egghelp/eggheads community

Detecting users with normal ips and vhost ips

2007-05-14T01:50:17-04:00

This is the complete tested script. Works efficiently to determine vhosts against normal ip addresses. Also added a DNS function in normal ips to check for vhosts if they are not resolved on the ircd.

Code:

 global unresolved_vhost #setting variables set uhost [lindex [split $host @] 1] set tld [lindex [split $uhost "."] [expr [llength [split $uhost "."]] - 1]] set domain [lindex [split $uhost "."] [expr [llength [split $uhost "."]] - 2]] set nodomaintld [string map {" " "."} [lrange [split $uhost "."] 0 [expr [llength [split $uhost "."]] - 3]]] set numbers [regexp -all {[0-9]} $uhost] set alphabets [regexp -nocase -all {[a-z]} $uhost] set totalchar [expr $numbers + $alphabets] set numbersper [expr (($totalchar - $alphabets) * 100) / $totalchar] if {[info exists vhost_ip]} { unset vhost_ip } #vhosts with no numbers if {[string equal "0" $numbersper] && [string equal "0" [regexp -all {[0-9]} $uhost]] && ([regexp -all {\-} $domain] <= 2) && ([regexp -all -nocase {[a-z]} $nodomaintld] >= 5) && [regexp -nocase {com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk|ws} $tld]} {   set vhost_ip 1 } #vhosts with numbers if {($numbersper >= 1) && ($numbersper <= 8) && ([regexp -all {\-} $domain] <= 2) && ([regexp -all {[0-9]} $domain] <= 2) && ([regexp -all {\-} $nodomaintld] <= 1) && ([regexp -all -nocase {[a-z]} $nodomaintld] >= 5) && [regexp -nocase {com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk|ws} $tld]} {   set vhost_ip 1 } if {![info exists vhost_ip]} { #ip address in (0.0.0.0 - 255.255.255.255 range) - can be unresolved vhost  if {([string length [string map {"." ""} $uhost]] <= 12) && [string equal "3" [regexp -all {\.} $uhost]] && [string equal [string length [string map {"." ""} $uhost]] [regexp -all {[0-9]} $uhost]] && [string equal "0" [regexp -all -nocase {[a-z]} $uhost]] && [regexp {^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$} $uhost] && [string equal "0" [regexp -all -nocase {[a-z]} $uhost]] || [string equal "100" $numbersper] && [regexp {^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$} $uhost]} {   if {[info exists unresolved_vhost]} { unset unresolved_vhost }   #check for unresolved vhost   dnslookup $uhost ip_address_output $uhost    if {[info exists unresolved_vhost]} {     unset unresolved_vhost     #do stuff    } #ip address in domain format } elseif {([string length [string map {"." ""} $uhost]] >= 18) && ($numbersper >= 20) && [string equal "0" [regexp -all {\-} $domain]] && [string equal "0" [regexp -all {[0-9]} $domain]] && ([regexp -all {\-} $nodomaintld] >= 1) && ([regexp -all -nocase {[a-z]} $nodomaintld] >= 8)} {    #do stuff       }}proc ip_address_output {ip host status addr} { global unresolved_vhost set uhost [expr {([string match -nocase *$ip* $addr])?$host:$ip}] set tld [lindex [split $uhost "."] [expr [llength [split $uhost "."]] - 1]] set domain [lindex [split $uhost "."] [expr [llength [split $uhost "."]] - 2]] set nodomaintld [string map {" " "."} [lrange [split $uhost "."] 0 [expr [llength [split $uhost "."]] - 3]]] set numbers [regexp -all {[0-9]} $uhost] set alphabets [regexp -nocase -all {[a-z]} $uhost] set totalchar [expr $numbers + $alphabets] set numbersper [expr (($totalchar - $alphabets) * 100) / $totalchar] if {[info exists $status] && [string equal "0" $numbersper] && [string equal "0" [regexp -all {[0-9]} $uhost]] && ([regexp -all {\-} $domain] <= 2) && ([regexp -all -nocase {[a-z]} $nodomaintld] >= 5) && [regexp -nocase {com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk|ws} $tld]} {  set unresolved_vhost 1 } else {    return   }}

Statistics: Posted by awyeah — Mon May 14, 2007 1:50 am

Detecting users with normal ips and vhost ips

2007-05-13T04:23:38-04:00

After doing a survey I found:
Vhosts have percentage of alphabets like 92% and numbers like 8%, while regular hosts have about percentage of numbers like 40% or more.

Here is the current solution I derived for determining vhosts against normal ip addresses: (not valid if vhosts are not resolved on the ircd)

Code:

set tld [expr [llength [lindex [split $uhost @] 1]] - 1]set domain [expr [llength [lindex [split $uhost @] 1]] - 2]set tlduhost [lrange [split $uhost "."] 0 [expr $tld - 1]]set notlduhost [string map {" " ""} $tlduhost]set numbers [regexp -all {[0-9]} $uhost]set alphabets [regexp -nocase -all {[a-z]} $uhost]set totalchar [expr $numbers + $alphabets]set numbersper [expr (($totalchar - $alphabets) * 100) / $totalchar]#vhosts with no numbersif {[string equal "0" [regexp -all {[0-9]} $uhost]] && ([regexp -all {\-} [lindex [split $uhost "."] $domain]] <= 2) && ([regexp -all -nocase {[a-z]} $notlduhost] >= 5) && [regexp -nocase {com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk} [lindex [split $uhost "."] $tld]]} {#do stuff}#vhosts with numbersif {($numbersper <= 8) && ([regexp -all {\-} [lindex [split $uhost "."] $domain]] <= 2) && ([regexp -all {[0-9]} [lindex [split $uhost "."] $domain]] <= 2) && ([regexp -all {\-} [lrange [split $uhost "."] 0 [expr $domain - 1]]] <= 1) && ([regexp -all -nocase {[a-z]} $notlduhost] >= 5) && [regexp -nocase {com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk} [lindex [split $uhost "."] $tld]]} {#do stuff}#ip address in (0.0.0.0 - 255.255.255.255 range)if {([string length $uhost] <= 15) && [string equal "3" [regexp -all {\.} $uhost]] && [string equal [string length [string map {"." ""} $uhost]] [regexp -all {[0-9]} $uhost]] || [regexp {^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$} $uhost]} {#do stuff}#ip address in domain formatif {([string length [string map {"." ""} $uhost]] >= 18) && ($numbersper >= 30) && [string equal "0" [regexp -all {\-} [lindex [split $uhost "."] $domain]]] && [string equal "0" [regexp -all {[0-9]} [lindex [split $uhost "."] $domain]]] && ([regexp -all {\-} [lrange [split $uhost "."] 0 [expr $domain - 1]]] >= 1) && ([regexp -all -nocase {[a-z]} $notlduhost] >= 8)} {#do stuff}

Edit: I haven't really tested these logics yet for accuracy

Statistics: Posted by awyeah — Sun May 13, 2007 4:23 am

Detecting users with normal ips and vhost ips

2007-05-11T13:15:42-04:00

Since we're not dealing with HostServ based vhosts, this means that there's really no difference between vhosts and other hosts. I think you're rather looking for a DNS-pollution scanner.
A few good links on the subject:
http://www.dnsspam.nl/, http://www.nl.ircnet.org/hostname-rules.html.
Also might wish to inspect dnsspam.tcl which uses spamcalc to determine the grade of pollution of the hostname.

Statistics: Posted by nml375 — Fri May 11, 2007 1:15 pm

Detecting users with normal ips and vhost ips

2007-05-11T10:20:10-04:00

Code:

[regexp {^[^0-9]} $host]

Means that the first character in $host is not a number.

Code:

[regexp {[a-zA-Z]} $host]

Means that $host contains an alphabet.
So it can simply be replaced with

Code:

[regexp {[^0-9]} $host]

If there's no numbers, then they're definitely alphabets (with '.' and perhaps '-').

Statistics: Posted by Sir_Fz — Fri May 11, 2007 10:20 am

Detecting users with normal ips and vhost ips

2007-05-11T08:45:15-04:00

Code:

[regexp {^[^0-9]} $host] && [regexp {[a-zA-Z]} $host] && [regexp {\.(com|net|org|info|biz|tk)$} $host]#this would be for hosts with alphabets and no numbers#my next situation would be for determining with numbers as well, maybe take the percentage of numbers in the vhost along with the length of the alphabets present in the host, and comparing it with a certain number which i will observe by looking at most vhosts of certain shell companies :)

This should be the current simplest logic. I'll find a more suitable solution, by looking at vhosts carefully and try to detect the most best setting for matching vhosts over regular ip addresses. I'll follow up the code and include it within this post for other users to see and utilize.

The problem with gathering shell box ranges for various shell providers, would be a very trivial task and tidious, since they are just too many.. and HostServ is not used on DALnet, which is the network I use.

I appreciate everyone for their help and contribution. Thanks.

Statistics: Posted by awyeah — Fri May 11, 2007 8:45 am

Detecting users with normal ips and vhost ips

2007-05-11T07:53:35-04:00

This basically works that, vhosts only contains alphabets with small and upper cases and no numbers. Since virtual hosts normally contain alphabets and no numbers. If so numbers are present only 1 minmum to 3 maximum.
Code:
regexp {^[^0-9]*[a-zA-Z]$} $host]
Anyway, thanks for all the suggestions.. I'll give them a go

Actually, this matches any number of non-numeric characters, followed by one alphabetic character.

Yes we can check if virtual hosts resolve to an ip, but also we would need to check if they reverse-dns also resolves? right?

Unless they use HostServ vhosts (which are not ip-based at all), a reverse-dns of the ip would most likely return the same hostname as seen on irc, with the rare exception when an ircd would use it's own dns-server with "bogus" entries for *.in-addr.arpa.

In the case of "normal" vhosts, I guess your best bet would be to gather network-ranges that are confirmed vhosts, do a dns-lookup on the suspected hostname, and see if the resulting ip matches any known vhost net.

Statistics: Posted by nml375 — Fri May 11, 2007 7:53 am

Detecting users with normal ips and vhost ips

2007-05-11T04:43:18-04:00

Here are some examples of virtual hosts:

Code:

64.18.135.148 ==> search.on.g0ogle.be64.18.135.149 ==> get.me.bill.gatesweb.info64.18.135.150 ==> halloween.gh0strider.be64.18.135.151 ==> got.girls4uboys.com64.18.135.152 ==> trust.godhost.us64.18.135.153 ==> idiots.gothacked.biz64.18.135.154 ==> are.you.h0m0.net64.18.135.155 ==> come.here.to.have-my.info64.18.135.156 ==> mess.with.me.if.you.want.hellentry.com64.18.135.157 ==> whats.his-real.name64.18.135.158 ==> w.hore.be64.18.135.159 ==> amd.vs.intel.st64.18.135.160 ==> dont.even.dare.to.ban.my.ip-address.be64.18.135.161 ==> smart.ircnoob.com64.18.135.162 ==> you.are.lag.in64.18.135.163 ==> this.is.leet.la64.18.135.164 ==> only.me.no-u.be64.18.135.165 ==> shoutcast.is.nullsoft.be64.18.135.166 ==> lets.talk.about.ourmeetings.net64.18.135.167 ==> you.must.be.outofmind.be64.18.135.168 ==> its.time.to.ping-timeout.be64.18.135.169 ==> group.of.rappers.cc64.18.135.170 ==> your.secrets.are.recorded.be64.18.135.171 ==> dont.worry.you.are.secure.la64.18.135.172 ==> you.are.just.another.sh1tbox.com64.18.135.173 ==> be.my.shad0w.be64.18.135.174 ==> her.nightie.is.made.of.silk.com64.18.135.175 ==> she.is.one.of.the.top-escort.nl64.18.135.176 ==> are.you.virgine.ws

Yes we can check if virtual hosts resolve to an ip, but also we would need to check if they reverse-dns also resolves? right?

Statistics: Posted by awyeah — Fri May 11, 2007 4:43 am

Detecting users with normal ips and vhost ips

2007-05-11T03:01:08-04:00

This basically works that, vhosts only contains alphabets with small and upper cases and no numbers. Since virtual hosts normally contain alphabets and no numbers. If so numbers are present only 1 minmum to 3 maximum.

Code:

regexp {^[^0-9]*[a-zA-Z]$} $host]

Anyway, thanks for all the suggestions.. I'll give them a go

Statistics: Posted by awyeah — Fri May 11, 2007 3:01 am

Detecting users with normal ips and vhost ips

2007-05-10T22:03:23-04:00

vhost are usually resolved so why dont you check if the ip is really a resolving ip?

Code:

if {[regexp {\@(\d+\.\d+\.\d+\.\d+)$} $uhost tmp host]} {# is not a resolving ip; where host is the original uhost.}

Statistics: Posted by honeybee — Thu May 10, 2007 10:03 pm

Detecting users with normal ips and vhost ips

2007-05-10T08:58:40-04:00

It would be helpful to know what characteristics these vhosts have (that is, how are they different from real hosts)?
As for simplifying the code in your first post, considder using this:

Code:

if {[lindex [split $uhost "@"] 1]] && [regexp {\.(com|net|org)$} $uhost]} {return 0}

(list of tld's trunkated to make it easier to read).

Also, I am not sure what you try to accomplish with the first regular expression, although using ![regexp ....] is abit easier than [string equal "0" [regexp...]]

Statistics: Posted by nml375 — Thu May 10, 2007 8:58 am

Detecting users with normal ips and vhost ips

2007-05-10T03:52:17-04:00

That is also a good logic, but im concerned when hosts are not always in the format of numbers. They are also in the format like:

Code:

chaos@179.13.95.219.kmr01-home.tm.net.mykarrde@bzq-88-153-115-56.red.bezeqint.net~plamen@87-126-143-181.btc-net.bgnet@dsl-201-219-71-82.users.telpin.com.arrichardw@M263P003.adsl.highway.telekom.atNem@dslb-084-056-241-131.pools.arcor-ip.net~jjkola@cable-roi-fff8dd00-151.dhcp.inet.fi

When they include numbers both together with alphabets. Anything suggested for situations like this?

Statistics: Posted by awyeah — Thu May 10, 2007 3:52 am

Detecting users with normal ips and vhost ips

2007-05-10T03:47:16-04:00

If a host ends with a number then it's an IP else it's a hostname:

Code:

if {[string is integer [string index $host end]]} {# IP} {# Vhost}

Statistics: Posted by Sir_Fz — Thu May 10, 2007 3:47 am

Detecting users with normal ips and vhost ips

2007-05-09T22:58:01-04:00

What would be a good way of determining normal ip users, against people using vhosts??

Currently came up with this:

Code:

set host [lindex [split $uhost @] 1]set tld [expr [llength [lindex [split $uhost @] 1]] - 1]if {[string equal "0" [regexp {^[^0-9]*[a-zA-Z]$} $host]] && [regexp {com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk} [lindex [split $host "."] $tld]]} { return 0 }

All suggestions would be appreciated.

Statistics: Posted by awyeah — Wed May 09, 2007 10:58 pm