eggdrop hacking

General support and discussion of Eggdrop bots.
alekleet
Voice
Posts: 14
Joined: Tue Jan 15, 2008 3:08 pm

eggdrop hacking

Post by alekleet »

Two days ago my eggnet gave op to unknown users/nicks and they took my channel. I checked all my shells and the bots' userfiles and no user has been added who can give op or take a channel. The same guy who took my channel also took a lot of other channels (like 15-20). I want to know how I can protect my botnet from these kinds of hackings. Please, can anyone help me? Thanks in advance.
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

We would need some information on which version of eggdrop you are running, where you retrieved the source or binary, whether it was source or a precompiled package (binary), which scripts you are using, and what type of IRC servers you have been using (which IRC network, if you do not know which server platform they use).

Also, if you can find anything "odd" or strange in your logs, that information might be helpful as well.
NML_375
YooHoo
Owner
Posts: 939
Joined: Thu Feb 13, 2003 10:07 pm
Location: Redwood Coast

Post by YooHoo »

Also check your userlist for easy-to-fake and/or new hostmasks (.match * 999). It might be a good idea to check your logfiles to find out what commands were issued and by whom.
alekleet
Voice
Posts: 14
Joined: Tue Jan 15, 2008 3:08 pm

Post by alekleet »

version: eggdrop-1.6.18

scripts:

source scripts/alltools.tcl
source scripts/action.fix.tcl
source scripts/netbots/netbots.tcl
source scripts/netbots/superbitch.tcl
source scripts/bitchxpack1.50.tcl
source scripts/getops.tcl

network: undernet
servers:
lelystad.nl.eu.undernet.org:6667
london.uk.eu.undernet.org:6667
oslo2.no.eu.undernet.org:6667
zagreb.hr.eu.undernet.org:6667
carouge.ch.eu.undernet.org:6669
ede.nl.eu.undernet.org:6667
us.undernet.org:6667
elsene.be.eu.undernet.org:6667
amsterdam.nl.eu.undernet.org:6667
amsterdam2.nl.eu.undernet.org:6668
oslo1.no.eu.undernet.org:6666
diemen.nl.eu.undernet.org:6667

I downloaded it from eggheads and it was source.

I can't/don't know how to find the chat logs... and I checked the userfile... there is nothing new...

That guy took the channels with a trick or he hacked them... that guy took channels from three other botnets...
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia

Post by Alchera »

Logs are stored in the ........... wait for it ........ "logs" directory.

Using Nick!*@* for a user's host is risky and if you have used this format then you'd better change that habit. ;)
Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM
alekleet
Voice
Posts: 14
Joined: Tue Jan 15, 2008 3:08 pm

Post by alekleet »

egg@edge:~/eggdrop/logs$ ls
CONTENTS
egg@edge:~/eggdrop/logs$


There are no logs :( and I never use hosts like nick*!*@*, strictly *!*@username.users.undernet.org or *!*ident@host.com ....
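An added example, not part of any post in this thread and not eggdrop code: it shows why a mask of the Nick!*@* form is easy to fake, next to the two stricter forms alekleet lists. The function names mask_match and hostmask_is_weak and the sample client string are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Match text against a mask with '*' and '?', ASCII case-insensitive
 * (a simplification of IRC casemapping). Returns 1 on match. */
int mask_match(const char *mask, const char *text)
{
    for (; *mask; mask++, text++) {
        if (*mask == '*') {
            while (*mask == '*')
                mask++;
            if (*mask == '\0')
                return 1;
            for (; *text; text++)
                if (mask_match(mask, text))
                    return 1;
            return 0;
        }
        if (*text == '\0')
            return 0;
        if (*mask != '?' &&
            tolower((unsigned char)*mask) != tolower((unsigned char)*text))
            return 0;
    }
    return *text == '\0';
}

/* 1 if the host part is nothing but wildcards, so only the client-chosen
 * nick and ident identify the user; 0 otherwise; -1 if malformed. */
int hostmask_is_weak(const char *mask)
{
    const char *bang = strchr(mask, '!');
    const char *at = bang ? strchr(bang, '@') : NULL;

    if (at == NULL || at[1] == '\0')
        return -1;
    return strspn(at + 1, "*?") == strlen(at + 1);
}

int main(void)
{
    /* Constructed client: the right nick, connecting from an unrelated host. */
    const char *client = "nick!someone@other.example.net";
    const char *masks[] = { "Nick!*@*", "*!*@username.users.undernet.org",
                            "*!*ident@host.com" };
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++)
        printf("%-34s weak=%d matches_client=%d\n", masks[i],
               hostmask_is_weak(masks[i]), mask_match(masks[i], client));
    return 0;
}
```

Only the first mask is flagged as weak and matches the unrelated client; the other two tie the user record to a host the client cannot choose freely.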
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia

Post by Alchera »

alekleet wrote:
egg@edge:~/eggdrop/logs$ ls
CONTENTS
egg@edge:~/eggdrop/logs$

There are no logs :( and I never use hosts like nick*!*@*, strictly *!*@username.users.undernet.org or *!*ident@host.com ....

You need to recheck your 1.6.18 configuration against the tutorial: Setting up an Eggdrop

Anyone that gets hold of a user's channel/ops pass can simply use services without any need for eggdrop access or eggdrop opping them.

It's impossible for eggdrop to even stop a channel takeover!
Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

There is one confirmed remote exploit in 1.6.18 relating to a lack of bounds-checking of the sender when PRIVMSG (and other) commands are received. So far, this has required the use of bogus IRC servers, as RFC-compliant servers do not exceed this bound. Using this exploit would require the aggressor to make your bot connect to a bogus server.

The lack of logfiles is bad news; could you check your config file whether you have any "logfile" commands in there?

As for your scripts, I can't think of any known backdoors/issues with those.
NML_375
alekleet
Voice
Posts: 14
Joined: Tue Jan 15, 2008 3:08 pm

Post by alekleet »

So can anyone tell me how to make an eggdrop 100% secured?

Which scripts, servers, version and all... I want to have an eggdrop 100% secured from hackings.
alekleet
Voice
Posts: 14
Joined: Tue Jan 15, 2008 3:08 pm

Post by alekleet »

And... a guy to whom the same thing happened told me to patch my eggdrops. What do you think of that?
YooHoo
Owner
Posts: 939
Joined: Thu Feb 13, 2003 10:07 pm
Location: Redwood Coast

Post by YooHoo »

go read this ---> Bot Protection & Security
rosc2112
Revered One
Posts: 1454
Joined: Sun Feb 19, 2006 8:36 pm
Location: Northeast Pennsylvania

Post by rosc2112 »

alekleet wrote:
So can anyone tell me how to make an eggdrop 100% secured?
Which scripts, servers, version and all... I want to have an eggdrop 100% secured from hackings.

The only security you're assured is what you educate yourself to manage.

Otherwise, you might as well unplug your computer and put it in the closet.
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

alekleet wrote:
And... a guy to whom the same thing happened told me to patch my eggdrops. What do you think of that?

Did he tell you which/what patches to apply? The only publicly spread patch for 1.6.18-eggies is a fix for the bug I mentioned earlier. Exploiting that bug is quite difficult, as the hacker would have to use a nick!ident@host that exceeds some 320 characters or such and would have to contain the code to be injected. In essence, the hacker would have to make your bot join his fake server.
NML_375
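An added illustration of the bug class nml375 describes in his two posts on the 1.6.18 issue (not eggdrop's source and not the 1.6.18 patch): the sender prefix of a received line is copied into a fixed buffer only after its length has been checked. The buffer size SENDER_MAX and the function names extract_sender and try_prefix_len are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Assumed capacity for this sketch; not a value taken from eggdrop. */
#define SENDER_MAX 128

/*
 * Copy the sender prefix ("nick!ident@host") of a raw IRC line into out.
 * Returns 0 on success, -1 if the line has no usable prefix, and -2 if
 * the prefix is empty or does not fit, in which case the line is dropped.
 */
int extract_sender(const char *line, char *out, size_t outsz)
{
    const char *end;
    size_t len;

    if (line == NULL || out == NULL || outsz == 0 || line[0] != ':')
        return -1;
    out[0] = '\0';
    line++;                              /* skip the leading ':' */
    end = strchr(line, ' ');
    if (end == NULL)
        return -1;                       /* prefix without a command */
    len = (size_t)(end - line);
    if (len == 0 || len >= outsz)
        return -2;                       /* reject instead of overflowing */
    memcpy(out, line, len);
    out[len] = '\0';
    return 0;
}

/* Build a constructed PRIVMSG whose prefix is n bytes long and parse it. */
int try_prefix_len(size_t n)
{
    char line[1024], sender[SENDER_MAX];

    if (n + 32 > sizeof line)
        return -1;
    line[0] = ':';
    memset(line + 1, 'A', n);
    strcpy(line + 1 + n, " PRIVMSG bot :hello");
    return extract_sender(line, sender, sizeof sender);
}

int main(void)
{
    printf("20-byte prefix:  %d\n", try_prefix_len(20));
    printf("320-byte prefix: %d\n", try_prefix_len(320));
    return 0;
}
```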
alekleet
Voice
Posts: 14
Joined: Tue Jan 15, 2008 3:08 pm

Post by alekleet »

That guy took my channel again, and I was on the chat on the eggdrops and there was nothing. He gave about 15-20 ops and I didn't see anything on the chat. I don't know how this is possible, but I'll be happy if somebody tells me how to fix this.
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Unfortunately, with this very limited information, it's literally impossible to tell whether this is a simple matter of incorrect configuration, a bugged script, or any bug within the source (known or not).

When this last takeover occurred, did you check the .channel listing? I'm a bit puzzled that your bot apparently does nothing when he ops other people (as you have the netbots superbitch.tcl script loaded).
NML_375