awyeah (Revered One)
Posted: Wed May 09, 2007 10:58 pm
Post subject: Detecting users with normal ips and vhost ips
What would be a good way of distinguishing normal IP users from people using vhosts?
This is what I currently came up with:
Code:
set host [lindex [split $uhost @] 1]
# index of the last label (the TLD) once the host is split on "."
set tld [expr {[llength [split $host "."]] - 1}]
# host contains digits (or does not end in a letter) but carries a known TLD
if {![regexp {^[^0-9]*[a-zA-Z]$} $host] && [regexp {^(com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk)$} [lindex [split $host "."] $tld]]} { return 0 }
All suggestions would be appreciated.
_________________
·awyeah·
==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
Sir_Fz (Revered One)
Posted: Thu May 10, 2007 3:47 am
If a host ends with a number then it's an IP, else it's a hostname:
Code:
if {[string is integer [string index $host end]]} {
    # IP
} else {
    # Vhost
}
_________________
Follow me on GitHub
- Opposing
Public Tcl scripts
awyeah (Revered One)
Posted: Thu May 10, 2007 3:52 am
That is also good logic, but I'm concerned since hosts are not always in the format of numbers. They are also in a format like:
When they include numbers together with alphabets. Anything suggested for situations like this?
nml375 (Revered One)
Posted: Thu May 10, 2007 8:58 am
It would be helpful to know what characteristics these vhosts have (that is, how are they different from real hosts)?
As for simplifying the code in your first post, consider using this:
Code:
# the host part after the "@" must be non-empty, and the host must end in a listed TLD
if {[string length [lindex [split $uhost "@"] 1]] && [regexp {\.(com|net|org)$} $uhost]} {return 0}
(list of TLDs truncated to make it easier to read).
Also, I am not sure what you try to accomplish with the first regular expression, although using ![regexp ....] is a bit easier than [string equal "0" [regexp...]]
_________________
NML_375, idling at #eggdrop@IrcNET
honeybee (Halfop)
Posted: Thu May 10, 2007 10:03 pm
vhosts are usually resolved, so why don't you check if the IP is really a resolving IP?
Code:
if {[regexp {@(\d+\.\d+\.\d+\.\d+)$} $uhost tmp host]} {
    # the host part is a bare dotted quad, i.e. not a resolving hostname; $host now holds that address
}
awyeah (Revered One)
Posted: Fri May 11, 2007 3:01 am
This basically works on the assumption that vhosts only contain alphabets in lower and upper case and no numbers, since virtual hosts normally contain alphabets and no numbers. If numbers are present, there are only 1 minimum to 3 maximum.
Code:
regexp {^[^0-9]*[a-zA-Z]$} $host
Anyway, thanks for all the suggestions. I'll give them a go.
awyeah (Revered One)
Posted: Fri May 11, 2007 4:43 am
Here are some examples of virtual hosts:
Code:
64.18.135.148 ==> search.on.g0ogle.be
64.18.135.149 ==> get.me.bill.gatesweb.info
64.18.135.150 ==> halloween.gh0strider.be
64.18.135.151 ==> got.girls4uboys.com
64.18.135.152 ==> trust.godhost.us
64.18.135.153 ==> idiots.gothacked.biz
64.18.135.154 ==> are.you.h0m0.net
64.18.135.155 ==> come.here.to.have-my.info
64.18.135.156 ==> mess.with.me.if.you.want.hellentry.com
64.18.135.157 ==> whats.his-real.name
64.18.135.158 ==> w.hore.be
64.18.135.159 ==> amd.vs.intel.st
64.18.135.160 ==> dont.even.dare.to.ban.my.ip-address.be
64.18.135.161 ==> smart.ircnoob.com
64.18.135.162 ==> you.are.lag.in
64.18.135.163 ==> this.is.leet.la
64.18.135.164 ==> only.me.no-u.be
64.18.135.165 ==> shoutcast.is.nullsoft.be
64.18.135.166 ==> lets.talk.about.ourmeetings.net
64.18.135.167 ==> you.must.be.outofmind.be
64.18.135.168 ==> its.time.to.ping-timeout.be
64.18.135.169 ==> group.of.rappers.cc
64.18.135.170 ==> your.secrets.are.recorded.be
64.18.135.171 ==> dont.worry.you.are.secure.la
64.18.135.172 ==> you.are.just.another.sh1tbox.com
64.18.135.173 ==> be.my.shad0w.be
64.18.135.174 ==> her.nightie.is.made.of.silk.com
64.18.135.175 ==> she.is.one.of.the.top-escort.nl
64.18.135.176 ==> are.you.virgine.ws
Yes, we can check if virtual hosts resolve to an IP, but would we also need to check if their reverse DNS also resolves? Right?
nml375 (Revered One)
Posted: Fri May 11, 2007 7:53 am
awyeah wrote:
> This basically works on the assumption that vhosts only contain alphabets in lower and upper case and no numbers, since virtual hosts normally contain alphabets and no numbers. If numbers are present, there are only 1 minimum to 3 maximum.
> Code:
> regexp {^[^0-9]*[a-zA-Z]$} $host
> Anyway, thanks for all the suggestions. I'll give them a go.
Actually, this matches any number of non-numeric characters, followed by one alphabetic character.
awyeah wrote:
> Yes, we can check if virtual hosts resolve to an IP, but would we also need to check if their reverse DNS also resolves? Right?
Unless they use HostServ vhosts (which are not IP-based at all), a reverse DNS of the IP would most likely return the same hostname as seen on IRC, with the rare exception when an ircd would use its own DNS server with "bogus" entries for *.in-addr.arpa.
In the case of "normal" vhosts, I guess your best bet would be to gather network ranges that are confirmed vhosts, do a DNS lookup on the suspected hostname, and see if the resulting IP matches any known vhost net.
awyeah (Revered One)
Posted: Fri May 11, 2007 8:45 am
Code:
#this would be for hosts with alphabets and no numbers
if {[regexp {^[^0-9]} $host] && [regexp {[a-zA-Z]} $host] && [regexp {\.(com|net|org|info|biz|tk)$} $host]} {
    #vhost
}
#my next situation would be determining vhosts with numbers as well: maybe take the percentage of numbers in the vhost along with the length of the alphabets present in the host, and compare it with a certain number which I will observe by looking at most vhosts of certain shell companies :)
This should be the current simplest logic. I'll find a more suitable solution by looking at vhosts carefully and try to detect the best setting for matching vhosts over regular IP addresses. I'll follow up on the code and include it within this post for other users to see and utilize.
The problem with gathering shell box ranges for various shell providers is that it would be a very trivial and tedious task, since there are just too many, and HostServ is not used on DALnet, which is the network I use.
I appreciate everyone for their help and contribution. Thanks.
Sir_Fz (Revered One)
Posted: Fri May 11, 2007 10:20 am
Code:
[regexp {^[^0-9]} $host]
means that the first character in $host is not a number.
Code:
[regexp {[a-zA-Z]} $host]
means that $host contains an alphabet.
So it can simply be replaced with
Code:
[regexp {[^0-9]} $host]
If there are no numbers, then they're definitely alphabets (with '.' and perhaps '-').
nml375 (Revered One)
Posted: Fri May 11, 2007 1:15 pm
Since we're not dealing with HostServ-based vhosts, this means that there's really no difference between vhosts and other hosts. I think you're rather looking for a DNS-pollution scanner.
A few good links on the subject:
http://www.dnsspam.nl/, http://www.nl.ircnet.org/hostname-rules.html.
You might also wish to inspect dnsspam.tcl, which uses spamcalc to determine the grade of pollution of the hostname.
awyeah (Revered One)
Posted: Sun May 13, 2007 4:23 am
After doing a survey I found:
Vhosts have a percentage of alphabets of about 92% and numbers of about 8%, while regular hosts have a percentage of numbers of about 40% or more.
Here is the current solution I derived for determining vhosts against normal IP addresses (not valid if vhosts are not resolved on the ircd):
Code:
# $uhost is assumed to hold the host part (after the "@") of the user@host string
set labels [split $uhost "."]
set tld [expr {[llength $labels] - 1}]
set domain [expr {[llength $labels] - 2}]
set tlduhost [lrange $labels 0 [expr {$tld - 1}]]
set notlduhost [string map {" " ""} $tlduhost]
set numbers [regexp -all {[0-9]} $uhost]
set alphabets [regexp -nocase -all {[a-z]} $uhost]
set totalchar [expr {$numbers + $alphabets}]
# guard against division by zero on a host with neither letters nor digits
set numbersper [expr {$totalchar ? ($numbers * 100) / $totalchar : 0}]
#vhosts with no numbers
if {($numbers == 0) && ([regexp -all {\-} [lindex $labels $domain]] <= 2) && ([regexp -all -nocase {[a-z]} $notlduhost] >= 5) && [regexp -nocase {^(com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk)$} [lindex $labels $tld]]} {
#do stuff
}
#vhosts with numbers
if {($numbersper <= 8) && ([regexp -all {\-} [lindex $labels $domain]] <= 2) && ([regexp -all {[0-9]} [lindex $labels $domain]] <= 2) && ([regexp -all {\-} [lrange $labels 0 [expr {$domain - 1}]]] <= 1) && ([regexp -all -nocase {[a-z]} $notlduhost] >= 5) && [regexp -nocase {^(com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk)$} [lindex $labels $tld]]} {
#do stuff
}
#ip address in (0.0.0.0 - 255.255.255.255 range)
if {(([string length $uhost] <= 15) && [string equal "3" [regexp -all {\.} $uhost]] && [string equal [string length [string map {"." ""} $uhost]] [regexp -all {[0-9]} $uhost]]) || [regexp {^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$} $uhost]} {
#do stuff
}
#ip address in domain format
if {([string length [string map {"." ""} $uhost]] >= 18) && ($numbersper >= 30) && ([regexp -all {\-} [lindex $labels $domain]] == 0) && ([regexp -all {[0-9]} [lindex $labels $domain]] == 0) && ([regexp -all {\-} [lrange $labels 0 [expr {$domain - 1}]]] >= 1) && ([regexp -all -nocase {[a-z]} $notlduhost] >= 8)} {
#do stuff
}
Edit: I haven't really tested this logic yet for accuracy.
awyeah (Revered One)
Posted: Mon May 14, 2007 1:50 am
This is the complete tested script. It works efficiently to distinguish vhosts from normal IP addresses. I also added a DNS function for normal IPs to check for vhosts that are not resolved on the ircd.
Code:
#setting variables: $host holds the user@host string, $uhost the host part after the "@"
set uhost [lindex [split $host @] 1]
set labels [split $uhost "."]
set tld [lindex $labels end]
set domain [lindex $labels end-1]
set nodomaintld [join [lrange $labels 0 end-2] "."]
set numbers [regexp -all {[0-9]} $uhost]
set alphabets [regexp -nocase -all {[a-z]} $uhost]
set totalchar [expr {$numbers + $alphabets}]
#guard against division by zero on a host with neither letters nor digits
set numbersper [expr {$totalchar ? ($numbers * 100) / $totalchar : 0}]
if {[info exists vhost_ip]} { unset vhost_ip }
#vhosts with no numbers
if {($numbers == 0) && ([regexp -all {\-} $domain] <= 2) && ([regexp -all -nocase {[a-z]} $nodomaintld] >= 5) && [regexp -nocase {^(com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk|ws)$} $tld]} {
set vhost_ip 1
}
#vhosts with numbers
if {($numbersper >= 1) && ($numbersper <= 8) && ([regexp -all {\-} $domain] <= 2) && ([regexp -all {[0-9]} $domain] <= 2) && ([regexp -all {\-} $nodomaintld] <= 1) && ([regexp -all -nocase {[a-z]} $nodomaintld] >= 5) && [regexp -nocase {^(com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk|ws)$} $tld]} {
set vhost_ip 1
}
if {![info exists vhost_ip]} {
#ip address in (0.0.0.0 - 255.255.255.255 range) - can be unresolved vhost
#(a dotted quad contains no letters, so the regexp alone covers the former length/digit checks)
if {[regexp {^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$} $uhost]} {
#check for unresolved vhost; dnslookup is asynchronous, so the answer is handled in the callback
dnslookup $uhost ip_address_output $uhost
#ip address in domain format
} elseif {([string length [string map {"." ""} $uhost]] >= 18) && ($numbersper >= 20) && ([regexp -all {\-} $domain] == 0) && ([regexp -all {[0-9]} $domain] == 0) && ([regexp -all {\-} $nodomaintld] >= 1) && ([regexp -all -nocase {[a-z]} $nodomaintld] >= 8)} {
#do stuff
}
}
#called by dnslookup as "ip hostname status addr"; status is 1 when the reverse lookup succeeded
#and addr is the address we passed along as the extra argument
proc ip_address_output {ip host status addr} {
if {!$status} { return }
set uhost $host
set labels [split $uhost "."]
set tld [lindex $labels end]
set domain [lindex $labels end-1]
set nodomaintld [join [lrange $labels 0 end-2] "."]
set numbers [regexp -all {[0-9]} $uhost]
if {($numbers == 0) && ([regexp -all {\-} $domain] <= 2) && ([regexp -all -nocase {[a-z]} $nodomaintld] >= 5) && [regexp -nocase {^(com|net|org|biz|info|tv|uk|us|name|ac|as|at|au|br|ca|cc|cd|de|eu|fr|id|in|it|je|jp|kz|la|lt|lu|my|pk|ro|tk|ws)$} $tld]} {
#unresolved vhost: the bare address reverse-resolves to a vhost-looking name; do stuff here
}
}
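The survey thresholds and the four classes of the final script, re-implemented as an added Python example (not the Tcl posted in this thread and not eggdrop's code) so they can be exercised offline against three of the vhost examples quoted earlier plus constructed inputs; the two ISP-style reverse-DNS names and their example.net / example.org domains are constructed placeholders.

```python
import re
# Constructed sample input: three vhosts quoted earlier in the thread, one bare address,
# and two constructed ISP-style reverse-DNS names (example.net / example.org are placeholders).
SAMPLE_HOSTS = [
    "you.are.just.another.sh1tbox.com",
    "come.here.to.have-my.info",
    "search.on.g0ogle.be",
    "64.18.135.148",
    "dynamic-pool-64-18-135-148.example.net",
    "host64-18-135-148.static.example.org",
]
# TLD list from the final script, matched as the whole last label rather than as a substring
TLDS = set("com net org biz info tv uk us name ac as at au br ca cc cd de eu fr id in it "
           "je jp kz la lt lu my pk ro tk ws".split())
DOTTED_QUAD = re.compile(r"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
                         r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")

def digit_percentage(host):
    """Digits as a share of letters+digits, integer division as in Tcl's expr."""
    digits = sum(c.isdigit() for c in host)
    alphas = sum(c.isalpha() for c in host)
    total = digits + alphas
    return digits * 100 // total if total else 0  # the Tcl script divides by zero here

def classify(host):
    """Return 'ip', 'vhost', 'ip-in-domain' or 'unknown' using the thread's thresholds."""
    if DOTTED_QUAD.match(host):
        return "ip"
    labels = host.lower().split(".")
    tld, domain, rest = labels[-1], labels[-2] if len(labels) > 1 else "", ".".join(labels[:-2])
    pct = digit_percentage(host)
    rest_alphas = sum(c.isalpha() for c in rest)
    # vhost: <= 8% digits, <= 2 hyphens and <= 2 digits in the domain label, >= 5 letters left
    # of it and a listed TLD; the "with numbers" branch also allows only one hyphen on the left
    if (pct <= 8 and domain.count("-") <= 2 and sum(c.isdigit() for c in domain) <= 2
            and (pct == 0 or rest.count("-") <= 1) and rest_alphas >= 5 and tld in TLDS):
        return "vhost"
    # ISP-style reverse DNS: long, >= 20% digits, clean domain label, hyphenated left part
    if (len(host.replace(".", "")) >= 18 and pct >= 20 and "-" not in domain
            and not any(c.isdigit() for c in domain) and "-" in rest and rest_alphas >= 8):
        return "ip-in-domain"
    return "unknown"

def classify_all(hosts=SAMPLE_HOSTS):
    """Map each host to its class; .be is not in TLDS, so that vhost example stays unknown."""
    return {h: classify(h) for h in hosts}

if __name__ == "__main__":
    for host, kind in classify_all().items():
        print(f"{kind:13} {host}")
```

Note that .be, .nl and .st, which several of the vhost examples quoted above use, are absent from the script's TLD list, so those hosts fall through to the unknown class; the list has to be widened before the heuristic is useful on such networks.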