What do you mean by a signature could be used to detect a trojan/drone user. And could a string and/or reqexp on the ident and/or host to detect if there is any numbers in the ident or any random idents. Also maybe a string match to detect any $decode messages. I dont know if any of this will work. I dont have a clue of using these to detected a random drone/possible trojan infected client. As far as i know, aspb only really kicks people with numbers and/or random ident/nick.demond wrote:a signature could be used, by nick/username/gecos/ctcp version reply pattern
Code: Select all
regexp {^([^@]+)} $uhost _ ident
if {[regexp -nocase {^[^aeiou_^-`]{5,}$} $nick] || [regexp {.*[0-9]} $ident] && ([string length $ident] > 4)} {
*** do stuff
}
a signature is certain combination of characters that can be matched against, using for example Alchera's (and possibly Sir_Fz's, haven't looked at his code) regexpTosser^^ wrote:What do you mean by a signature could be used to detect a trojan/drone user. And could a string and/or reqexp on the ident and/or host to detect if there is any numbers in the ident or any random idents. Also maybe a string match to detect any $decode messages. I dont know if any of this will work. I dont have a clue of using these to detected a random drone/possible trojan infected client. As far as i know, aspb only really kicks people with numbers and/or random ident/nick.demond wrote:a signature could be used, by nick/username/gecos/ctcp version reply pattern
Code: Select all
###################################################################
# #
# Coded by: Opposing (Fz@nexushells.net) - #nexushells @ DALnet #
# Version: 1.0 #
## #
# Description: Bankicks nicks who are suspicious of being #
# infected with w32.aplore@mm Trojan/Virus/Worm. #
# Translated from the Oz mirc addon. #
# #
# Report bugs/suggestions to Fz at nexushells.net #
###################################################################
#
##############################
# Configurations start here: #
# __________________________ #
## Set the channels you want this script to work on.
## example: set aplore(chans) "#chan1 #chan2" (in lowercase)
set aplore(chans) ""
## Set the kick message.
set aplore(kmsg) "w32.aplore@mm Trojan/Virus/Worm Infected."
## Set, in minutes, ban time for this offence.
set aplore(btime) "30"
# Configurations end here. #
############################
#
######################################################################
# Code starts here, please do not edit anything unless you know TCL: #
# __________________________________________________________________ #
bind join - * aplore:kick
proc aplore:kick {nick uhost hand chan} {
global aplore
set aplorenick 0
if {([string is alpha $nick]) || ([string match *\[-^`_\]* $nick]) || ([lsearch -exact $aplore(chans) [string tolower $chan]] == -1)} { return 0 }
scan $uhost %\[^@\]@%s ident host
if {([string match -nocase "*[set sident [string trimleft $ident ~]]*" $nick]) && ([string is alpha [string range $nick 0 3]]) && ([string is integer [string range $nick end-1 end]]) && ([string is integer [string index $sident end]]) && ([string index $ident 0] == "~")} {
putquick "KICK $chan $nick :$aplore(kmsg)"
putquick "MODE $chan +b *!*@$host"
putlog "\002$nick\002!\002$ident\002 is infected with w32.aplore@mm."
}
}
putlog "w32.aplore@mm bankick v1.0 by Opposing Loaded..."