Detecting users with normal ips and vhost ips

Help for those learning Tcl or writing their own scripts.
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

What would be a good way of telling normal IP users apart from people using vhosts?

Currently I came up with this:

Code:

set host [lindex [split $uhost @] 1]
# index of the last dot-separated label (the TLD)
set tld [expr {[llength [split $host "."]] - 1}]
# host is not made purely of non-digits ending in a letter, and its TLD is in the list
if {![regexp {^[^0-9]*[a-zA-Z]$} $host] && [regexp {^(com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk)$} [lindex [split $host "."] $tld]]} { return 0 }
All suggestions would be appreciated.
·­awyeah·

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon

Post by Sir_Fz »

If a host ends with a number then it's an IP else it's a hostname:

Code:

# last character is a digit -> dotted-quad IP, otherwise a hostname
if {[string is integer -strict [string index $host end]]} {
  # IP
} else {
  # Vhost
}
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

That is also good logic, but I'm concerned because hosts are not always in the format of numbers. They are also in formats like:

Code:

chaos@179.13.95.219.kmr01-home.tm.net.my
karrde@bzq-88-153-115-56.red.bezeqint.net
~plamen@87-126-143-181.btc-net.bg
net@dsl-201-219-71-82.users.telpin.com.ar
richardw@M263P003.adsl.highway.telekom.at
Nem@dslb-084-056-241-131.pools.arcor-ip.net
~jjkola@cable-roi-fff8dd00-151.dhcp.inet.fi
These include numbers together with alphabets. Is anything suggested for situations like this?
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

It would be helpful to know what characteristics these vhosts have (that is, how are they different from real hosts).
As for simplifying the code in your first post, consider using this:

Code:

# there is a host part after the "@", and it ends in one of the listed TLDs
if {[lindex [split $uhost "@"] 1] ne "" && [regexp {\.(com|net|org)$} $uhost]} {return 0}
(list of TLDs truncated to make it easier to read).

Also, I am not sure what you are trying to accomplish with the first regular expression, although using ![regexp ....] is a bit easier than [string equal "0" [regexp...]].
NML_375
honeybee
Halfop
Posts: 80
Joined: Sun Jan 01, 2006 12:42 pm

Post by honeybee »

Vhosts are usually resolved, so why don't you check if the IP is really a resolving IP?

Code:

# a host that is still a dotted-quad did not resolve; $host receives the ip
if {[regexp {@(\d+\.\d+\.\d+\.\d+)$} $uhost tmp host]} {
  # is not a resolving ip
}
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

This basically works on the basis that vhosts only contain alphabets, lower and upper case, and no numbers, since virtual hosts normally contain alphabets and no numbers. If numbers are present, there are only 1 minimum to 3 maximum.

Code:

# matches a host made only of non-digits that ends in a letter
regexp {^[^0-9]*[a-zA-Z]$} $host
Anyway, thanks for all the suggestions. I'll give them a go :)
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

Here are some examples of virtual hosts:

Code:

64.18.135.148 ==> search.on.g0ogle.be
64.18.135.149 ==> get.me.bill.gatesweb.info
64.18.135.150 ==> halloween.gh0strider.be
64.18.135.151 ==> got.girls4uboys.com
64.18.135.152 ==> trust.godhost.us
64.18.135.153 ==> idiots.gothacked.biz
64.18.135.154 ==> are.you.h0m0.net
64.18.135.155 ==> come.here.to.have-my.info
64.18.135.156 ==> mess.with.me.if.you.want.hellentry.com
64.18.135.157 ==> whats.his-real.name
64.18.135.158 ==> w.hore.be
64.18.135.159 ==> amd.vs.intel.st
64.18.135.160 ==> dont.even.dare.to.ban.my.ip-address.be
64.18.135.161 ==> smart.ircnoob.com
64.18.135.162 ==> you.are.lag.in
64.18.135.163 ==> this.is.leet.la
64.18.135.164 ==> only.me.no-u.be
64.18.135.165 ==> shoutcast.is.nullsoft.be
64.18.135.166 ==> lets.talk.about.ourmeetings.net
64.18.135.167 ==> you.must.be.outofmind.be
64.18.135.168 ==> its.time.to.ping-timeout.be
64.18.135.169 ==> group.of.rappers.cc
64.18.135.170 ==> your.secrets.are.recorded.be
64.18.135.171 ==> dont.worry.you.are.secure.la
64.18.135.172 ==> you.are.just.another.sh1tbox.com
64.18.135.173 ==> be.my.shad0w.be
64.18.135.174 ==> her.nightie.is.made.of.silk.com
64.18.135.175 ==> she.is.one.of.the.top-escort.nl
64.18.135.176 ==> are.you.virgine.ws 
Yes, we can check if virtual hosts resolve to an IP, but would we also need to check if their reverse DNS resolves, right?
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

awyeah wrote:This basically works on the basis that vhosts only contain alphabets, lower and upper case, and no numbers, since virtual hosts normally contain alphabets and no numbers. If numbers are present, there are only 1 minimum to 3 maximum.

Code:

regexp {^[^0-9]*[a-zA-Z]$} $host
Anyway, thanks for all the suggestions. I'll give them a go :)
Actually, this matches any number of non-numeric characters, followed by one alphabetic character.
awyeah wrote:Yes, we can check if virtual hosts resolve to an IP, but would we also need to check if their reverse DNS resolves, right?
Unless they use HostServ vhosts (which are not ip-based at all), a reverse-dns of the ip would most likely return the same hostname as seen on irc, with the rare exception when an ircd would use its own dns-server with "bogus" entries for *.in-addr.arpa.

In the case of "normal" vhosts, I guess your best bet would be to gather network-ranges that are confirmed vhosts, do a dns-lookup on the suspected hostname, and see if the resulting ip matches any known vhost net.
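The range check nml375 describes (resolve the suspected host, then see whether the address falls in a known vhost network) needs an IPv4 CIDR matcher, which Tcl does not ship. The block below is an added example, not code from this thread or from eggdrop; the 64.18.135.0/24 range is taken from the vhost list posted earlier in the thread and 10.0.0.0/8 is made up, both assumed to be "known vhost nets" for illustration only. The callback name vhost_lookup_done and its use of putlog are likewise assumed; the pure functions run in plain tclsh.

```tcl
# Added example (not from the thread): does an IPv4 address, e.g. the one an
# eggdrop dnslookup callback hands back, fall inside a list of known ranges?
# Assumed ranges for illustration: 64.18.135.0/24 comes from the thread's vhost
# list, 10.0.0.0/8 is made up.
set vhost_nets {64.18.135.0/24 10.0.0.0/8}

# dotted-quad string -> 32-bit integer; returns -1 for anything that is not a
# valid IPv4 address, so a hostname or "1.2.3.256" can never match a range
proc ip2int {ip} {
    set octets [split $ip "."]
    if {[llength $octets] != 4} { return -1 }
    set n 0
    foreach o $octets {
        if {![regexp {^[0-9]{1,3}$} $o]} { return -1 }
        scan $o %d o   ;# "084" is decimal 84 here, not an invalid octal literal
        if {$o > 255} { return -1 }
        set n [expr {($n << 8) | $o}]
    }
    return $n
}

# is $ip inside $cidr ("a.b.c.d/bits")?  a bare address is treated as /32
proc ip_in_cidr {ip cidr} {
    foreach {net bits} [split $cidr "/"] break
    if {$bits eq ""} { set bits 32 }
    set a [ip2int $ip]
    set b [ip2int $net]
    if {$a < 0 || $b < 0 || $bits < 0 || $bits > 32} { return 0 }
    # mask with the top $bits set; compare only the network parts
    set mask [expr {$bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF}]
    return [expr {($a & $mask) == ($b & $mask)}]
}

# returns the first matching range, or "" when the address is in none of them
proc known_vhost_net {ip nets} {
    foreach cidr $nets {
        if {[ip_in_cidr $ip $cidr]} { return $cidr }
    }
    return ""
}

# Assumed eggdrop wiring (defined, not called here): dnslookup is asynchronous,
# so the comparison has to happen in the callback, not right after the call:
#   dnslookup $host vhost_lookup_done $nick
proc vhost_lookup_done {ip host status nick} {
    global vhost_nets
    if {!$status} { return }
    set net [known_vhost_net $ip $vhost_nets]
    if {$net ne ""} {
        putlog "$nick: $host resolves to $ip, inside known vhost range $net"
    }
}

# self-check with constructed inputs, runnable in plain tclsh
foreach {ip expected} {64.18.135.160 64.18.135.0/24 64.18.136.1 "" 10.9.8.7 10.0.0.0/8 not.an.ip ""} {
    set got [known_vhost_net $ip $vhost_nets]
    if {$got ne $expected} { error "$ip: got '$got', expected '$expected'" }
}
puts "cidr checks ok"
```

The mask is built with a shift rather than a per-octet string comparison so that prefixes that do not fall on an octet boundary (/20, /27) work too, and every address is validated before it is compared, which keeps a hostname string that happened to be passed in from silently matching anything.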
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

Code:

#this would be for hosts with alphabets and no numbers: does not start with a
#digit, contains at least one letter, and ends in one of the listed TLDs
if {[regexp {^[^0-9]} $host] && [regexp {[a-zA-Z]} $host] && [regexp {\.(com|net|org|info|biz|tk)$} $host]} {
  # vhost
}

#my next situation would be for determining with numbers as well, maybe take the percentage of numbers in the vhost along with the length of the alphabets present in the host, and comparing it with a certain number which i will observe by looking at most vhosts of certain shell companies :)
This should be the simplest logic for now. I'll find a more suitable solution by looking at vhosts carefully and trying to detect the best setting for matching vhosts over regular IP addresses. I'll follow up the code and include it within this post for other users to see and utilize.

The problem with gathering shell box ranges for various shell providers would be that it is a very trivial and tedious task, since there are just too many.. and HostServ is not used on DALnet, which is the network I use.

I appreciate everyone for their help and contribution. Thanks.
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon

Post by Sir_Fz »

Code:

[regexp {^[^0-9]} $host]
Means that the first character in $host is not a number.

Code:

[regexp {[a-zA-Z]} $host]
Means that $host contains an alphabet.
So it can simply be replaced with

Code:

[regexp {[^0-9]} $host]
If there's no numbers, then they're definitely alphabets (with '.' and perhaps '-').
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Since we're not dealing with HostServ based vhosts, this means that there's really no difference between vhosts and other hosts. I think you're rather looking for a DNS-pollution scanner.
A few good links on the subject:
http://www.dnsspam.nl/, http://www.nl.ircnet.org/hostname-rules.html.
Also might wish to inspect dnsspam.tcl which uses spamcalc to determine the grade of pollution of the hostname.
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

After doing a survey I found:
Vhosts have a percentage of alphabets of around 92% and numbers around 8%, while regular hosts have a percentage of numbers of about 40% or more.

Here is the current solution I derived for determining vhosts against normal IP addresses: (not valid if vhosts are not resolved on the ircd)

Code:

#setting variables: $uhost is the part after the "@"
set labels [split $uhost "."]
set tld [expr {[llength $labels] - 1}]
set domain [expr {[llength $labels] - 2}]
#everything before the tld, joined into one string
set notlduhost [join [lrange $labels 0 [expr {$tld - 1}]] ""]
#everything before the domain label (the subdomain part)
set subdomains [join [lrange $labels 0 [expr {$domain - 1}]] "."]
set numbers [regexp -all {[0-9]} $uhost]
set alphabets [regexp -nocase -all {[a-z]} $uhost]
set totalchar [expr {$numbers + $alphabets}]
#percentage of digits among letters+digits (0 if the host has neither)
set numbersper [expr {$totalchar ? ($numbers * 100) / $totalchar : 0}]
set tldre {^(com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk)$}

#vhosts with no numbers
if {$numbers == 0 && [regexp -all {\-} [lindex $labels $domain]] <= 2 && [regexp -all -nocase {[a-z]} $notlduhost] >= 5 && [regexp -nocase $tldre [lindex $labels $tld]]} {
#do stuff
}

#vhosts with numbers
if {$numbersper <= 8 && [regexp -all {\-} [lindex $labels $domain]] <= 2 && [regexp -all {[0-9]} [lindex $labels $domain]] <= 2 && [regexp -all {\-} $subdomains] <= 1 && [regexp -all -nocase {[a-z]} $notlduhost] >= 5 && [regexp -nocase $tldre [lindex $labels $tld]]} {
#do stuff
}

#ip address in (0.0.0.0 - 255.255.255.255 range); the anchored regexp already
#implies the length, dot-count and all-digits checks
if {[regexp {^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$} $uhost]} {
#do stuff
}

#ip address in domain format
if {[string length [string map {"." ""} $uhost]] >= 18 && $numbersper >= 30 && [regexp -all {\-} [lindex $labels $domain]] == 0 && [regexp -all {[0-9]} [lindex $labels $domain]] == 0 && [regexp -all {\-} $subdomains] >= 1 && [regexp -all -nocase {[a-z]} $notlduhost] >= 8} {
#do stuff
}
Edit: I haven't really tested this logic yet for accuracy.
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

This is the complete tested script. It works efficiently to determine vhosts against normal IP addresses. I also added a DNS function in normal IPs to check for vhosts if they are not resolved on the ircd.

Code:

#the checks from the previous post, split into procs so the dnslookup
#callback can reuse them. $host is the full user@host as eggdrop passes it.
set tldre {^(com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk|ws)$}
set ipv4re {^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$}

#measures used by the rules: tld, domain label, the labels before them,
#digit count and percentage of digits among letters+digits
proc host_stats {uhost} {
  set labels [split $uhost "."]
  set tld [lindex $labels end]
  set domain [lindex $labels end-1]
  set nodomaintld [join [lrange $labels 0 end-2] "."]
  set numbers [regexp -all {[0-9]} $uhost]
  set alphabets [regexp -nocase -all {[a-z]} $uhost]
  set totalchar [expr {$numbers + $alphabets}]
  set numbersper [expr {$totalchar ? ($numbers * 100) / $totalchar : 0}]
  return [list $tld $domain $nodomaintld $numbers $numbersper]
}

#1 if the host part matches either vhost rule, 0 otherwise
proc looks_like_vhost {uhost} {
  global tldre
  foreach {tld domain nodomaintld numbers numbersper} [host_stats $uhost] break
  #vhosts with no numbers
  if {$numbers == 0 && [regexp -all {\-} $domain] <= 2 && [regexp -all -nocase {[a-z]} $nodomaintld] >= 5 && [regexp -nocase $tldre $tld]} {
    return 1
  }
  #vhosts with numbers
  if {$numbersper >= 1 && $numbersper <= 8 && [regexp -all {\-} $domain] <= 2 && [regexp -all {[0-9]} $domain] <= 2 && [regexp -all {\-} $nodomaintld] <= 1 && [regexp -all -nocase {[a-z]} $nodomaintld] >= 5 && [regexp -nocase $tldre $tld]} {
    return 1
  }
  return 0
}

proc check_host {host} {
  global ipv4re
  #setting variables
  set uhost [lindex [split $host @] 1]
  if {[looks_like_vhost $uhost]} {
    #do stuff (resolved vhost)
    return
  }
  foreach {tld domain nodomaintld numbers numbersper} [host_stats $uhost] break
  #ip address in (0.0.0.0 - 255.255.255.255 range) - can be unresolved vhost
  if {[regexp $ipv4re $uhost]} {
    #check for unresolved vhost. dnslookup is asynchronous: the answer arrives
    #later in ip_address_output, so the "do stuff" for this case lives there
    dnslookup $uhost ip_address_output $uhost
  #ip address in domain format
  } elseif {[string length [string map {"." ""} $uhost]] >= 18 && $numbersper >= 20 && [regexp -all {\-} $domain] == 0 && [regexp -all {[0-9]} $domain] == 0 && [regexp -all {\-} $nodomaintld] >= 1 && [regexp -all -nocase {[a-z]} $nodomaintld] >= 8} {
    #do stuff (ip address written as an isp hostname)
  }
}

#called by eggdrop as: ip_address_output <ip> <hostname> <status> <addr>
#status is 1 when the lookup succeeded; addr is the original host we passed in
proc ip_address_output {ip host status addr} {
  if {!$status} { return }
  #reverse lookup of the ip gave a hostname: judge that, not the ip
  if {[string match -nocase *$ip* $addr]} {
    set uhost $host
  } else {
    set uhost $ip
  }
  if {[looks_like_vhost $uhost]} {
    #do stuff (unresolved vhost)
  }
}
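The thread settles on shape heuristics (dotted-quad check, Sir_Fz's last-character test, awyeah's digit percentage) without running them side by side over the hosts it quotes. The block below is an added example, not code from this thread or from eggdrop: it puts those rules into one classifier and checks it against the sample hosts posted above. The expected labels are assumed from how the thread describes each host, the 8% and 20% thresholds are the ones awyeah reported, and the proc names (host_of, classify_host, last_char_rule) are made up here. It runs in plain tclsh.

```tcl
# Added example (not from the thread): the shape heuristics discussed above in
# one classifier, run over the hosts quoted in the thread. Returns "unknown"
# when neither rule is confident rather than guessing.
set ipv4re {^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$}

# host part of a user@host string ("" if there is no @)
proc host_of {uhost} {
    set at [string last "@" $uhost]
    if {$at < 0} { return "" }
    return [string range $uhost [expr {$at + 1}] end]
}

# Sir_Fz's rule: last character is a digit -> "ip", else "hostname"
proc last_char_rule {host} {
    if {[string is integer -strict [string index $host end]]} { return ip }
    return hostname
}

# awyeah's measure: percentage of digits among the letters and digits
proc digit_percent {host} {
    set digits  [regexp -all {[0-9]} $host]
    set letters [regexp -all -nocase {[a-z]} $host]
    set total [expr {$digits + $letters}]
    if {$total == 0} { return 0 }
    return [expr {$digits * 100 / $total}]
}

# one of: ip, isp, vhost, unknown
proc classify_host {host} {
    global ipv4re
    if {[regexp $ipv4re $host]} { return ip }
    # four 1-3 digit groups joined by "." or "-" anywhere in the name is the
    # signature of an ISP host that embeds the customer's address
    if {[regexp {(^|[^0-9])[0-9]{1,3}([.-][0-9]{1,3}){3}([^0-9]|$)} $host]} { return isp }
    set pct [digit_percent $host]
    if {$pct <= 8} { return vhost }
    if {$pct >= 20} { return isp }
    return unknown
}

# constructed self-check: hosts quoted in the thread, expected labels assumed
# from the thread's own descriptions of them
set samples {
    chaos@179.13.95.219.kmr01-home.tm.net.my     isp
    karrde@bzq-88-153-115-56.red.bezeqint.net    isp
    ~plamen@87-126-143-181.btc-net.bg            isp
    net@dsl-201-219-71-82.users.telpin.com.ar    isp
    richardw@M263P003.adsl.highway.telekom.at    isp
    Nem@dslb-084-056-241-131.pools.arcor-ip.net  isp
    ~jjkola@cable-roi-fff8dd00-151.dhcp.inet.fi  isp
    user@64.18.135.160                           ip
    user@search.on.g0ogle.be                     vhost
    user@idiots.gothacked.biz                    vhost
    user@be.my.shad0w.be                         vhost
    user@are.you.h0m0.net                        unknown
}
foreach {uhost expected} $samples {
    set host [host_of $uhost]
    set got [classify_host $host]
    if {$got ne $expected} { error "$host: classified as $got, expected $expected" }
}

# the last-character test on its own calls every ISP host above a hostname,
# because each of them ends in a letter
set missed 0
foreach {uhost expected} $samples {
    if {$expected eq "isp" && [last_char_rule [host_of $uhost]] eq "hostname"} { incr missed }
}
puts "classifier ok; last-character rule alone calls $missed of the ISP hosts a hostname"
```

Two things the run makes visible that the thread only argues about: the embedded dotted-quad pattern catches the ISP hosts that mix digits and letters, which the last-character rule misses entirely, and the digit percentage is not a clean separator, since are.you.h0m0.net sits at 15% (two digits in a short name) and lands in neither band. A host that ends up "unknown" is the one worth sending to the DNS-based checks rather than forcing into a bucket.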