eggdrop hacking

alekleet · Post by **alekleet** » Thu Jan 17, 2008 4:04 pm

<`alias> some ppl say that's it's an eggdrop bug
<`alias> others like wget say's psybnc bug
<`alias> others mirc bug
<ALEKx> awww :DD
<ALEKx> so how we can protect from all those bugs ?

<`alias> i don't know

)
<ALEKx> if he dont know the ip of the eggdrops and if they are silence he can use the bug ?
<`alias> not a clue ... i don't think so

how i can protect my eggdrops from bugs i dont use psybnc.

Zircon · Post by **Zircon** » Thu Jan 17, 2008 4:23 pm

Hi there

I see that you use Undernet. In this network, there is a something called ChanFix. It s an automated service to reop opless unregistered channels, and also reverse the situation in case of a takeover. I think that you always lose the OP, coz the other person was OP there long time before you...So even if you succeed becoming OP, the ChanFix will operate, deop you and op The other person. Check this : http://help.undernet.org/faq.php?what=chanfix and specially this : http://help.undernet.org/faq.php?what=chanfix#04

Post by **nml375** » Thu Jan 17, 2008 5:03 pm

Simply pointing the finger at this or that application, without displaying what the suspicion is based upon or what "proof" there is, is a very bad thing.

How can you protect your eggdrop from known bugs in the source?
Applying proper patches and/or upgrade whenever a new stable version becomes available.

How can you protect your eggdrop from unknown bugs in the source?
You can't since they're not known. If you encounter one of these, you can help sorting it out with proper bugreports and investigative work.

How can you protect your eggdrop from known bugs in scripts?
Simply, don't use the script, find something that works instead.

How can you protect your eggdrop from unknown bugs in scripts?
Unload any and all scripts if you encounter bugs, see if it persists. If not, load scripts one by one until the bug reappears and you figure out which script is to blame. Then send a bugreport to the author.

Zircon · Post by **Zircon** » Thu Jan 17, 2008 5:13 pm

It s a possible reason...is it the real reason ? i dont know, i m not god. Like you said, we have no log to prove something or the other. And it s not a bad thing to point possible reasons. In my post, i said "i think". And not "i m sure"

Post by **nml375** » Thu Jan 17, 2008 5:31 pm

Zircon: wasn't referring to your post

Right now, with the limited information provided, we're only guessing at what's causing this. alekleet is claiming his eggdrop was the one to op the hacker, which would rule out ChanFix (assuming there is no ircop involved).

Zircon · Post by **Zircon** » Thu Jan 17, 2008 5:41 pm

nml375 : oh sorry then.
Coz i just saw this post from alekleet :

that guy again take my channel and i was on the chat on the eggdrops and there is nothing. he gived about 15-20 ops and i didnt see nothing on chat. i dont know hows this possible but i`ll be happy if somebody tell me how to fix this.

That s why i thought about this possible reason.

Alchera · Post by **Alchera** » Thu Jan 17, 2008 6:14 pm

If that network had DALnet's ChanServ "why" function one would know in a second how this channel "hacking" is being achieved.

To my mind this has nothing to do with eggdrop and all to do with a "stolen" pass.

rosc2112 · Post by **rosc2112** » Fri Jan 18, 2008 7:19 am

There's a whole lot of eggdrops on Undernet, but only 1 person appears to be getting hacked - user error most likely. A user who should not be running an eggdrop, if they cannot figure out how to secure it.

alekleet · Post by **alekleet** » Fri Jan 18, 2008 8:48 pm

first. not 1 guy , there are lot of guys but jus i`m registered here.

i`m the biggest score on my channel and noone can reop it with chanfix and if somebody do that we will see and i`ll dont come to eggdrop forum for help.

<WGeTz> keep the channel close (+k)
<WGeTz> Coz they have a eggdrop bug:)
<WGeTz> And they make take over:P
<aLLEK> he can take it with +d +x n +silence ?
<WGeTz> hehe
<WGeTz> yes:)
<WGeTz> He can.
<aLLEK> lewl

<WGeTz> Your choose if u keep the channel open.I close my channels:)
<aLLEK> how ? if he dont know hostname and he cant chat ... ?
<WGeTz> With a mirc bruteforget passwd, i don't know exactly.
<WGeTz> Try it, if u know this is the best

<WGeTz> Anyway, the best deal is too keep the chanenl close...
<WGeTz> Or change the eggdrop setups
<aLLEK> i installed new eggdrops

<aLLEK> i make them all +x +d +silence
<aLLEK> i set telnet protect
<WGeTz> I see...
<WGeTz> Use a oldest version
<WGeTz> Don't use this new egg vers.
<aLLEK> ok
<aLLEK> thanks
<WGeTz> The bug is on the new vers.
<WGeTz> use old
<WGeTz> Listen to me:)
<WGeTz> I know the guys
<WGeTz> ...
<aLLEK> ok thanks

Post by **nml375** » Fri Jan 18, 2008 9:05 pm

A comment or two:
* Bruteforcing passwords are not related to bugs. It's just a matter of trying password after password until a match is found.

I'm not familiar with undernet, but as I've understood it, "/silence +*!*@*" would block any private messages to your bot - yet this does not protect your bot from this bug? You also said there was nothing seen in the channel prior to the takeover occured?
If both are true, this means he had no means of contacting the bot through the irc network, and thus must've telnet:d to your bot, either portscanning the host or already knowing which ports your bot listens to.

One thing that does come to mind now is some old bug in the botnet-code where an untrusted source could succeed with linking into the botnet under certain conditions.

I believe the bug was something like reported on this link: http://marc.info/?l=bugtraq&m=107634593827102&w=2
I believe this bug was sorted out many versions ago.

rosc2112 · Post by **rosc2112** » Sat Jan 19, 2008 12:43 am

If this is not utter bullcrap, I suggest someone who knows how to use a packet sniffer set up a tarpit bot, with the cooperation of alekleet to use his channel, set up a bot that can be traced with wireshark so you can log the traffic. Let the bot get hacked, but collect data in the process.

And no, I'm not volunteering, because I'm not convinced this is anything other than user error.

So, Al, produce some proof with wireshark logs.

Alchera · Post by **Alchera** » Sat Jan 19, 2008 7:40 pm

rosc2112 wrote:because I'm not convinced this is anything other than user error.

So, Al, produce some proof with wireshark logs.

I concur.

Zircon · Post by **Zircon** » Sat Jan 19, 2008 8:52 pm

Hello alekleet

I highly doubt it s an aggdrop bug/hack. We absolutely need the log of your channel, so we can have facts and not only figure what may did happen....So you have to turn on the log. In your .config file :

# This creates a logfile named lamest.log containing joins, parts,
# netsplits, kicks, bans, mode changes, and public chat on the
# channel #lamest.
logfile mjpk #lamest "logs/lamest.log"

Just replace lamest by the name of your channel.

rosc2112 · Post by **rosc2112** » Sat Jan 19, 2008 11:18 pm

If its an internal bug in eggdrop, or even a script hack, you won't likely find anything useful in eggdrop's logs. A Packet sniffer will show everything going on.

alekleet · Post by **alekleet** » Mon Jan 21, 2008 7:47 pm

where i can find packet sniffer ? can anyone from here help me ?