Detecting fast botnet join with different ips

 
awyeah
Revered One


Joined: 26 Apr 2004
Posts: 1580
Location: Switzerland

Posted: Thu May 10, 2007 4:07 am    Post subject: Detecting fast botnet join with different ips

I wanted to accomplish something which is done through hashes in mIRC scripting. Suppose a fast botnet joins with similar hosts and a bot within it has a different host. How should it be detected?

I can detect the users which have similar IPs, but not the users which have only one IP.

For example, all of this botnet joins a channel fast, within a sec:
Code:

user1 (a@a.com)
user2 (a@a.com)
user3 (a@a.com)
user4 (b@dfds.org)
user5 (a@a.com)
user6 (a@a.com)
user7 (afgf@fdsgdf.net)


How can I detect user4 and user7? All the rest can be detected as clones and can be filter kicked. All help would be appreciated, thanks, because I would want to remove all bots who joined, even the ones who have different IP addresses.
_________________
·­awyeah·

==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================


Last edited by awyeah on Fri May 11, 2007 2:50 am; edited 1 time in total
Sir_Fz
Revered One


Joined: 27 Apr 2003
Posts: 3793
Location: Lebanon

Posted: Thu May 10, 2007 4:06 pm

When you're detecting join floods from 1 host you're probably using an array of $chan:$host. If you just use an array for $chan, then you'll be able to detect a join flood from unique hosts; just save the nicks that are joining at every increment.
_________________
Follow me on GitHub

- Opposing

Public Tcl scripts
awyeah
Revered One


Joined: 26 Apr 2004
Posts: 1580
Location: Switzerland

Posted: Fri May 11, 2007 2:53 am

Okay thanks, yes I am using an array for $host:$chan. Thanks I will switch it to $chan only and then see how things work. So basically I'll create a list and then lappend all joining nicks to that list and then ban and kick them. kthx.
caesar
Mint Rubber


Joined: 14 Oct 2001
Posts: 3741
Location: Mint Factory

Posted: Sat May 12, 2007 4:00 pm

This ain't flawless as some innocent people may join and get banned.
_________________
Once the game is over, the king and the pawn go back in the same box.
Sir_Fz
Revered One


Joined: 27 Apr 2003
Posts: 3793
Location: Lebanon

Posted: Sat May 12, 2007 4:03 pm

caesar wrote:
This ain't flawless as some innocent people may join and get banned.

Exactly, especially after netsplits. IMO it's a bad idea to kick users on mass joins, a channel lock is enough.
awyeah
Revered One


Joined: 26 Apr 2004
Posts: 1580
Location: Switzerland

Posted: Sun May 13, 2007 3:11 am

Yes, I've experienced people getting kicked on netsplit rejoins. I guess Tcl is still limited, though, as compared with mIRC scripting for accomplishing this.
Sir_Fz
Revered One


Joined: 27 Apr 2003
Posts: 3793
Location: Lebanon

Posted: Sun May 13, 2007 7:36 am

awyeah wrote:
Yes, I've experienced people getting kicked on netsplit rejoins. I guess Tcl is still limited, though, as compared with mIRC scripting for accomplishing this.

In what way exactly? What does "the extremely advanced" mIRC scripting offer that Tcl cannot accomplish?
nml375
Revered One


Joined: 04 Aug 2006
Posts: 2857

Posted: Sun May 13, 2007 11:17 am

I believe he's just not thinking what you can accomplish using "bind splt", "bind rejn", "onchansplit", etc..
And if you're a really hardcore coder *j*, I guess you could join your bot to &servers and grab the SERVER and SQUIT notices to try and predict netsplits/netmerges...

In any case, all that is needed to do some fancy netsplit detection/handling is in there, it's just up to the scripters to use it...
_________________
NML_375, idling at #eggdrop@IrcNET
awyeah
Revered One


Joined: 26 Apr 2004
Posts: 1580
Location: Switzerland

Posted: Sun May 13, 2007 1:11 pm

I don't believe I'm a hardcoder. I'm just like all the other people out there. Just that I spend more time trying to analyze and solve the problem myself and then ask for help, rather than ask people for help from scratch.

Detecting netsplits is not an easy task, and integrating that into a fast botnet join script isn't a trivial task either. As far as I am aware, the wait-netsplit global var in the .config file also plays a role in detecting netsplits. Since it is an approximate prediction, I thought it is a difficult task to detect netsplit rejoins, since bind splt and rejn utilize that global var, and onchansplit also, I guess.

However, RAW SJOIN and SQUIT notices would be a good idea to take into consideration, but there's always a different delay for every channel, as we know, when a split rejoins. Anyway, I will see what I can come up with in my free time to solve this problem once and for all.
nml375
Revered One


Joined: 04 Aug 2006
Posts: 2857

Posted: Sun May 13, 2007 1:35 pm

Well, as stated, if you're not the "hardcore coder" (most of us aren't), there's always "bind splt" and "bind rejn" to help detect netsplits and netmerges.

The splt-binding checks the quit-messages for hints on netsplits, in order to try and determine whether it was a normal quit or a netsplit (in which case we suspect that the user will rejoin once the split merges). The wait-netsplit variable is just a setting for how long we will bother to keep track of already splitted nicks...
The rejn-binding, as well as ischansplit, only rely on wait-netsplit in the way that it uses the same list of splitted nicks that was generated by the same mechanisms that generate the split-triggering...

So, wait-netsplit has nothing to do with the actual detection of any netsplits; it only tells us how long we bother to keep track of netsplitted nicks before we assume they've quit'd, changed nicks, or the server was permanently unlinked.

So, getting back to the main subject: not triggering join-floods on netmerges. This would be a mere issue of checking whether the nick joining was considered netsplit'd before he joined or not. If (s)he was, then don't count the join; if not, count it...
_________________
NML_375, idling at #eggdrop@IrcNET
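
Added example, not code from any poster in this thread: the per-channel counter Sir_Fz describes (keyed by channel only, saving the joining nicks), combined with nml375's rule that netsplit rejoins are not counted, written as plain Tcl that runs in tclsh. The proc names, the jfjoins array and the wassplit argument are assumptions; wiring it to a join bind and deciding wassplit are left to the caller.

```tcl
# Added example; the jf:* names and the jfjoins array are hypothetical.
set jf(trigger) "3:5"   ;# joins:seconds, same format as mjointrigger in the thread

# Record one join on a channel. Returns the nicks that joined inside the
# window once the threshold is reached, otherwise an empty list.
# wassplit: 1 if the caller considers this join a netsplit rejoin.
proc jf:record {chan nick now {wassplit 0}} {
 global jf jfjoins
 if {$wassplit} { return [list] }
 foreach {max secs} [split $jf(trigger) :] break
 set chan [string tolower $chan]
 # keep only joins still inside the time window, keyed by channel alone
 set keep [list]
 if {[info exists jfjoins($chan)]} {
  foreach entry $jfjoins($chan) {
   if {$now - [lindex $entry 0] < $secs} { lappend keep $entry }
  }
 }
 lappend keep [list $now $nick]
 set jfjoins($chan) $keep
 if {[llength $keep] < $max} { return [list] }
 set nicks [list]
 foreach entry $keep { lappend nicks [lindex $entry 1] }
 return $nicks
}

# Constructed sample: the seven joins from the first post, all in the same
# second, followed by one join marked as a netsplit rejoin (not counted).
proc jf:demo {} {
 set flagged [list]
 foreach {nick uhost} {user1 a@a.com user2 a@a.com user3 a@a.com
                       user4 b@dfds.org user5 a@a.com user6 a@a.com
                       user7 afgf@fdsgdf.net} {
  set flagged [jf:record #test $nick 100]
 }
 jf:record #test rejoiner 100 1
 return $flagged
}
puts [jf:demo]
```

Because the host is not part of the key, user4 and user7 end up in the returned list together with the a@a.com clones.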
awyeah
Revered One


Joined: 26 Apr 2004
Posts: 1580
Location: Switzerland

Posted: Sun May 13, 2007 8:25 pm

Thanks for the very detailed info, appreciate it. I will try to imply this and let you know in time what solution I come up with for this problem.
awyeah
Revered One


Joined: 26 Apr 2004
Posts: 1580
Location: Switzerland

Posted: Tue May 15, 2007 9:27 pm

Here is the script which I have currently made in accordance with the bind splt and rejn mechanisms. I am not sure if it will work or not, since I haven't tested it, because netsplits don't occur when you want them to, obviously.

So I'm just pasting the code, and if anyone can follow up, have a look and browse through it to let me know whether this would work or not. Once more I'll give info:

This script basically detects fast mass joining hosts from bots which have more than 1 host, and removes all bots which joined the channel.

Code:

set mjointrigger "3:5"

bind join - "*" mass:join:chan

proc mass:join:chan {nick uhost hand chan} {
 global botnick mjointrigger joinflood kickno net_split
 if {[isbotnick $nick] || [info exists net_split]} { return 0 }
 set host "*!*@[lindex [split [maskhost $uhost] @] 1]"
 set user [string tolower $chan]
 if {[string match -nocase "#*" $chan]} {
 if {![info exists joinflood($user)]} {
   set joinflood($user) 0
  }
  utimer [lindex [split $mjointrigger :] 1] [list mass:join:list $user]
  if {[incr joinflood($user)] >= [lindex [split $mjointrigger :] 0]} {
   if {[botisop $chan]} {
    putquick "MODE $chan +b $host" -next
    set clonenicks [list]; set clonenum 0
    foreach person [chanlist $chan] {
     if {[string match -nocase *$host* "$person![getchanhost $person $chan]"] && ![isop $person $chan] && ![isvoice $person $chan]} {
      incr clonenum; lappend clonenicks $person:$clonenum
      }
    }
    foreach clone $clonenicks {
     putquick "KICK $chan [lindex [split $clone :] 0] :\0030,1 Clone Mass Join Flood \00312,0 - You \0032joined with\0036 [lindex [split $mjointrigger :] 0] clients \0032or more \00312in less than\0036 [lindex [split $mjointrigger :] 1] secs \00312from the host \0036*!*@[lindex [split $uhost @] 1] \00312- (Clone\0032 #[lindex [split $clone :] 1] \00312of\0032 #[llength $clonenicks]\00312)" -next
    }
    unset clonenicks; unset clonenum
    timer 60 [list putquick "MODE $chan -b $host"]
    }
   if {[info exists joinflood($user)]} { unset joinflood($user) }
  }
 }
}

proc mass:join:list {user} {
 global joinflood
 if {[info exists joinflood($user)]} { incr joinflood($user) -1 }
}


# bind syntax is: bind <type> <flags> <mask> <proc>
bind splt - "*" mass:join:split
bind rejn - "*" mass:join:rejoin

proc mass:join:split {nick host hand chan} {
 global net_split
  if {[info exists net_split]} {
   return 0
  } elseif {![info exists net_split] && [onchansplit $nick $chan]} {
   set net_split 1
   }
}

proc mass:join:rejoin {nick host hand chan} {
 global net_split
  if {[info exists net_split]} {
   # each word of the command must be its own list element
   utimer 5 [list unset -nocomplain ::net_split]
   }
}


Moreover, I searched the forum for rejn and splt and found Wcc gave a small snippet for detecting netsplits. It basically uses RAW with keyword QUIT. I think bind splt would be more relevant to detect netsplits than just using raw.

Code:

bind raw - QUIT raw:netsplit

proc raw:netsplit {from keyword text} {
 if {![regexp "(.*) (.*)" $text match server1 server2]} { return 0 }
 foreach chan [channels] {
  putserv "PRIVMSG $chan :Netsplit detected: $server1 just split from $server2"
 }
 # return 0 so eggdrop still processes the QUIT itself
 return 0
}


Here is what I came up with to detect users which have split:
Code:

bind raw - QUIT raw:netsplit

proc raw:netsplit {from keyword text} {
 global detect_netsplit
 # the quit reason may carry a leading ":"; a netsplit reason is "server1 server2"
 set reason [string trimleft $text :]
 set servers [split $reason " "]
 if {![info exists detect_netsplit] && [llength $servers] == 2} {
  foreach {server1 server2} $servers break
  # both names must be lowercase, digit-free and contain more than 3 dots
  if {[string is lower [string map {"." "" " " ""} $reason]] && ![regexp {[0-9]} $reason] && ([regexp -all {\.} $server1] > 3) && ([regexp -all {\.} $server2] > 3)} {
   set detect_netsplit 1
   utimer 10 [list unset -nocomplain ::detect_netsplit]
   foreach chan [channels] {
    putserv "PRIVMSG $chan :Netsplit detected: $server1 just split from $server2"
   }
  }
 }
 # return 0 so eggdrop still processes the QUIT itself
 return 0
}


Also is it NECESSARY to include a bind on SIGN for the nicks which didn't join back from the netsplit on REJN (users which quit IRC after the servers split). And how would I implement that?

Example of a netsplit rejoin:
Code:

* PapaJaHaT- (one@64.18.135.100) has joined #chatzone
* mariahilal (tin@208.98.24.223) has joined #chatzone
* Uk_Dude (vdn@[censored].this.is.an.all-out-war.net) has joined #chatzone
* Toyong^Hasibuan (Toyong@208.98.12.236) has joined #chatzone
* }-|-{ (united@im.coming.back.home.kg) has joined #chatzone
* Ramoo (sam@Harami.org) has joined #chatzone
* brain.hub.eu.dal.net sets mode: +ovo The^Lovely^Slut Forecast[V23] DenDen
* brain.hub.eu.dal.net sets mode: +b *!*@60.53.52.62
* Hong24 (~Hong24_C_@37.248.208.218.klj02-home.tm.net.my) has joined #chatzone


When server sets channel modes, the channel rejoin from the netsplit is complete. Can I also do something like using bind MODE instead of bind REJN, so that I don't need to add a delay to unset the global var net_split. Coz bind rejn will detect the first user joining and for channels with big user counts, lots of people will rejoin, so I have to make the script run after everyone has rejoined from the netsplit.

Code:

bind mode - "*" server:mode:on:rejoin

proc server:mode:on:rejoin {nick uhost hand chan mode arg} {
 global net_split
 # for a server mode eggdrop passes an empty nick and the server name as uhost;
 # the mode change itself (+o, +v, +b) is in $mode, $arg is only its target
 if {[string equal "" $nick] && ([regexp -all {\.} $uhost] > 3) && [regexp {o|v|b} $mode]} {
 #the only time server sets mode on DALnet is after netsplit rejoins
  if {[info exists net_split]} {
    unset net_split
    }
  }
}

Sir_Fz
Revered One


Joined: 27 Apr 2003
Posts: 3793
Location: Lebanon

Posted: Tue May 22, 2007 3:44 am

Bind rejn won't help you in your case because it is only triggered if the rejoin occurs during the wait-split duration. As for the modes option, the server doesn't always set a mode after the net rejoin so it is not efficient enough. IMO, it's best to increase the wait-split setting if the splits are taking longer than expected.
awyeah
Revered One


Joined: 26 Apr 2004
Posts: 1580
Location: Switzerland

Posted: Sat May 26, 2007 3:34 am

Yes, I forgot to mention that: I increase the wait-netsplit global var to around about 3hrs or so, the maximum which I think can occur on DALnet. Hope that helps. :)