Security issue with my botnet

GQsm
Voice
Posts: 16
Joined: Wed Sep 26, 2001 8:00 pm
Location: Sheffield, England

Post by GQsm »

A user on my bots that had +hp global flags somehow gave himself +nm. I'm using eggdrop 1.6.6.

dcc:tcl and dcc:set were usable but only by owners "set must-be-owner 1"

I was the only +nm user before he did it, so no-one else could have given him the flags.

Tcl scripts I have are netbots 3.80 and mel eggdrop logger. He said he did the changes days ago and my eggdrop logs are only kept for 1 day, so I have no clues from my eggdrop logs.

Can someone tell me how he could have done it or what precautions I need to look into?

Thanks
A worried botnet owner.
ppslim
Revered One
Posts: 3914
Joined: Sun Sep 23, 2001 8:00 pm
Location: Liverpool, England

Post by ppslim »

Suggestions would be to ask him how he did it.

What version of mel are you running?
GQsm
Voice
Posts: 16
Joined: Wed Sep 26, 2001 8:00 pm
Location: Sheffield, England

Post by GQsm »

mEL v1.55:

And I've asked him how, but he won't tell me. He finds it amusing, and useful for trying to blackmail me.
ppslim
Revered One
Posts: 3914
Joined: Sun Sep 23, 2001 8:00 pm
Location: Liverpool, England

Post by ppslim »

Blackmail him - remove him from the bot, ban him and add a .+ignore to the bot for his host.

See how long he laughs for then.
GQsm
Voice
Posts: 16
Joined: Wed Sep 26, 2001 8:00 pm
Location: Sheffield, England

Post by GQsm »

If he's hacked one of my shell accounts then that wouldn't really stop him, would it?

What are the possible ways he's done this? Then I will look at fixing them all.
ppslim
Revered One
Posts: 3914
Joined: Sun Sep 23, 2001 8:00 pm
Location: Liverpool, England

Post by ppslim »

CHMOD all userfiles and channels files 700.

Each time you login to your shell account, check which host last logged in. If one that isn't yours shows up, e-mail the shell admin, and tell them they have been intruded.

Change your passwords, make sure your eggdrop and shell passwords are different.

Load lopfile.tcl component of netbots, and have logs e-mailed to yourself daily. Turns all log flags on.

Enable console mode r in config file, and ".console +r" yourself. Trick him into proving to you he can do it in front of your face. This console trick should provide you with the network dumps required to find out how he did it.
Petersen
Owner
Posts: 685
Joined: Thu Sep 27, 2001 8:00 pm
Location: Blackpool, UK

Post by Petersen »

$ last |grep petersen

Invaluable tool to see if your shell has been hacked (replace petersen with your username).
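
The two shell-side checks suggested above (owner-only userfiles and channel files, and reviewing `last` for unfamiliar hosts), as an added shell example that is not part of the original thread. The `*.user`/`*.chan` extensions, the function names, the known-host list and the sample `last` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: userfiles end in .user and
# channel files in .chan (eggdrop takes the real names from its config).

# Print userfiles/chanfiles under directory $1 that group or other can
# read, write or execute, i.e. anything looser than owner-only (700/600).
loose_bot_files() {
    find "$1" -type f \( -name '*.user' -o -name '*.chan' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Read `last` output on stdin and print each distinct remote host that
# user $1 logged in from and that is not among the remaining arguments.
# Local console (tty*) sessions have no host column and are skipped.
unknown_login_hosts() {
    user=$1; shift
    awk -v user="$user" -v known="$*" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 == user && $2 !~ /^tty/ && !($3 in ok) && !seen[$3]++ { print $3 }'
}

# Constructed sample of `last` output (documentation-range addresses).
sample_last() {
    cat <<'EOF'
petersen pts/0        192.0.2.10       Mon Jan  7 21:14   still logged in
otheruser pts/1       198.51.100.7     Mon Jan  7 20:02 - 20:40  (00:38)
petersen pts/2        203.0.113.55     Sun Jan  6 03:11 - 03:29  (00:18)
petersen pts/0        192.0.2.10       Sat Jan  5 18:45 - 23:02  (04:17)
petersen tty1                          Fri Jan  4 09:00 - 09:05  (00:05)

wtmp begins Tue Jan  1 00:00:12 2002
EOF
}

# Live use (paths and host are placeholders):
#   loose_bot_files "$HOME/eggdrop"
#   last | unknown_login_hosts "$USER" 192.0.2.10
```

Any path printed by `loose_bot_files` needs its mode tightened, and any host printed by `unknown_login_hosts` is one to raise with the shell admin.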