Drones/dcc expolit...

EEggy · Post by **EEggy** » Thu Dec 25, 2003 1:36 pm

Hi,
i am using version script to check the version onjoin, so bot can ban the drones, since they usually reply for the versions, but script doesn't version on every user, it skips the users, so after adding the +rv console flags, i found that's server, it saYS "target change too fast..."
so is there anyway how to ban the drones, since version thing didn't work? any otherway? please advise.

2nd: usually we see some users join the channel and we see -> DCC Send from nick rejected (invalid parameters), dcc expolit stuff, how do we ban them, i mean using the script so bot can ban them? when they join the channel.

thanks

Post by **caesar** » Thu Dec 25, 2003 4:01 pm

1. That means he version's too many people in a short time. Make an *join flood* protection for it or something. If more than x people have joined in y seconds stop checking for version for z seconds.

As for the second, try this:

Code: Select all

bind CTCP - DCC handle:exploit 
proc handle:exploit {nick uh hand dest key arg} { 
  if {[regexp {(SEND|RESUME).*"(?:[^" ]*\s){32}.*$} $arg]} { 
    # Trying to exploit us - Kick or ban here 
    return 1 
  } 
  # non exploit, continue as normal 
  return 0 
}

thanks to ppslim for the code

You should do use sometimes the Search feature of the forum, will help you a lot.

EEggy · Post by **EEggy** » Thu Dec 25, 2003 6:39 pm

thanks caesar, i have tried these codes but no luck..

Code: Select all

bind CTCP - DCC handle:exploit 

proc handle:exploit {nick uh hand dest key arg} { 
   if {[regexp {(SEND|RESUME).*"(?:[^" ]*\s){32}.*$} $arg]} { 
      scan $uh {%*[^@]@%s} host
      newban *!*@$host Exploit "dcc exploit..." 3d 
   } 
  
}

thanks

Post by **caesar** » Thu Dec 25, 2003 7:23 pm

No luck as in.. ? Be more specific please. Also, don't remove the returns, leave them there.

EEggy · Post by **EEggy** » Thu Dec 25, 2003 10:03 pm

sorry, i mean didn't work, i don't see any error, but no results

and first part, since server says "target change too fast..", is there anyway i can check certain nicks, like nicks with numbers, \, brackets like [ or ]

like kimmy|, sophie\, sophie], sophie[, brandi\, tommyy``

nicks with "\" are 99.999999% are drones, if you do ctcp nick finger or version, you get the reply with spam

and nicks with one digit numbers are also drone 99.99999% like ->kelly2

thanks

Post by **caesar** » Fri Dec 26, 2003 11:04 am

1.
Well, If I recall corecttly there was an post like yours about the drones and weird nicks long time ago and someone had posted some code that was working like a charm.

Do a lil forum Search.

2. Since there are two ways to exploit this I guess they are using the other method to send that fake DCC SEND. One is captured by the CTCP and the other by an raw PRIVMSG bind (if I'm not wrong).

EEggy · Post by **EEggy** » Fri Dec 26, 2003 10:47 pm

Thank you caesar, i have searched the forum, but couldn't find the script, that will be great if you can point one.

thank you

Post by **caesar** » Sat Dec 27, 2003 4:47 am

Try this:

Code: Select all

bind raw - PRIVMSG raw:exploit

proc raw:exploit {from keyword args} {
  set args [string trim $args "{}"]
  if {[regexp {(SEND|RESUME).*"(?:[^" ]*\s){32}.*$} $args]} { 
    set banmask *!*@[lindex [split $from @] 1]
    set chan [lindex [split $args] 0]
    newchanban $chan $banmask Exploit "DCC Exploit" 3d
  }
}

EEggy · Post by **EEggy** » Sat Dec 27, 2003 10:48 am

Thanks caesar it worked.

may be some regexp expert can help me this.

i need a regexp for the following

if nick has just one digit at the end, like gina5, tina9, tom4..
if nick has these brackets at the end like gina[, tina]..
if nick has ` at the end, like gina`, tina`..
if nick has the slashes at the end like gina\, tina\
if nick has ^ at the end like gina^, tina^

if i get the rexexp for the above then i can check the version for just these, because mostly drones used the above nick format

Thank you

Post by **caesar** » Sat Dec 27, 2003 11:01 am

Check this post. Maybe it will help you or something..

EEggy · Post by **EEggy** » Sun Dec 28, 2003 3:00 am

Thanks caesar.

I've found the following finger script from this forum to find the drones, and they usually reply with "hi", "ctc", "salut", "greetings"...etc
it 's doing FINGER part fine, and i see the reply as well...but its not kicking/baning.

Code: Select all

bind join - "#testing *" send:finger 
proc send:finger {n uh hand chan} { 
set l [string length $n] 
set n1 [string tolower $n] 
if {($l > 3) ||  ([string match "*baby*" $n1]) || ([string match "*lady*" $n1]) || ([string match "*girl*" $n1])} { 
puthelp "PRIVMSG $n :\001FINGER\001" 
} 
} 

bind ctcr - FINGER check:finger 
proc check:finger {nick uh hand dest key arg} { 
if {![isbotnick $dest]} { retrun } 
set arg1 [string tolower $arg] 
if {([string match "*greetings*" $arg1]) || ([string match "*hi*" $arg1])} { 
foreach chan [channels] { 
putserv "MODE $chan +b [maskhost "${nick}!${uh}"]" 
putserv "KICK $chan $nick :Auto Banned: Recognised CTCP Finger Reply" 
} 
} 
}

here is the finger reply.
*** baby (~elise75@ts46-02-qdr609.porch.wa.charter.com) has joined #testing
<TBOT> [14:45] [baby!~elise75@ts46-02-qdr609.porch.wa.charter.com] greetings

thanks

Post by **caesar** » Sun Dec 28, 2003 4:19 am

And why just don't you do a finger to the entire channel from time to time and ban the ones that respond with what you want? This way will be a lot easier.. I think.

EEggy · Post by **EEggy** » Sun Dec 28, 2003 12:23 pm

yeah thanks caesar, but the problem is, why the above script didn't work, may be "ctcr" bind has something wrong?
may be when it does finger, the reply is in like msg? that's why..another bind needed..? drones reply with the msg like as follow..
here is the finger reply.
*** baby (~elise75@ts46-02-qdr609.porch.wa.charter.com) has joined #testing
<TBOT> [14:45] [baby!~elise75@ts46-02-qdr609.porch.wa.charter.com] greetings

and "ctcr: bind is looking the reply format like
[test FINGER reply]: test?? (test@test.com) Idle 662 seconds

thanks

laynuks · Post by **laynuks** » Sun Feb 01, 2004 4:34 am

caesar wrote:Try this:

Code: Select all

bind raw - PRIVMSG raw:exploit

proc raw:exploit {from keyword args} {
  set args [string trim $args "{}"]
  if {[regexp {(SEND|RESUME).*"(?:[^" ]*\s){32}.*$} $args]} { 
    set banmask *!*@[lindex [split $from @] 1]
    set chan [lindex [split $args] 0]
    newchanban $chan $banmask Exploit "DCC Exploit" 3d
  }
}

Hi caesar how can change the line "newchanban $chan $banmask Exploit "DCC Exploit" 3d
" with the undernet @X command " /msg x ban #channel $nick " coz some dcc exploiter do not hit the ops but only users that are not ops coz they know some eggdrop has tcl script that will ban them from the channel.

Post by **caesar** » Sun Feb 01, 2004 11:38 am

EEggy : try this code:

Code: Select all

bind join - "#testing *" send:finger 

proc send:finger {nick uhost hand chan} { 
  if {([string length $nick] > 3) || ([string match -nocase "*baby*" $nick]) || ([string match -nocase "*lady*" $nick]) || ([string match -nocase "*girl*" $nick])} { 
    puthelp "PRIVMSG $nick :\001FINGER\001" 
  } 
} 

bind ctcr - FINGER check:finger 

proc check:finger {nick uhost hand dest key text} { 
  if {![isbotnick $dest]} {
    retrun
  }
  if {([string match -nocase "*greetings*" $text]) || ([string match -nocase "*hi*" $text])} { 
    foreach chan [channels] {
      putserv "MODE $chan +b [maskhost $uhost]" 
      putserv "KICK $chan $nick :Auto Banned: Recognised CTCP Finger Reply" 
    } 
  } 
}

laynuks : and what's the point to add them thru X when the person behind the atack may do a whois on all users of the channel and see your logged in eggy and won't try to exploit him next time? better transmit the ban to another master bot in the channel to do that ban thing and it will be hidden for the atacker.