Proxy Banning Script

De Kus
Revered One
Posts: 1361
Joined: Sun Dec 15, 2002 11:41 am
Location: Germany

Post by De Kus »

demond wrote: they are spawned by trojans/viruses from infected windows boxes

Ohh, don't remind me of this... there are people who believe so much in their current virus scanners that they even ignore major signs like being unable to open the task manager and registry editor, and advice from people who had the same symptoms and just used another scanner to kill it...
Until this trend stops you will not be able to stop these proxies really efficiently, but known servers are usually worth it, so if you can ban 10-20 of his servers, he might give up, because he runs out of alternatives (but if you really pissed someone off he might trade for more servers from more different ISPs or run a proxy probe scanner over a large IP range of his own ^^).
If I look in my Apache logs I see many proxy probes every day; if I had such a proxy, I would be found again every day...

If they have a common way to spam you might find a trick to identify them within 1-2 lines and ban them before more happens. At this point I really love the flood control of the advanced ChanServ, which efficiently kicks all spammers without the latency every eggdrop has ^^.
De Kus
StarZ|De_Kus, De_Kus or DeKus on IRC
Copyright © 2005-2009 by De Kus - published under The MIT License
Love hurts, love strengthens...
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

Basically, the user's matching sequence is a little wide-ranging, with:

Code:

[string match {*[0-9]} $u]

Since you want to ban non-resolving IPs, I suggest you use this kind of format. I am not that good at regexp, but here goes:

Code:

  regexp ".+@(.+)" $host matches newhost
  if {[regexp {^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$} $newhost]} {
    # $newhost is a bare IPv4 address (no reverse DNS)
  }

awyeah

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
demond
Revered One
Posts: 3073
Joined: Sat Jun 12, 2004 9:58 am
Location: San Francisco, CA

Post by demond »

awyeah wrote: Basically, the user's matching sequence is a little wide-ranging, with:

Code:

[string match {*[0-9]} $u]

Since you want to ban non-resolving IPs, I suggest you use this kind of format. I am not that good at regexp, but here goes:

Code:

  regexp ".+@(.+)" $host matches newhost
  if {[regexp {^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$} $newhost]} {
    # $newhost is a bare IPv4 address (no reverse DNS)
  }

You know resolving hosts that end with a digit? ;)
s0ulw4r
Voice
Posts: 17
Joined: Sat Dec 18, 2004 8:16 am
Location: greece

code by jamesoff

Post by s0ulw4r »

Code:

# open proxy checker for eggdrop
# (c) James Seward 2003/4
# version 1.0

# http://www.jamesoff.net/projects/eggdrop
# james@jamesoff.net

# Released under the GPL

## INSTRUCTIONS
###############################################################################

# This script will check the hosts of people joining channels against one or
# more RBLs. Choose your RBLs wisely, some of them list DIALUP SPACE and that would
# be a bad thing to be matching your IRC users against :P
#
# Enable the 'proxycheck' flag for channels you want the script active on
# --> .chanset #somechannel +proxycheck
#
# Users who are +o, +v, or +f in your bot (local or global) won't be checked.
#
# Turn on console level d on the partyline to see some debug from the script
# --> .console +d (to enable)
# --> .console -d (to disable)

## CONFIG
###############################################################################

# space-separated list of RBLs to look in
set proxycheck_rbls { "cbl.abuseat.org" "opm.blitzed.org" "dnsbl.ahbl.org" }

# time in minutes to ban for
set proxycheck_bantime 15

# stop editing here unless you're TCL-proof



## CODE
###############################################################################

#add our channel flag
setudef flag proxycheck

#bind our events
bind join - *!*@* proxycheck_join

#swing your pants

# catch joins
proc proxycheck_join { nick host handle channel } {
  #check we're active
  if {![channel get $channel proxycheck]} {
    return 0
  }

  #don't apply to friends, voices, ops
  if {[matchattr $handle fov|fov $channel]} {
    return 0
  }

  #get the actual host
  regexp ".+@(.+)" $host matches newhost
  # dots escaped and pattern anchored, so only a bare dotted quad counts as numeric
  if {[regexp {^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$} $newhost]} {
    #it's a numeric host, skip the lookup
    proxycheck_check2 $newhost $newhost 1 $nick $newhost $channel
  } else {
    putloglev d * "proxycheck: doing dns lookup on $newhost to get IP"
    dnslookup $newhost proxycheck_check2 $nick $newhost $channel
  }
}

# first callback (runs RBL checks)
proc proxycheck_check2 { ip host status nick orighost channel } {
  global proxycheck_rbls

  if {$status} {
    putloglev d * "proxycheck: $host resolves to $ip"

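    # reverse the IP (dots escaped and pattern anchored; bail out if it is not a dotted quad)
    if {![regexp {^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$} $ip matches a b c d]} {
      putloglev d * "proxycheck: $ip is not an IPv4 address, skipping"
      return
    }
    set newip "$d.$c.$b.$a"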

    # look it up in the rbls
    foreach rbl $proxycheck_rbls {
      putloglev d * "proxycheck: looking up $newip.$rbl"
      dnslookup "$newip.$rbl" proxycheck_check3 $nick $host $channel $rbl
    }
  } else {
    putlog "proxycheck: Couldn't resolve $host. (No further action taken.)"
  }
}

# second callback (catches RBL results)
proc proxycheck_check3 { ip host status nick orighost channel rbl } {
  global proxycheck_bantime

  if {$status} {
    putlog "proxycheck: got host $host = ip $ip from RBL $rbl ... banning"
    newchanban $channel "*@$orighost" "proxychk" "proxycheck: $rbl" $proxycheck_bantime
  }
  #if we didn't get a host, they're not in RBL
}

putlog "proxycheck 1.0 by JamesOff loaded"
s0ulw4r
Voice
Posts: 17
Joined: Sat Dec 18, 2004 8:16 am
Location: greece

EFNET code

Post by s0ulw4r »

Code:

# rblcheck.tcl v0.8.1 - by FireEgl@EFNet - June 2004

## Description:
# When a user joins a channel this script will dnslookup their hostname to get their IP (if needed),
# it will then query a list of RBLs that track IPs that are known open proxy hosts,
# and if a match is found, the bot will set a channel ban on the users hostname/ip.

# Use .chanset #Channel +rblcheck to enable it on a channel.

## Note:
# This script isn't finished yet, it hasn't been well tested, and there could still be bugs.

namespace eval ::rblcheck {
	# A note will be sent to these people when a match has been found and a ban set:
	variable notes $::owner

	## RBL settings:
	# priority = The order in which the RBLs are queried.  (Lower priority = Checked first)
	#            Note: You can have more than one RBL in the same priority and it'll be checked in parallel with the others in that same priority.
	# rbl = The base hostname used for queries.
	# desc = The description given to hosts in the RBL.
	# mainurl = The main URL to the RBL.
	# checkurl = The URL used to check an IP to see if it's in the RBL's database. (%s will automatically be replaced with the IP)
	# codes = A list of glob's that indicate a match.
	# Note: This list is sorted kinda backwards, for testing purposes. (I want to weed out the stupid RBLs)
	variable rbls {
		{priority 1 rbl OP.RBL.Kropka.Net desc {Open Proxy} mainurl {http://RBL.Kropka.Net/} checkurl {http://RBL.Kropka.Net/check.php?akcja=sprawdz&form_adres=%s} codes {127.*}}
		{priority 1 rbl Proxies.Mail-Abuse.Org desc {Open Proxy} mainurl {http://Mail-Abuse.Org/ops/} checkurl {http://www3.Mail-Abuse.Org/cgi-bin/nph-ops?query=%s} codes {127.*}}
		{priority 1 rbl RBL.Triumf.CA desc {Open Proxy} mainurl {http://Andrew.Triumf.CA/relaytest.html} checkurl {http://DNSStuff.com/tools/lookup.ch?name=%s&type=TXT} codes {127.0.0.4}}
		{priority 1 rbl RBL.Rangers.EU.Org desc {Worm/Virus Host} mainurl {http://RBL.Rangers.EU.Org/} checkurl {http://www.DNSStuff.Com/tools/ip4r.ch?ip=%s} codes {127.0.0.9}}
		{priority 1 rbl Probes.DNSBL.Net.AU desc {Probe (Server currently probing other networks)} mainurl {http://DNSBL.Net.AU/probes/} checkurl {http://DNSBL.Net.AU/lookup/?%s} codes {127.0.0.2}}
		{priority 1 rbl Zombie.DNSBL.SORBS.Net desc {Host hijacked from their original owners} mainurl {http://DNSBL.SORBS.Net/} checkurl {http://DNSBL.SORBS.Net/cgi-bin/lookup?IP=%s} codes {127.*}}
		{priority 1 rbl SPAM.DNSRBL.Net desc {Open Proxy (if 127.0.0.9)} mainurl {http://www.DNSRBL.Com/} checkurl {http://www.DNSRBL.Com/lookupserver.jsp?server=%s&Submit=Submit} codes {{127.0.0.[6-9]}}}
		{priority 1 rbl DNS.DNSRBL.Net desc {Open Proxy (if 127.0.0.9)} mainurl {http://www.DNSRBL.Com/} checkurl {http://www.DNSRBL.Com/lookupserver.jsp?server=%s&Submit=Submit} codes {{127.0.0.[6-9]}}}
		{priority 1 rbl Fraud.RHS.MailPolice.Com desc {Fraud "phishing" Host} mainurl {http://RHS.MailPolice.Com/} checkurl {http://RHS.MailPolice.Com/lookup/index.php?domain=%s} codes {127.0.0.2}}
		{priority 1 rbl Porn.RHS.MailPolice.Com desc {Porn Host} mainurl {http://RHS.MailPolice.Com/} checkurl {http://RHS.MailPolice.Com/lookup/index.php?domain=%s} codes {127.0.0.2}}
		{priority 2 rbl No-More-Funn.Moensted.DK desc {Open Proxy} mainurl {http://Moensted.DK/spam/no-more-funn/} checkurl {http://Moensted.DK/spam/no-more-funn/?addr=%s} codes {127.0.0.10}}
		{priority 3 rbl IRCBL.AHBL.Org desc {Abusive Host / Open Proxy (if 127.0.0.3)} mainurl {http://www.AHBL.Org/} checkurl {http://AHBL.Org/tools/lookup.php?ip=%s} codes {127.0.0.3 {127.0.0.1[4-9]} 127.0.0.10}}
		{priority 4 rbl CBL.AbuseAt.Org desc {Open Proxy} mainurl {http://CBL.AbuseAt.Org/} checkurl {http://CBL.AbuseAt.Org/lookup.cgi?ip=%s} codes {127.0.0.2}}
		{priority 5 rbl OPM.Blitzed.Org desc {Open Proxy} mainurl {http://OPM.Blitzed.Org/} checkurl {http://OPM.Blitzed.Org/%s} codes {127.1.0.*}}
		{priority 6 rbl XBL.Spamhaus.Org desc {Open Proxy or Worm/Virus/Trojan Host} mainurl {http://www.Spamhaus.Org/XBL/} checkurl {http://www.Spamhaus.Org/query/bl?ip=%s} codes {127.0.0.*}}
	}

		# These produce false-positives, as their RBL lists usually contain VERY old (as long as a year ago) data.
		# This basically means they list dynamic IPs which were once open proxies (but probably aren't currently).  (Stupid and useless for any purpose IMO)
		# But if you're REALLY paranoid about banning people with open proxies, then add them back to the list above.
		#{priority 5 rbl OSPS.DNSBL.Net.AU desc {Open Proxy} mainurl {http://DNSBL.Net.AU/osps/} checkurl {http://DNSBL.Net.AU/lookup/?%s} codes {127.0.0.2}}
		#{priority 5 rbl OHPS.DNSBL.Net.AU desc {Open Proxy} mainurl {http://DNSBL.Net.AU/osps/} checkurl {http://DNSBL.Net.AU/lookup/?%s} codes {127.0.0.2}}
		#{priority 5 rbl OWPS.DNSBL.Net.AU desc {Open Proxy} mainurl {http://DNSBL.Net.AU/osps/} checkurl {http://DNSBL.Net.AU/lookup/?%s} codes {127.0.0.2}}
		#{priority 6 rbl List.DSBL.Org desc {Open Proxy} mainurl {http://DSBL.Org/} checkurl {http://DSBL.Org/listing?%s} removeurl {http://dsbl.org/removal?ip=%s} codes {127.0.0.2}}
		#{priority 6 rbl Misc.DNSBL.SORBS.Net desc {Open Proxy} mainurl {http://DNSBL.SORBS.Net/} checkurl {http://DNSBL.US.SORBS.Net/cgi-bin/lookup?IP=%s} codes {127.0.0.4}}
		#{priority 6 rbl Socks.DNSBL.SORBS.Net desc {Open Proxy} mainurl {http://DNSBL.SORBS.Net/} checkurl {http://DNSBL.US.SORBS.Net/cgi-bin/lookup?IP=%s} codes {127.0.0.3}}
		#{priority 6 rbl HTTP.DNSBL.SORBS.Net desc {Open Proxy} mainurl {http://DNSBL.SORBS.Net/} checkurl {http://DNSBL.US.SORBS.Net/cgi-bin/lookup?IP=%s} codes {127.0.0.2}}
		#{priority 6 rbl DNSBL.NJABL.Org desc {Open Proxy} mainurl {http://NJABL.Org/} checkurl {http://NJABL.Org/cgi-bin/lookup.cgi?query=%s} codes {127.0.0.9}}
		#{priority 7 rbl DSBL.DNSBL.Net.AU desc {Host listed on the Distributed Server Boycott List} mainurl {http://DNSBL.Net.AU/probes/} checkurl {http://DNSBL.Net.AU/lookup/?%s} codes {127.*}}

	# BTW, you can find more RBLs from this URL: http://www.moensted.dk/spam/

	# This sorts the rbls list by priority:
	set rbls [lsort -integer -index 1 $rbls]
	variable IPs
	array unset IPs *
	array set IPs {}
}

proc ::rblcheck::Join {nick uhost handle channel} {
	if {![channel get $channel rblcheck] || $handle != {*} || ![string match {~*} $uhost] || [matchban "$nick!$uhost" $channel] || [matchexempt "$nick!$uhost" $channel] || [matchinvite "$nick!$uhost" $channel]} {
		return 0
	} elseif [regexp {^([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])$} [set newhost [lindex [split $uhost @] end]]] {
		# It's already an IP address.
		::rblcheck::CheckIP $newhost $newhost 1 $nick $uhost $newhost $channel
	} else {
		putloglev d $channel "RBLCheck: Doing DNS lookup on $newhost to get IP..."
		after idle [list dnslookup $newhost ::rblcheck::CheckIP $nick $uhost $newhost $channel]
	}
}

# Runs RBL check(s) on the IP:
proc ::rblcheck::CheckIP {ip host status nick uhost orighost channel} {
	if {$status} {
		set channel [string tolower $channel]
		variable IPs
		if {![info exists IPs($ip)]} {
			foreach {a b c d} [split $ip .] {break}
			set IPs($ip) [list reverseip "$d.$c.$b.$a" priority 0 nick $nick ip $ip host $host uhost $uhost orighost $orighost channels [list $channel]]
			after idle [list ::rblcheck::CheckRBLs $ip]
		} else {
			# There's background lookups already for this IP, so we just update some of the info:
			array set ipinfo $IPs($ip)
			if {[lsearch -exact $ipinfo(channels) $channel] == -1} { lappend ipinfo(channels) $channel }
			array set ipinfo [list nick $nick uhost $uhost]
			set IPs($ip) [array get ipinfo]
		}
	} else {
		putloglev o $channel "RBLCheck: Couldn't resolve $host.  (No further action taken.)"
	}
}

proc ::rblcheck::CheckRBLs {ip} { variable IPs
	array set ipinfo $IPs($ip)
	# Check to see if there's any background dnslookups still running, return if there are..
	if {![llength [array names ipinfo rbl,*]]} {
		putloglev d * "RBLCheck: No matches for $ip in priority $ipinfo(priority)."
		variable rbls
		set highestpriority [lindex [lindex $rbls end] 1]
		# Do dnslookups on the next priority level:
		set trying 0
		while {!$trying && [incr ipinfo(priority)] <= $highestpriority} {
			putloglev d * "RBLCheck: Trying priority $ipinfo(priority).."
			foreach r $rbls {
				array set rblinfo $r
				if {$rblinfo(priority) == $ipinfo(priority)} {
					putloglev d * "RBLCheck: ($ipinfo(priority)) Looking up $ipinfo(reverseip).$rblinfo(rbl)"
					set ipinfo(rbl,$rblinfo(rbl)) [concat [array get rblinfo] [list status -1]]
					set IPs($ip) [array get ipinfo]
					after idle [list dnslookup "$ipinfo(reverseip).$rblinfo(rbl)" ::rblcheck::CheckResult $ip $rblinfo(rbl)]
					set trying 1
				}
			}
		}
		# If there's no more RBLs left to query, do cleanup and exit:
		if {!$trying} { unset IPs($ip) }
	}
}

# Callback for RBL check(s):
proc ::rblcheck::CheckResult {ip host status origip rbl} { variable IPs
	if {[info exists IPs($origip)]} {
		array set ipinfo $IPs($origip)
		array set rblinfo $ipinfo(rbl,$rbl)
		if {$status == 1} {
			# status is 1, so maybe one of the code(s) matches the resolved IP:
			foreach code $rblinfo(codes) {
				if {[string match $code $ip]} {
					# A match was found!
					foreach channel $ipinfo(channels) {
						putloglev d $channel "RBLCheck ($rblinfo(rbl)): $host => $ip - See: [format $rblinfo(checkurl) $ipinfo(ip)]"
						if {![matchban "$ipinfo(nick)!$ipinfo(uhost)" $channel] && ![isvoice $ipinfo(nick)] && ![isop $ipinfo(nick)] && ![ishalfop $ipinfo(nick)]} {
							if {[botisop $channel] || [botishalfop $channel]} {
								putkick $channel $ipinfo(nick) "Your IP, according to $rblinfo(rbl), is listed as an $rblinfo(desc). See: [format $rblinfo(checkurl) $ipinfo(ip)]"
								puthelp "NOTICE $ipinfo(nick) :Your IP address was listed by $rblinfo(rbl) as being an $rblinfo(desc).  See for yourself at [format $rblinfo(checkurl) $ipinfo(ip)] and see $rblinfo(mainurl) for more information.   Please note, that if you fix your ident you won't be banned again by this bot.  (People with idents are exempt from the RBL check)"
							} else {
								puthelp "NOTICE $channel :$ipinfo(nick)!$ipinfo(uhost)'s IP ($ipinfo(ip)), according to $rblinfo(rbl), is (or was) a known $rblinfo(desc).  See: [format $rblinfo(checkurl) $ipinfo(ip)] and see $rblinfo(mainurl) for more information."
							}
							if {[set bantime [expr { [channel get $channel ban-time] - 1 }]] <= 0 && [set bantime [expr { ${::global-ban-time} - 1 }]] <= 0} { set bantime 99 }
							# Note, the ban needs to be set, even if the bot isn't currently opped.
							newchanban $channel "*!~*@$ipinfo(orighost)" RBLCheck "$rblinfo(rbl) => $ip - See: [format $rblinfo(checkurl) $ipinfo(ip)]" $bantime
						}
					}
					variable notes
					if {$notes != {}} { foreach n [split $notes {, }] { if {[validuser $n]} { catch { sendnote RBLCheck $n "RBLCheck: Banned $ipinfo(nick)!$ipinfo(uhost) from [join $ipinfo(channels) {, }] - $rblinfo(rbl) says IP is an $rblinfo(desc) - $host => $ip - See [format $rblinfo(checkurl) $ipinfo(ip)] and $rblinfo(mainurl)" } } } }
					# A match was found, so there's no need to continue checking any more, so do cleanup and exit:
					unset IPs($origip)
					return 0
				}
			}
		}
		# If we didn't return above, it means there wasn't a match in that RBL.
		variable rbls
		if {$ipinfo(priority) >= [lindex [lindex $rbls end] 1]} {
			# If we've tried all the RBLs, do cleanup and exit:
			unset IPs($origip)
		} else {
			# Clear the info for this RBL:
			array unset ipinfo rbl,$rbl
			set IPs($origip) [array get ipinfo]
			# Try the next priority:
			after idle [list ::rblcheck::CheckRBLs $origip]
		}
	}
}

setudef flag rblcheck
bind join - {* *!*@*} ::rblcheck::Join
putlog "rblcheck.tcl v0.8.1 by FireEgl"
s0ulw4r
Voice
Posts: 17
Joined: Sat Dec 18, 2004 8:16 am
Location: greece

problem

Post by s0ulw4r »

The problem with all "antiproxy tcl's" is that often enough they BAN users who have misconfigured wingates.
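
The two scripts posted above decide differently what counts as a listing: proxycheck.tcl bans whenever the RBL query name resolves, while rblcheck.tcl bans only when the returned address matches one of the entry's `codes` patterns. The following is an added example, not code from either script or from any poster in this thread; it is plain Tcl 8.5+ with no eggdrop commands, the `dnsbl::*` procs are hypothetical helpers, and every host, zone and answer in it is constructed.

```tcl
# Added example, plain Tcl 8.5+; the dnsbl::* procs are hypothetical helpers.
namespace eval dnsbl {}

# Return the four octets of a strict dotted-quad IPv4 address, or {} otherwise.
proc dnsbl::octets {s} {
    if {![regexp {^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$} $s -> a b c d]} {
        return {}
    }
    set out {}
    foreach o [list $a $b $c $d] {
        set n [scan $o %d]          ;# %d reads "010" as decimal 10, not octal
        if {$n > 255} { return {} }
        lappend out $n
    }
    return $out
}

# Build the DNSBL query name: octets reversed, then the zone.
proc dnsbl::queryName {ip zone} {
    set o [::dnsbl::octets $ip]
    if {$o eq {}} { error "not an IPv4 address: $ip" }
    return "[join [lreverse $o] .].$zone"
}

# Return 1 if $answer (the A record for the query name, {} on NXDOMAIN) is a listing.
# $codes is a list of glob patterns, as in rblcheck.tcl's "codes" field.
proc dnsbl::listed {answer codes} {
    set o [::dnsbl::octets $answer]
    # DNSBL return codes are in 127.0.0.0/8; any other address is not a listing.
    if {$o eq {} || [lindex $o 0] != 127} { return 0 }
    set answer [join $o .]
    foreach code $codes {
        if {[string match $code $answer]} { return 1 }
    }
    return 0
}

# Constructed inputs below; no DNS lookups are performed.
puts [dnsbl::queryName 192.0.2.10 rbl.example]
# The unescaped-dot pattern accepts a non-IP host; the strict parser does not.
set loose {[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$}
puts "loose=[regexp $loose cloak-1234567] strict=[llength [dnsbl::octets cloak-1234567]]"

set codes {127.0.0.3 {127.0.0.1[4-9]} 127.0.0.10}  ;# patterns of the IRCBL.AHBL.Org entry above
foreach {label answer} {
    "code on the list"          127.0.0.3
    "code not on the list"      127.0.0.2
    "NXDOMAIN"                  {}
    "non-127 answer"            203.0.113.80
} {
    set anyAnswer [expr {$answer ne {}}]          ;# proxycheck.tcl: ban if the name resolves
    set codeMatch [dnsbl::listed $answer $codes]  ;# rblcheck.tcl: ban only on a code match
    puts [format "%-22s any-answer=%d code-match=%d" $label $anyAnswer $codeMatch]
}
```

Run it with tclsh; the final loop prints both decisions side by side for each sample answer, so the rows where they disagree are the ones that would produce a ban under the resolve-only rule but not under code matching.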