This is the new home of the egghelp.org community forum.
All data has been migrated (including user logins/passwords) to a new phpBB version.


For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.

eggdrop hacking

General support and discussion of Eggdrop bots.
a
alekleet
Voice
Posts: 14
Joined: Tue Jan 15, 2008 3:08 pm

Post by alekleet »

<`alias> some ppl say that's it's an eggdrop bug
<`alias> others like wget say's psybnc bug
<`alias> others mirc bug
<ALEKx> awww :DD
<ALEKx> so how we can protect from all those bugs ? :D
<`alias> i don't know :))
<ALEKx> if he dont know the ip of the eggdrops and if they are silence he can use the bug ?
<`alias> not a clue ... i don't think so


how i can protect my eggdrops from bugs i dont use psybnc.
Z
Zircon
Op
Posts: 191
Joined: Mon Aug 21, 2006 4:22 am
Location: Montreal

Post by Zircon »

Hi there

I see that you use Undernet. In this network, there is a something called ChanFix. It s an automated service to reop opless unregistered channels, and also reverse the situation in case of a takeover. I think that you always lose the OP, coz the other person was OP there long time before you...So even if you succeed becoming OP, the ChanFix will operate, deop you and op The other person. Check this : http://help.undernet.org/faq.php?what=chanfix and specially this : http://help.undernet.org/faq.php?what=chanfix#04
n
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Simply pointing the finger at this or that application, without displaying what the suspicion is based upon or what "proof" there is, is a very bad thing.

How can you protect your eggdrop from known bugs in the source?
Applying proper patches and/or upgrade whenever a new stable version becomes available.

How can you protect your eggdrop from unknown bugs in the source?
You can't since they're not known. If you encounter one of these, you can help sorting it out with proper bugreports and investigative work.

How can you protect your eggdrop from known bugs in scripts?
Simply, don't use the script, find something that works instead.

How can you protect your eggdrop from unknown bugs in scripts?
Unload any and all scripts if you encounter bugs, see if it persists. If not, load scripts one by one until the bug reappears and you figure out which script is to blame. Then send a bugreport to the author.
NML_375
Z
Zircon
Op
Posts: 191
Joined: Mon Aug 21, 2006 4:22 am
Location: Montreal

Post by Zircon »

It s a possible reason...is it the real reason ? i dont know, i m not god. Like you said, we have no log to prove something or the other. And it s not a bad thing to point possible reasons. In my post, i said "i think". And not "i m sure"
n
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Zircon: wasn't referring to your post :)
Right now, with the limited information provided, we're only guessing at what's causing this. alekleet is claiming his eggdrop was the one to op the hacker, which would rule out ChanFix (assuming there is no ircop involved).
NML_375
Z
Zircon
Op
Posts: 191
Joined: Mon Aug 21, 2006 4:22 am
Location: Montreal

Post by Zircon »

nml375 : oh sorry then.
Coz i just saw this post from alekleet :
that guy again take my channel and i was on the chat on the eggdrops and there is nothing. he gived about 15-20 ops and i didnt see nothing on chat. i dont know hows this possible but i`ll be happy if somebody tell me how to fix this.
That s why i thought about this possible reason.
User avatar
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia
Contact:

Post by Alchera »

If that network had DALnet's ChanServ "why" function one would know in a second how this channel "hacking" is being achieved.

To my mind this has nothing to do with eggdrop and all to do with a "stolen" pass.
Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM
User avatar
rosc2112
Revered One
Posts: 1454
Joined: Sun Feb 19, 2006 8:36 pm
Location: Northeast Pennsylvania

Post by rosc2112 »

There's a whole lot of eggdrops on Undernet, but only 1 person appears to be getting hacked - user error most likely. A user who should not be running an eggdrop, if they cannot figure out how to secure it.
a
alekleet
Voice
Posts: 14
Joined: Tue Jan 15, 2008 3:08 pm

Post by alekleet »

first. not 1 guy , there are lot of guys but jus i`m registered here.


i`m the biggest score on my channel and noone can reop it with chanfix and if somebody do that we will see and i`ll dont come to eggdrop forum for help.

<WGeTz> keep the channel close (+k)
<WGeTz> Coz they have a eggdrop bug:)
<WGeTz> And they make take over:P
<aLLEK> he can take it with +d +x n +silence ?
<WGeTz> hehe
<WGeTz> yes:)
<WGeTz> He can.
<aLLEK> lewl :D
<WGeTz> Your choose if u keep the channel open.I close my channels:)
<aLLEK> how ? if he dont know hostname and he cant chat ... ?
<WGeTz> With a mirc bruteforget passwd, i don't know exactly.
<WGeTz> Try it, if u know this is the best :)
<WGeTz> Anyway, the best deal is too keep the chanenl close...
<WGeTz> Or change the eggdrop setups
<aLLEK> i installed new eggdrops :D
<aLLEK> i make them all +x +d +silence
<aLLEK> i set telnet protect
<WGeTz> I see...
<WGeTz> Use a oldest version
<WGeTz> Don't use this new egg vers.
<aLLEK> ok
<aLLEK> thanks
<WGeTz> The bug is on the new vers.
<WGeTz> use old
<WGeTz> Listen to me:)
<WGeTz> I know the guys
<WGeTz> ...
<aLLEK> ok thanks
n
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

A comment or two:
* Bruteforcing passwords are not related to bugs. It's just a matter of trying password after password until a match is found.

I'm not familiar with undernet, but as I've understood it, "/silence +*!*@*" would block any private messages to your bot - yet this does not protect your bot from this bug? You also said there was nothing seen in the channel prior to the takeover occured?
If both are true, this means he had no means of contacting the bot through the irc network, and thus must've telnet:d to your bot, either portscanning the host or already knowing which ports your bot listens to.

One thing that does come to mind now is some old bug in the botnet-code where an untrusted source could succeed with linking into the botnet under certain conditions.

I believe the bug was something like reported on this link: http://marc.info/?l=bugtraq&m=107634593827102&w=2
I believe this bug was sorted out many versions ago.
NML_375
User avatar
rosc2112
Revered One
Posts: 1454
Joined: Sun Feb 19, 2006 8:36 pm
Location: Northeast Pennsylvania

Post by rosc2112 »

If this is not utter bullcrap, I suggest someone who knows how to use a packet sniffer set up a tarpit bot, with the cooperation of alekleet to use his channel, set up a bot that can be traced with wireshark so you can log the traffic. Let the bot get hacked, but collect data in the process.

And no, I'm not volunteering, because I'm not convinced this is anything other than user error.

So, Al, produce some proof with wireshark logs.
User avatar
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia
Contact:

Post by Alchera »

rosc2112 wrote:because I'm not convinced this is anything other than user error.

So, Al, produce some proof with wireshark logs.
I concur.
Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM
Z
Zircon
Op
Posts: 191
Joined: Mon Aug 21, 2006 4:22 am
Location: Montreal

Post by Zircon »

Hello alekleet

I highly doubt it s an aggdrop bug/hack. We absolutely need the log of your channel, so we can have facts and not only figure what may did happen....So you have to turn on the log. In your .config file :
# This creates a logfile named lamest.log containing joins, parts,
# netsplits, kicks, bans, mode changes, and public chat on the
# channel #lamest.
logfile mjpk #lamest "logs/lamest.log"
Just replace lamest by the name of your channel.
User avatar
rosc2112
Revered One
Posts: 1454
Joined: Sun Feb 19, 2006 8:36 pm
Location: Northeast Pennsylvania

Post by rosc2112 »

If its an internal bug in eggdrop, or even a script hack, you won't likely find anything useful in eggdrop's logs. A Packet sniffer will show everything going on.
a
alekleet
Voice
Posts: 14
Joined: Tue Jan 15, 2008 3:08 pm

Post by alekleet »

where i can find packet sniffer ? can anyone from here help me ?
Post Reply