Antipjen-drone script

r0t3n
Owner
Posts: 507
Joined: Tue May 31, 2005 6:56 pm
Location: UK

Post by r0t3n »

OK. I'm using aspb.tcl by am and arou, but there are always problems with the database. It connects, then after 1 minute or so it's not connected, and then it doesn't reconnect again. So, I'm asking for someone to help me make an antipjen-drone script to release so other peeps can use it. Not like Tcl scripters who don't make their scripts public. If anyone could help me I will be really grateful. So will other eggdrop and maybe botservice providers.

Please help with this. Thanks in advance!!
r0t3n @ #r0t3n @ Quakenet
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon

Post by Sir_Fz »

It's time for this question: What the hell is a pjen-drone?
r0t3n
Owner
Posts: 507
Joined: Tue May 31, 2005 6:56 pm
Location: UK

Post by r0t3n »

Well, it's someone who is infected with a trojan/virus kinda thing. And the aspb database never works for me. So can you guys here help me make an antipjen-drone script? Please. Thanks in advance!!
r0t3n @ #r0t3n @ Quakenet
demond
Revered One
Posts: 3073
Joined: Sat Jun 12, 2004 9:58 am
Location: San Francisco, CA

Post by demond »

this is pathetic (just like all qnet stuff btw, we all know qnet is lame :P qnet people please don't jump on me now hehe)

there is no sure way of detecting a host which has been infected by a virus or trojan; a signature could be used, by nick/username/gecos/ctcp version reply pattern, but a clever virus/trojan author/user can always beat these detection schemes in a heartbeat, with a simple modification

so I'd guess that the aspb/pjen/whatever thing catches lame virus/trojan hosts only, the ones that actually have a constant signature
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

Try giving this script a go maybe it can help you, for catching drones:
http://www.egghelp.org/cgi-bin/tcl_arch ... ad&id=1152
·­awyeah·

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
metroid
Owner
Posts: 771
Joined: Wed Jun 16, 2004 2:46 am

Post by metroid »

demond wrote:
> this is pathetic (just like all qnet stuff btw, we all know qnet is lame :P qnet people please don't jump on me now hehe)

Hey!
r0t3n
Owner
Posts: 507
Joined: Tue May 31, 2005 6:56 pm
Location: UK

Post by r0t3n »

demond wrote:
> a signature could be used, by nick/username/gecos/ctcp version reply pattern

What do you mean by a signature could be used to detect a trojan/drone user? And could a string and/or regexp on the ident and/or host be used to detect if there are any numbers in the ident or any random idents? Also maybe a string match to detect any $decode messages. I don't know if any of this will work. I don't have a clue about using these to detect a random drone/possible trojan infected client. As far as I know, aspb only really kicks people with numbers and/or random ident/nick.
r0t3n @ #r0t3n @ Quakenet
Dizzle
Op
Posts: 109
Joined: Thu Apr 28, 2005 11:21 am

Post by Dizzle »

Don't think it's possible to 100% clear your channel of drones/trojans etc.
What's this real life ppl keep talking about ??? And where can I download it ???
r0t3n
Owner
Posts: 507
Joined: Tue May 31, 2005 6:56 pm
Location: UK

Post by r0t3n »

I know it's not 100%. Because also innocent people could be detected as a drone/trojan infected client and be punished. But then there will be a database. So they can message the bot saying 'im not infected' or something and get their host removed from the database. Chances are that most drones/trojan infected users will get detected and punished. Also maybe a [string match "*\$decode*" $text] could also detect $decode messages.
r0t3n @ #r0t3n @ Quakenet
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia

Post by Alchera »

Sir_Fz's solution. The end post. Works well and is a classic example of the famous KISS principle. :wink:
Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM
r0t3n
Owner
Posts: 507
Joined: Tue May 31, 2005 6:56 pm
Location: UK

Post by r0t3n »

That's a good script. But it only detects clients with the w32.aplore@mm trojan thing. I just need to know if I do a scan on the nick and ident if it would detect it's a drone/trojan client. Using regexp and some string match if-statements. To see if there are any numbers in the nick and/or host in certain places, if you know what I mean.
r0t3n @ #r0t3n @ Quakenet
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia

Post by Alchera »

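Code:

# Take the ident: everything before the @ in user@host
regexp {^([^@]+)} $uhost _ ident

# Match a nick of 5+ characters with no vowels and none of ^ _ `, or
# (&& binds tighter than ||) an ident longer than 4 characters that contains a digit
if {[regexp -nocase {^[^aeiou_^-`]{5,}$} $nick] || [regexp {.*[0-9]} $ident] && ([string length $ident] > 4)} {
 # do stuff
}

The above looks for consonant nicks and idents with numbers.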
Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM
demond
Revered One
Posts: 3073
Joined: Sat Jun 12, 2004 9:58 am
Location: San Francisco, CA

Post by demond »

Tosser^^ wrote:
> demond wrote:
> > a signature could be used, by nick/username/gecos/ctcp version reply pattern
>
> What do you mean by a signature could be used to detect a trojan/drone user? And could a string and/or regexp on the ident and/or host be used to detect if there are any numbers in the ident or any random idents? Also maybe a string match to detect any $decode messages. I don't know if any of this will work. I don't have a clue about using these to detect a random drone/possible trojan infected client. As far as I know, aspb only really kicks people with numbers and/or random ident/nick.

a signature is a certain combination of characters that can be matched against, using for example Alchera's (and possibly Sir_Fz's, haven't looked at his code) regexp

however, that would work against naive drones only (by "drone" I mean an IRC client, automatically spawned from an infected host - most likely an unsecured windows pc on a cable connection - by a virus or trojan)

I don't follow worm (virus/trojan) development, but AFAIK there are worms which are capable of generating nick/username/gecos in a pretty natural (pseudorandom) manner, rendering such regexp matching tools useless - and that's understandable, since from an algorithmic point of view, such a mechanism is fairly easy to implement (for example using a dictionary, with a simple permutation engine) - so even heuristic score assigning schemes (like mine in spambuster) would be pretty ineffective against that

if IRC anti-drone schemes/systems/tools still work, that's obviously because the majority of worm runners are (still) pretty dumb folks
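The limits described in the post above can be seen by running Alchera's two signatures over a handful of joins whose true status is known. This is an added example, not code from any thread participant; the proc names `drone_signature` and `evaluate` and every nick and host in the sample list are constructed for illustration.

```tcl
# Added example, pure Tcl. Proc names and all sample joins are constructed.

# Return the name of the signature that fires for a join, or "" for none.
proc drone_signature {nick uhost} {
    # ident = everything before the @ (keeps a leading ~, as in the posted snippet)
    if {![regexp {^([^@]+)@} $uhost -> ident]} { return "" }
    # Signature 1: nick of 5+ characters, none a vowel or one of ^ _ `
    if {[regexp -nocase {^[^aeiou_^-`]{5,}$} $nick]} { return "consonant-nick" }
    # Signature 2: ident longer than 4 characters that contains a digit
    if {[string length $ident] > 4 && [regexp {[0-9]} $ident]} { return "digit-ident" }
    return ""
}

# Constructed joins: nick, user@host, and what the client really is.
set joins {
    {xkqzrtw ~xkqzrtw@host1.example.net  drone}
    {brnd    ~user4821@host2.example.net drone}
    {Maria   ~redpanda@host3.example.net drone}
    {Sk8rBoy ~sk8r1990@host4.example.net human}
    {Nick    ~nick@host5.example.net     human}
}

# Classify every join and tally the outcome against the known truth.
proc evaluate {joins} {
    array set tally {hit 0 false_positive 0 miss 0 clean 0}
    foreach j $joins {
        lassign $j nick uhost truth
        set sig [drone_signature $nick $uhost]
        if {$sig ne "" && $truth eq "drone"} {
            set verdict hit
        } elseif {$sig ne ""} {
            set verdict false_positive
        } elseif {$truth eq "drone"} {
            set verdict miss
        } else {
            set verdict clean
        }
        incr tally($verdict)
        puts [format "%-8s %-28s %-15s %s" $nick $uhost $sig $verdict]
    }
    return [array get tally]
}

puts [evaluate $joins]
```

The dictionary-style nick with a word-like ident passes both signatures, while a human whose ident happens to contain digits is flagged, which is why a removal path for wrongly listed hosts matters.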
r0t3n
Owner
Posts: 507
Joined: Tue May 31, 2005 6:56 pm
Location: UK

Post by r0t3n »

Code:

################################################################### 
#                                                                 # 
# Coded by: Opposing (Fz@nexushells.net) - #nexushells @ DALnet   # 
# Version: 1.0                                                    # 
##                                                                # 
# Description: Bankicks nicks who are suspicious of being         # 
#              infected with w32.aplore@mm Trojan/Virus/Worm.     # 
#              Translated from the Oz mirc addon.                 # 
#                                                                 # 
# Report bugs/suggestions to Fz at nexushells.net                 # 
################################################################### 
# 
############################## 
# Configurations start here: # 
# __________________________ # 

## Set the channels you want this script to work on. 
## example: set aplore(chans) "#chan1 #chan2" (in lowercase) 
set aplore(chans) "" 

## Set the kick message. 
set aplore(kmsg) "w32.aplore@mm Trojan/Virus/Worm Infected." 

## Set, in minutes, ban time for this offence. 
set aplore(btime) "30" 

# Configurations end here. # 
############################ 
# 
###################################################################### 
# Code starts here, please do not edit anything unless you know TCL: # 
# __________________________________________________________________ # 

bind join - * aplore:kick 

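proc aplore:kick {nick uhost hand chan} {
 global aplore
 set aplorenick 0
 # Skip nicks that are letters only or contain - ^ ` _, and channels not listed in aplore(chans).
 if {([string is alpha $nick]) || ([string match *\[-^`_\]* $nick]) || ([lsearch -exact $aplore(chans) [string tolower $chan]] == -1)} { return 0 }
 # Split user@host into ident and host.
 scan $uhost %\[^@\]@%s ident host
 # Signature: the nick contains the ident (without its ~), starts with four letters and
 # ends in two digits; the ident ends in a digit and starts with ~ (no identd reply).
 if {([string match -nocase "*[set sident [string trimleft $ident ~]]*" $nick]) && ([string is alpha [string range $nick 0 3]]) && ([string is integer [string range $nick end-1 end]]) && ([string is integer [string index $sident end]]) && ([string index $ident 0] == "~")} {
  # The ban is set with a raw MODE on *!*@host; aplore(btime) is not used by these lines.
  putquick "KICK $chan $nick :$aplore(kmsg)"
  putquick "MODE $chan +b *!*@$host"
  putlog "\002$nick\002!\002$ident\002 is infected with w32.aplore@mm."
 }
}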

putlog "w32.aplore@mm bankick v1.0 by Opposing Loaded..."

That's Sir_Fz's script. I don't understand what this string is alpha/integer/index is and does. But I guess it's a good way of detecting most trojan/drone users. But I guess I could make an array and do a string match $nick/$ident $array as well. Then add the nick/host/ident to a database and always make a removeme proc. If I did that, what do you think would be the best host type to add the host with? $nick!$uhost, *!*@$host, *!*$nick@$host or something. I guess not to use *!*@$host because innocent people will be more likely to be punished, so $nick!$uhost or *!$nick/$ident@$host. I'm not good at this, ip/hostname/host stuff confuses me (^-^).
r0t3n @ #r0t3n @ Quakenet
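The host-type question in the post above comes down to how many clients each mask covers. This is an added example, not code from the thread or from Sir_Fz's script: it builds the exact, ident@host and host-only masks for one join and lists which members each would hit, showing that the exact mask stops matching after a nick change while the host-only mask also covers an unrelated user on the same host. The proc names `glob_escape`, `candidate_masks` and `mask_hits` and all nick!user@host values are constructed for illustration.

```tcl
# Added example, pure Tcl. Proc names and all nick!user@host values are constructed.

# Escape the characters string match treats specially but IRC masks do not
# ([ ] and \ are legal in nicks), so only * and ? act as wildcards.
proc glob_escape {s} { return [string map {\\ \\\\ [ \\[ ] \\]} $s] }

# Build three candidate masks for one join: exact, ident@host, host only.
proc candidate_masks {nick uhost} {
    lassign [split $uhost @] ident host
    set n [glob_escape $nick]
    set i [glob_escape [string trimleft $ident ~]]
    set h [glob_escape $host]
    return [list "$n![glob_escape $uhost]" "*!*$i@$h" "*!*@$h"]
}

# Return the members (nick!user@host) that a mask would cover.
proc mask_hits {mask members} {
    set hits {}
    foreach m $members {
        # IRC mask matching is case-insensitive
        if {[string match -nocase $mask $m]} { lappend hits $m }
    }
    return $hits
}

# Constructed channel: the flagged client, the same client after a nick
# change, another user behind the same host, and an unrelated user.
set members {
    brnd42!~brnd4@cable-12.example.net
    brnd57!~brnd4@cable-12.example.net
    alice!~alice@cable-12.example.net
    bob!~bob@dsl-7.example.org
}

foreach mask [candidate_masks brnd42 ~brnd4@cable-12.example.net] {
    set hits [mask_hits $mask $members]
    puts [format "%-38s covers %d: %s" $mask [llength $hits] [join $hits ", "]]
}
```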
Dizzle
Op
Posts: 109
Joined: Thu Apr 28, 2005 11:21 am

Post by Dizzle »

Well, try it out Tosser^^, you're writing very intelligently, so it can be np for you 8) :?
What's this real life ppl keep talking about ??? And where can I download it ???