Suitable binding to check for DCC send/resume

awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland
Post by awyeah »

I was wondering which binding is used to check if someone is sending the bot a file via DCC. I'm looking for file extensions, which I will later match with regexp, to detect a DCC exploit. Currently I only have this.

Code:

LOST (stackable)

bind lost <flags> <mask> <proc>
proc-name <handle> <nick> <path> <bytes-transferred> <length-of-file>

Description: triggered when a DCC SEND transfer gets lost, such as when the connection is terminated before all data was successfully sent/received. This is typically caused by a user abort.

Module: transfer

TOUT (stackable)

bind tout <flags> <mask> <proc>
proc-name <handle> <nick> <path> <bytes-transferred> <length-of-file>

Description: triggered when a DCC SEND transfer times out. This may either happen because the dcc connection was not accepted or because the data transfer stalled for some reason.

Module: transfer

Would bind RAW work? If so, with what keyword? Any example? Also, I noticed bind DCC is limited to the partyline.

How about bind CTCP with keyword DCC?
All help would be appreciated in this matter, thanks!
·­awyeah·

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
Sir_Fz
Revered One
Posts: 3793
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon

Post by Sir_Fz »

When someone sends the bot a file, the bot receives a notice containing:
DCC Send <file-name> (<IP>)
So you can bind to notc and use "DCC Send * (%)" as its mask to catch a dcc send.
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

A notice is not mandatory, and will not work reliably with some clients.
As for raw vs. ctcp bindings, ctcp would probably be easier, as you won't have to extract all the bits and pieces to figure out that it's a ctcp message, or that the keyword is "DCC". Both bindings do allow you to prevent further processing using return codes.

As for the format of the actual transfer negotiation, it's a ctcp with keyword "DCC" and parameters "SEND <filename> <ipaddress> <port> <filesize>". IP and port are expected to be unsigned integers (aka "longip").

http://www.kvirc.de/docu/doc_dcc_connection.html provides some further info on the dcc subprotocol
NML_375
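The CTCP form nml375 describes, decoded in Python as an added example. This is not code from the thread and not an eggdrop Tcl script; the sample PRIVMSG and NOTICE lines, the nick "someone", the host and the longip 3232248321 are constructed for illustration. It turns the longip back into a dotted quad, validates the unsigned integers, and shows why the mIRC-style notice alone cannot start a transfer: it carries no port.

```python
"""Added example (Python, not eggdrop Tcl): decode a DCC SEND request as the
post above describes it -- a CTCP with keyword "DCC" and parameters
"SEND <filename> <ipaddress> <port> <filesize>", where the IP is an unsigned
32-bit integer ("longip"). Sample lines below are constructed, not captured."""

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

CTCP_DELIM = "\x01"

# Constructed sample traffic as a bot would see it on the server socket.
# 3232248321 is the longip form of 192.168.50.1.
SAMPLE_CTCP = (
    ":someone!user@203.0.113.9 PRIVMSG mybot "
    ":\x01DCC SEND aliases.ini.scr 3232248321 4602 374\x01"
)
# The mIRC-style courtesy notice: dotted IP, no port, nothing to connect to.
SAMPLE_NOTICE = (
    ":someone!user@203.0.113.9 NOTICE mybot :DCC Send aliases.ini.scr (192.168.50.1)"
)


@dataclass
class DccSend:
    sender: str
    filename: str
    ip: str
    port: int
    size: int


def split_irc_line(line: str):
    """Return (prefix, command, params, trailing) for one raw IRC line."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    return prefix, parts[0], parts[1:], trailing


def parse_dcc_send(line: str) -> Optional[DccSend]:
    """Parse a DCC SEND CTCP. Returns None for anything else, including the
    plain NOTICE some clients send alongside the real request."""
    prefix, command, params, trailing = split_irc_line(line)
    if command != "PRIVMSG" or not trailing:
        return None
    if not (trailing.startswith(CTCP_DELIM) and trailing.endswith(CTCP_DELIM)):
        return None
    body = trailing.strip(CTCP_DELIM)
    # Filenames with spaces arrive quoted; accept both quoted and bare forms.
    m = re.fullmatch(r'DCC SEND (?:"([^"]+)"|(\S+)) (\d+) (\d+) (\d+)', body, re.IGNORECASE)
    if not m:
        return None
    filename = m.group(1) or m.group(2)
    longip, port, size = int(m.group(3)), int(m.group(4)), int(m.group(5))
    # Do not trust the integers blindly: longip must fit 32 bits, port must be valid.
    if longip > 0xFFFFFFFF or not (0 < port <= 65535):
        return None
    sender = prefix.split("!", 1)[0] if prefix else ""
    return DccSend(sender, filename, str(ipaddress.IPv4Address(longip)), port, size)


if __name__ == "__main__":
    print(parse_dcc_send(SAMPLE_CTCP))    # decoded request
    print(parse_dcc_send(SAMPLE_NOTICE))  # None: a notice is not a DCC request
```

Because the parser only accepts the \001-delimited PRIVMSG, a client that sends only the notice (or a script that fakes one) is never treated as a pending transfer, which is the distinction nml375 draws.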
Sir_Fz
Revered One
Posts: 3793
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon

Post by Sir_Fz »

Yes indeed, I forgot to mention. So you can do something like:

Code:

bind ctcp - DCC dcc:send

proc dcc:send {nick uhost hand dest kw arg} {
  if {[isbotnick $dest] && [string match "SEND *" $arg]} {
    # DCC SEND detected
  }
}
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

DALnet is a bit different, dealing with DCC sends on the Bahamut IRCd. I tried bind ctcp with DCC as the keyword, but got no response when I sent a file to the bot via DCC.

The only response came via notice. So there are two options: either use bind raw with the keyword NOTICE or simply bind notc. For simplicity I used bind notc.

These were the responses on bind notc when I sent a file to the bot.
($nick) ($uhost) ($hand) ($text) ($dest)

<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send mirc.exe (219.92.24.7)) (adapter)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send spamrem.zvk (219.92.24.7)) (adapter)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send servers.ini (219.92.24.7)) (adapter)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send aliases.ini (219.92.24.7)) (adapter)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send remote.ini (219.92.24.7)) (adapter)

So if anyone sends your bot a file, the bot will remove that person from any of the channels the bot is on. This is the script for DALnet, utilizing bind notc.

Code:

bind notc - "*" dcc:exploit:check

proc dcc:exploit:check {nick uhost hand text {dest ""}} {
  global botnick
  if {[isbotnick $nick] || [string equal $nick "ChanServ"] || [string equal $nick "NickServ"] || [string equal $nick "MemoServ"] || ($nick == "") || [matchattr $hand mnof|mnof]} { return 0 }
  if {[string equal "@" [string index $dest 0]] && [string equal "#" [string index $dest 1]]} { return 0 }
  if {[string equal "#" [string index $dest 0]] && [string match "#*" $dest]} { return 0 }
  if {[isbotnick $dest]} {
    # Tcl's [string match] has no % wildcard; "(*)" matches the parenthesised IP.
    if {[string equal "4" [split [llength $text]]] && [string equal "DCC Send" [lrange $text 0 1]] && ([regexp -all {\.} [lindex $text 2]] <= 3) && [string match "(*)" [lindex $text 3]]} {
      foreach chan [channels] {
        if {[botisop $chan] && [onchan $nick $chan] && ![isop $nick $chan] && ![isvoice $nick $chan]} {
          putquick "MODE $chan +b *!*@[lindex [split $uhost @] 1]" -next
          putquick "KICK $chan $nick :DCC Exploit Infected File - You are sending an infected file to channel users. You are infected with a DCC exploit. Please join #nohack to clean your infected PC."
        }
      }
    }
  }
}
Thanks for your help on this nml375 and Sir_Fz! Really appreciate it :D
So I guess Sir_Fz was right about using notc and the matching keyword. Sorry, since I initially forgot to mention this is to be used on DALnet. :P
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Once again, however, I must stress that this notice is mainly a feature of mIRC (and a few other clients). This will most likely not prevent any more advanced viruses utilizing irc to spread themselves.

As for using the ctcp binding, it works just fine for me. Which network you are using really shouldn't matter at all, as any and all ircds should simply forward PRIVMSGs from client to client, without interfering with or altering the message. Also, not even mIRC will try to receive a dcc transfer if you simply send the notice (especially since it lacks information on which port to connect to).
Sir_Fz
Revered One
Posts: 3793
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon

Post by Sir_Fz »

Actually, I tested it on my Eggdrop on DALnet and the ctcp worked just fine. This is what a user receives when a DCC send is requested (raw):
:<nick>!<user>@<host> NOTICE <receiver> :DCC Send dalnet.txt (<ip>)
:<nick>!<user>@<host> PRIVMSG <receiver> :☺DCC SEND dalnet.txt 3232248321 4602 374☺
on DALnet. The '☺' character is \001.
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Oh, also forgot, I doubt this is what you actually intended:

Code:

[string equal "4" [split [llength $text]]]

More likely you're trying to split $text into a list, and then get the length of the list... also, since you're comparing integers, == would suffice, so no need for string equal.

Next,

Code:

[regexp -all {\.} [lindex $text 2]] <= 3
$text is a string, not a list :p And why are you counting the number of dots in the filename? *confused*

Finally, this is just overkill, the second test catches any and all conditions of the first one, making it obsolete.

Code:

[string equal "#" [string index $dest 0]] && [string match "#*" $dest]
I also do not get why you are checking for @ as the first character of dest... But maybe that's something I've forgotten from the rfc's...
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Ohh, also, when you tried the ctcp-approach, did you make sure you used "DCC" as keyword and nothing else (such as "DCC Send")?
r0t3n
Owner
Posts: 507
Joined: Tue May 31, 2005 6:56 pm
Location: UK

Post by r0t3n »

Who says that the file being sent/sender is infected? Maybe it's just a normal user sending a file.....
r0t3n @ #r0t3n @ Quakenet
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

Tosser^^ wrote:Who say's that the file being sent/sender is infected? Maybe it's just a normal user sending a file.....
I added it on joining a channel: if a user sends a file almost immediately on join, then the user is definitely infected. I also added file extension checks using regexp.
Last edited by awyeah on Mon Jun 04, 2007 2:06 am, edited 1 time in total.
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

nml375 wrote:Ohh, also, when you tried the ctcp-approach, did you make sure you used "DCC" as keyword and nothing else (such as "DCC Send")?
Yes I tried:

Code:

bind ctcp - DCC proc_here
I didn't use "DCC Send" as the keyword, however.

The weird thing is, I didn't see the proc being executed, so I also checked it with putlog; same thing, the proc didn't fire. Anyway, PRIVMSG also worked, yep, but NOTICE was more relevant so I stuck with it.
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

nml375 wrote:Oh, also forgot, I doubt this is what you actually intended:

Code:

[string equal "4" [split [llength $text]]]
More likely you're trying to split $text into a list, and then get the length of the list... also, since you're comparing integers, == would suffice, so no need for string equal.

Next,

Code:

[regexp -all {\.} [lindex $text 2]] <= 3
$text is a string, not a list :p And why are you counting the number of dots in the filename? *confused*

Finally, this is just overkill, the second test catches any and all conditions of the first one, making it obsolete.

Code:

[string equal "#" [string index $dest 0]] && [string match "#*" $dest]
I also do not get why you are checking for @ as the first character of dest... But maybe that's something I've forgotten from the rfc's...
As for this:

Code:

[string equal "4" [split [llength $text]]]
Yes, I'll try to omit the split. But I am matching 4 parameters here, so there should always be 4, else stop there immediately.

The "==" sign is also recommended for this case, but I overlooked it, anyway both would produce the same result. Well the one thing I will observe is the equality (==) will execute faster than string equal, if I am correct.

For this:

Code:

[regexp -all {\.} [lindex $text 2]] <= 3
I am trying to match:
DCC Send mirc.exe (219.92.24.7)
DCC Send remote.txt.ini (219.92.24.7)
DCC Send versions.tar.gz (219.92.24.7)
DCC Send alias.ini.scr.com (219.92.24.7)
The parts that were in bold (the file names) are what I am matching. These are very good examples of infected files: the extension of the file name is changed, or an additional extension is added, to cloak the original file being sent. This is encountered mostly on DALnet.

Thirdly:

Code:

[string equal "#" [string index $dest 0]] && [string match "#*" $dest]
Yeah I guess I overlooked this. After seeing the complete proc, this statement is redundant and already implemented, so it should be removed.

Checking @ as the first character... remember OPNOTICE? Sometimes channel ops use opnotice, so dest is like "@#channel", and even ChanServ on DALnet uses opnotices, mostly for VERBOSE commands.
awyeah
Revered One
Posts: 1580
Joined: Mon Apr 26, 2004 2:37 am
Location: Switzerland

Post by awyeah »

This should be the final code:

Code:

bind notc - "*" dcc:exploit:check

proc dcc:exploit:check {nick uhost hand text {dest ""}} {
  if {[isbotnick $nick] || [string equal $nick "ChanServ"] || [string equal $nick "NickServ"] || [string equal $nick "MemoServ"] || ($nick == "") || [matchattr $hand mnof|mnof]} { return 0 }
  if {[string equal "#" [string index $dest 0]] || [string equal "@" [string index $dest 0]] && [string equal "#" [string index $dest 1]]} { return 0 }
  if {[isbotnick $dest]} {
    # Tcl's [string match] has no % wildcard; "(*)" matches the parenthesised IP.
    if {([llength $text] == "4") && [string equal "DCC Send" [lrange $text 0 1]] && ([regexp -all {\.} [lindex $text 2]] >= 1) && ([regexp -all {\.} [lindex $text 2]] <= 3) && [string match "(*)" [lindex $text 3]]} {
      foreach chan [channels] {
        if {[botisop $chan] && [onchan $nick $chan] && ![isop $nick $chan] && ![isvoice $nick $chan]} {
          putquick "MODE $chan +b *!*@[lindex [split $uhost @] 1]" -next
          putquick "KICK $chan $nick :DCC Exploit Infected File - You are sending an infected file to channel users. You are infected with a DCC exploit. Please join #nohack to clean your infected PC."
        }
      }
    }
  }
}
nml375
Revered One
Posts: 2860
Joined: Fri Aug 04, 2006 2:09 pm

Post by nml375 »

Still, $text is not a list, so can't use llength, lindex or lrange here without split.

Never heard of opnotice, but then again I do not use services such as chanserv... However, this being a service, means that it will not trigger notc-bindings, virtually making the @#-matching useless...

I still don't see the point in counting number of dots, as "valid" files seldom would have 4 or more dots, and for someone malicious it'd be merely a matter of adding another dot in the filename.

Finally, wouldn't it just be simpler matching something like this? (Tcl's string match uses * rather than % as the wildcard.)

Code:

string match "DCC Send * (*)" $text
I'd probably implement it roughly like this tho:

Code:

bind ctcp -of&-of DCC check_send
bind ctcp -of&-of XDCC check_send

proc check_send {nick host hand dest key text} {
  set subkey [lindex [split $text] 0]
  if {[string equal -nocase $subkey "send"]} {
    foreach chan [channels] {
      pushmode $chan +b "*!*@[lindex [split $host "@"] end]"
      putkick $chan $nick "Unsolicited dcc send requested. Banning..."
    }
    return 1
  }
  return 0
}
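As an added illustration of the two filename tests argued over in this thread (awyeah's dot count of 1 to 3, and a check on the final extension, which is what a file-extension regexp amounts to), the Python below is not from the thread and not eggdrop code. The first four filenames are awyeah's own examples; the last two filenames and the executable-extension list are assumptions made for this example. It shows nml375's objection concretely: one extra dot defeats the dot count, while a plain tarball trips it.

```python
"""Added example (Python, not eggdrop Tcl): compare the dot-count filename
test from the posted script with a final-extension test, on the filenames
discussed in the thread plus two constructed ones."""

import os

# Assumed for this example: extensions Windows runs on double-click. Not from the thread.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}


def dot_count_flags(filename: str) -> bool:
    """The posted script's heuristic: flag when the name has 1 to 3 dots."""
    return 1 <= filename.count(".") <= 3


def executable_ext_flags(filename: str) -> bool:
    """Flag on the final extension only; extra dots do not change the answer."""
    return os.path.splitext(filename.lower())[1] in EXECUTABLE_EXTS


def classify(filename: str) -> dict:
    return {"dots": dot_count_flags(filename), "ext": executable_ext_flags(filename)}


SAMPLES = [
    "mirc.exe",                # from the thread: both tests flag it
    "remote.txt.ini",          # from the thread: dots flag it, ext does not (.ini is data)
    "versions.tar.gz",         # from the thread: a plain tarball, dots flag it (false positive)
    "alias.ini.scr.com",       # from the thread: both tests flag it
    "photo.jpg.of.my.cat.exe", # constructed: 5 dots evade the dot test, ext still flags
    "readme",                  # constructed: no extension, neither flags
]


def report() -> dict:
    """Run both tests over every sample and return the verdicts by filename."""
    return {name: classify(name) for name in SAMPLES}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:28s} dots={verdict['dots']!s:5s} ext={verdict['ext']}")
```

Neither test knows whether the sender is hostile, which is r0t3n's point; the extension test at least cannot be switched off by the sender adding another dot.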