eggdrop hacking

alekleet · Post by **alekleet** » Tue Jan 15, 2008 3:14 pm

ago two days my eggnet gived op to unknowns users/nicks and they take my channel , i check all my shells and bots userfile and there are no added any user who can give op or take a channel . same guy who take my channel take and lot of channels (like 15-20). i wanna know how i can protect my botnet from that kinds of hackings please can anyone help me. thanks in advance

Post by **nml375** » Tue Jan 15, 2008 3:20 pm

We would need some information on which version of eggdrop you are running, where you retrieved the source or binary, wether it was source or a precompiled package (binary), which scripts you are using, what type of irc-servers you have been using (which irc network if you do not know which server-platform they use).

Also, if you can find anything "odd" or strange in your logs, that information might be helpful aswell.

YooHoo · Post by **YooHoo** » Tue Jan 15, 2008 6:06 pm

also check your userlist for easy to fake and/or new hostmasks (.match * 999).. might be a good idea to check your logfiles to find out what commands were issued and by whom

alekleet · Post by **alekleet** » Tue Jan 15, 2008 7:10 pm

version: eggdrop-1.6.18

scripts:

source scripts/alltools.tcl
source scripts/action.fix.tcl
source scripts/netbots/netbots.tcl
source scripts/netbots/superbitch.tcl
source scripts/bitchxpack1.50.tcl
source scripts/getops.tcl

network: undernet
servers:
lelystad.nl.eu.undernet.org:6667
london.uk.eu.undernet.org:6667
oslo2.no.eu.undernet.org:6667
zagreb.hr.eu.undernet.org:6667
carouge.ch.eu.undernet.org:6669
ede.nl.eu.undernet.org:6667
us.undernet.org:6667
elsene.be.eu.undernet.org:6667
amsterdam.nl.eu.undernet.org:6667
amsterdam2.nl.eu.undernet.org:6668
oslo1.no.eu.undernet.org:6666
diemen.nl.eu.undernet.org:6667

i download from eggheads and it was source.

i cant/dont know how to find logs of chat.... and i check userfile ... there is nothing new ...

that guy take the channels with a trick or he hacked them .... that guy take a channels from three other botnets ...

Alchera · Post by **Alchera** » Tue Jan 15, 2008 7:18 pm

Logs are stored in the ........... wait for it ........ "logs" directory.

Using Nick!*@* for a user's host is risky and if you have used this format then you'd better change that habit.

alekleet · Post by **alekleet** » Tue Jan 15, 2008 7:33 pm

egg@edge:~/eggdrop/logs$ ls
CONTENTS
egg@edge:~/eggdrop/logs$

there are no logs

and i never use host like nick*!*@* stricly *!*@username.users.undernet.org or *!*ident@host.com ....

Alchera · Post by **Alchera** » Tue Jan 15, 2008 9:07 pm

alekleet wrote:egg@edge:~/eggdrop/logs$ ls
CONTENTS
egg@edge:~/eggdrop/logs$

there are no logs and i never use host like nick*!*@* stricly *!*@username.users.undernet.org or *!*ident@host.com ....

You need to recheck your 1.6.18 configuration against the tutorial: Setting up an Eggdrop

Anyone that gets hold of a user's channel/ops pass can simply use services without any need for eggdrop access or eggdrop opping them.

It's impossible for eggdrop to even stop a channel takeover!

Post by **nml375** » Tue Jan 15, 2008 9:07 pm

There is one confirmed remote exploit in 1.6.18 relating to lack of bounds-checking the sender when PRIVMSG (and other) commands are recieved. Sofar, this have required the use of bogus irc-servers, as as rfc-compliant servers do not exceed this bound. Using this exploit would require the aggressor to make your bot connect to a bogus server.

The lack of logfiles is bad news; could you check your config-file wether you have any "logfile" commands in there?

As for your scripts, I can't think of any known backdoors/issues with those.

alekleet · Post by **alekleet** » Wed Jan 16, 2008 6:50 am

so can anyone tell me how to make an eggdrop 100% secured ?

which scripts , servers , version n all .... i wanna have 100% secured eggdrop from hackings

alekleet · Post by **alekleet** » Wed Jan 16, 2008 7:20 am

and ... a guy whats happen the same thing to him tell me to patch my eggdrops what u think for that ?

YooHoo · Post by **YooHoo** » Wed Jan 16, 2008 9:39 am

go read this ---> Bot Protection & Security

rosc2112 · Post by **rosc2112** » Wed Jan 16, 2008 10:28 am

alekleet wrote:so can anyone tell me how to make an eggdrop 100% secured ?
which scripts , servers , version n all .... i wanna have 100% secured eggdrop from hackings

The only security you're assured, is what you educate yourself to manage.

Otherwise, you might as well unplug your computer and put it in the closet.

Post by **nml375** » Wed Jan 16, 2008 12:32 pm

alekleet wrote:and ... a guy whats happen the same thing to him tell me to patch my eggdrops what u think for that ?

Did he tell you which/what patches to apply? The only publically spread patch for 1.6.18-eggies is a fix for the bug I mentioned earlier. Exploiting that bug is quite difficult, as the hacker would have to use a nick!ident@host that exceeds some 320 characters or such and would have to contain the code to be injected. In essence, hacker would have to make your bot join his fake server.

alekleet · Post by **alekleet** » Wed Jan 16, 2008 8:02 pm

that guy again take my channel and i was on the chat on the eggdrops and there is nothing. he gived about 15-20 ops and i didnt see nothing on chat. i dont know hows this possible but i`ll be happy if somebody tell me how to fix this.

Post by **nml375** » Wed Jan 16, 2008 8:22 pm

Unfortunately, with this very limited information, it's literally impossible to tell wether this is a simple matter of incorrect configuration, a bugged script, or any bug within the source (known or not).

When this last takeover occured, did you check the .channel listing? I'm abit puzzled that your bot apparently does nothing when he ops other people (as you have the netbots superbitch.tcl script loaded)