Botnet documentation

2002-04-18T13:06:00-04:00

I would ask that some1 can produce some Tcl, or other code (or just the math) that converts eggdrop's non-standard version of BASE64, rather than me spending 3 1/2 hours to convert version numbers.

I have a basic guide to get a connection made, and working. Sending messages, and what not. How to make commands go to the correct destination.

The IDX of a connection is sent in BASE64 format, and this is where I need this conversion.

Can you help guppy?

Looking in the code, I can see how C does it, but I aint got a bloody clue how to do it in another language. If I can see it done on paper, I can replicate it in any language I like.

Statistics: Posted by ppslim — Thu Apr 18, 2002 1:06 pm

Botnet documentation

2002-04-16T18:26:00-04:00

I may make a doc before the next release if I get time.

Wcc

Statistics: Posted by Wcc — Tue Apr 16, 2002 6:26 pm

Botnet documentation

2002-04-16T14:22:00-04:00

I'm also interested in that. Some months ago I asked for an RFC, but the response was the same.

So I have my own list with some commands that can be useful.

Statistics: Posted by Guest — Tue Apr 16, 2002 2:22 pm

Botnet documentation

2002-02-21T18:53:00-04:00

If you make a doc, I'd love to see it And/or if you need some help with the botnet protocol .. I can help via e-mail and perhaps work on a document together.

Jeff

Statistics: Posted by guppy — Thu Feb 21, 2002 6:53 pm

Botnet documentation

2002-02-21T17:15:00-04:00

afaik, nobody has ever documented the botnet protocol eggdrop uses. its easy to work out though. enable console debug in conf, and set your console +th to see what their traffic is, then experiment to see how they transfer info about everything.

Statistics: Posted by Petersen — Thu Feb 21, 2002 5:15 pm