awyeah Revered One
Joined: 26 Apr 2004 Posts: 1580 Location: Switzerland
Posted: Wed May 30, 2007 9:30 pm Post subject: Suitable binding to check for DCC send/resume
I was wondering which binding can be used to check if someone is sending the bot a file via DCC. I'm looking for file extensions, which I will use regexp on later, to find the DCC exploit. Currently I only have this.
Code:
LOST (stackable)
bind lost <flags> <mask> <proc>
proc-name <handle> <nick> <path> <bytes-transferred> <length-of-file>
Description: triggered when a DCC SEND transfer gets lost, such as when the connection is terminated before all data was successfully sent/received. This is typically caused by a user abort.
Module: transfer
TOUT (stackable)
bind tout <flags> <mask> <proc>
proc-name <handle> <nick> <path> <bytes-transferred> <length-of-file>
Description: triggered when a DCC SEND transfer times out. This may either happen because the dcc connection was not accepted or because the data transfer stalled for some reason.
Module: transfer
Would bind RAW work? If so, with what keyword? Any example? Also, I noticed bind DCC is limited to the partyline.
How about bind CTCP with keyword DCC?
All help would be appreciated in this matter. Thanks!
_________________
·awyeah·
==================================
Facebook: jawad@idsia.ch (Jay Dee)
PS: Guys, I don't accept script helps or requests personally anymore.
==================================
Sir_Fz Revered One
Joined: 27 Apr 2003 Posts: 3793 Location: Lebanon
Posted: Thu May 31, 2007 5:45 pm
When someone sends the bot a file, the bot receives a notice containing:
Quote:
DCC Send <file-name> (<IP>)
So you can bind to notc and use "DCC Send * (%)" as its mask to catch a dcc send.
_________________
Follow me on GitHub
- Opposing
Public Tcl scripts
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
Posted: Thu May 31, 2007 6:13 pm
A notice is not mandatory, and will not work reliably with some clients.
As for raw vs. ctcp bindings, ctcp would probably be easier, as you won't have to extract all the bits and pieces to figure out it's a ctcp message, or that the keyword is "DCC". Both bindings do allow you to prevent further processing using return codes.
As for the format of the actual transfer negotiation, it's a ctcp with keyword "DCC" and parameters "SEND <filename> <ipaddress> <port> <filesize>". IP and port are expected to be unsigned integers (aka "longip").
http://www.kvirc.de/docu/doc_dcc_connection.html provides some further info on the dcc subprotocol.
_________________
NML_375, idling at #eggdrop@IrcNET
Sir_Fz Revered One
Joined: 27 Apr 2003 Posts: 3793 Location: Lebanon
Posted: Thu May 31, 2007 8:11 pm
Yes indeed, I forgot to mention. So you can do something like:
Code:
bind ctcp - DCC dcc:send
proc dcc:send {nick uhost hand dest kw arg} {
  if {[isbotnick $dest] && [string match "SEND *" $arg]} {
    # DCC SEND detected
  }
}
awyeah Revered One
Joined: 26 Apr 2004 Posts: 1580 Location: Switzerland
Posted: Sat Jun 02, 2007 3:57 am
DALnet is a bit different, dealing with DCC sends on the bahamut IRCd. I tried bind ctcp with DCC as the keyword, and got no response when I sent a file to the bot via DCC.
The only response was from Notice. So there are two options: either use bind raw with the keyword NOTICE, or just simply bind notc. Hence, for simplicity, I used bind notc.
These were the responses on bind notc when I sent a file to the bot.
Quote:
($nick) ($uhost) ($hand) ($text) ($dest)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send mirc.exe (219.92.24.7)) (adapter)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send spamrem.zvk (219.92.24.7)) (adapter)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send servers.ini (219.92.24.7)) (adapter)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send aliases.ini (219.92.24.7)) (adapter)
<adapter> (awyeah-) (awyeah@219.92.24.7) (*) (DCC Send remote.ini (219.92.24.7)) (adapter)
So if anyone sends your bot a file, the bot will remove that person from any of the channels the bot is on. This is the script for DALnet, utilizing bind notc.
Code:
bind notc - "*" dcc:exploit:check
proc dcc:exploit:check {nick uhost hand text {dest ""}} {
  global botnick
  if {[isbotnick $nick] || [string equal $nick "ChanServ"] || [string equal $nick "NickServ"] || [string equal $nick "MemoServ"] || ($nick == "") || [matchattr $hand mnof|mnof]} { return 0 }
  if {[string equal "@" [string index $dest 0]] && [string equal "#" [string index $dest 1]]} { return 0 }
  if {[string equal "#" [string index $dest 0]] && [string match "#*" $dest]} { return 0 }
  if {[isbotnick $dest]} {
    if {[string equal "4" [split [llength $text]]] && [string equal "DCC Send" [lrange $text 0 1]] && ([regexp -all {\.} [lindex $text 2]] <= 3) && [string match "(%)" [lindex $text 3]]} {
      foreach chan [channels] {
        if {[botisop $chan] && [onchan $nick $chan] && ![isop $nick $chan] && ![isvoice $nick $chan]} {
          putquick "MODE $chan +b *!*@[lindex [split $uhost @] 1]" -next
          putquick "KICK $chan $nick :DCC Exploit Infected File - You are sending a infected file to channel users. You are infected with a DCC exploit. Please join #nohack to clean your infected PC."
        }
      }
    }
  }
}
Thanks for your help on this, nml375 and Sir_Fz! Really appreciate it.
So I guess Sir_Fz was right using notc and the matching keyword. Sorry, since I initially forgot to mention this is to be used for DALnet.
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
Posted: Sat Jun 02, 2007 9:47 am
Once again, however, I must stress that this notice is mainly a feature of mIRC (and a few other clients). This will most likely not prevent any more advanced viruses utilizing irc to spread themselves.
As for using the ctcp binding, it works just fine for me. Which network you are using really shouldn't matter at all, as any and all ircd's should simply forward PRIVMSGs from client to client, without interfering or altering the message. Also, not even mIRC will try to receive a dcc transfer if you simply send the notice (especially since it lacks information on which port to connect to).
Sir_Fz Revered One
Joined: 27 Apr 2003 Posts: 3793 Location: Lebanon
Posted: Sat Jun 02, 2007 9:49 am
Actually, I tested it on my Eggdrop on DALnet and the ctcp worked just fine. This is what a user receives when a DCC send is requested (raw):
Quote:
:<nick>!<user>@<host> NOTICE <receiver> :DCC Send dalnet.txt (<ip>)
:<nick>!<user>@<host> PRIVMSG <receiver> :☺DCC SEND dalnet.txt 32322483 21 4602 374☺
on DALnet. The '☺' character is \001.
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
Posted: Sat Jun 02, 2007 10:14 am
Oh, also forgot, I doubt this is what you actually intended:
Code: [string equal "4" [split [llength $text]]]
More likely you're trying to split $text into a list, and then get the length of the list... also, since you're comparing integers, == would suffice, so no need for string equal.
Next,
Code: [regexp -all {\.} [lindex $text 2]] <= 3
$text is a string, not a list :p And why are you counting the number of dots in the filename? *confused*
Finally, this is just overkill, the second test catches any and all conditions of the first one, making it obsolete.
Code: [string equal "#" [string index $dest 0]] && [string match "#*" $dest]
I also do not get why you are checking for @ as the first character of dest... But maybe that's something I've forgotten from the rfc's...
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
Posted: Sat Jun 02, 2007 3:37 pm
Ohh, also, when you tried the ctcp approach, did you make sure you used "DCC" as keyword and nothing else (such as "DCC Send")?
r0t3n Owner
Joined: 31 May 2005 Posts: 507 Location: UK
Posted: Sat Jun 02, 2007 5:05 pm
Who says that the file being sent/sender is infected? Maybe it's just a normal user sending a file.....
_________________
r0t3n @ #r0t3n @ Quakenet
awyeah Revered One
Joined: 26 Apr 2004 Posts: 1580 Location: Switzerland
Posted: Mon Jun 04, 2007 1:54 am
Tosser^^ wrote:
    Who says that the file being sent/sender is infected? Maybe it's just a normal user sending a file.....
I added it on joining a channel; if a user sends a file almost immediately on join, then the user is definitely infected. And then I also added file extension checks using regexp.
Last edited by awyeah on Mon Jun 04, 2007 2:06 am; edited 1 time in total
awyeah Revered One
Joined: 26 Apr 2004 Posts: 1580 Location: Switzerland
Posted: Mon Jun 04, 2007 1:56 am
nml375 wrote:
    Ohh, also, when you tried the ctcp approach, did you make sure you used "DCC" as keyword and nothing else (such as "DCC Send")?
Yes I tried:
Code:
bind ctcp - DCC proc_here
I didn't use "DCC Send" as the keyword however.
The weird thing is, I didn't see the proc being executed, so I checked it with putlog also; the same thing, the proc didn't fire. Anyway, PRIVMSG also worked, yep, but NOTICE was more relevant so I stuck with it.
awyeah Revered One
Joined: 26 Apr 2004 Posts: 1580 Location: Switzerland
Posted: Mon Jun 04, 2007 2:05 am
nml375 wrote:
    Oh, also forgot, I doubt this is what you actually intended:
    Code: [string equal "4" [split [llength $text]]]
    More likely you're trying to split $text into a list, and then get the length of the list... also, since you're comparing integers, == would suffice, so no need for string equal.
    Next,
    Code: [regexp -all {\.} [lindex $text 2]] <= 3
    $text is a string, not a list :p And why are you counting the number of dots in the filename? *confused*
    Finally, this is just overkill, the second test catches any and all conditions of the first one, making it obsolete.
    Code: [string equal "#" [string index $dest 0]] && [string match "#*" $dest]
    I also do not get why you are checking for @ as the first character of dest... But maybe that's something I've forgotten from the rfc's...
As for this:
Code:
[string equal "4" [split [llength $text]]]
Yes, I'll try to omit the split. But I am matching 4 parameters here, so there should always be 4, else stop there immediately.
The "==" sign is also recommended for this case, but I overlooked it; anyway, both would produce the same result. Well, the one thing I will observe is that the equality (==) will execute faster than string equal, if I am correct.
For this:
Code:
[regexp -all {\.} [lindex $text 2]] <= 3
I am trying to match:
Quote:
DCC Send mirc.exe (219.92.24.7)
DCC Send remote.txt.ini (219.92.24.7)
DCC Send versions.tar.gz (219.92.24.7)
DCC Send alias.ini.scr.com (219.92.24.7)
The letters in bold, meaning the file name: these are very good examples of infected files. The extension of the file name is changed, or an additional extension is added, to cloak the original file being sent. This is encountered mostly on DALnet.
Thirdly:
Code:
[string equal "#" [string index $dest 0]] && [string match "#*" $dest]
Yeah, I guess I overlooked this. After seeing the complete proc, this statement is redundant and already implemented, so it should be removed.
Checking @ as first character.. remember OPNOTICE? Sometimes channel ops use opnotice, so dest is like "@#channel", and even ChanServ on DALnet uses opnotices, for VERBOSE commands mostly.
awyeah Revered One
Joined: 26 Apr 2004 Posts: 1580 Location: Switzerland
Posted: Mon Jun 04, 2007 2:14 am
This should be the final code:
Code:
bind notc - "*" dcc:exploit:check
proc dcc:exploit:check {nick uhost hand text {dest ""}} {
  if {[isbotnick $nick] || [string equal $nick "ChanServ"] || [string equal $nick "NickServ"] || [string equal $nick "MemoServ"] || ($nick == "") || [matchattr $hand mnof|mnof]} { return 0 }
  if {[string equal "#" [string index $dest 0]] || [string equal "@" [string index $dest 0]] && [string equal "#" [string index $dest 1]]} { return 0 }
  if {[isbotnick $dest]} {
    if {([llength $text] == "4") && [string equal "DCC Send" [lrange $text 0 1]] && ([regexp -all {\.} [lindex $text 2]] >= 1) && ([regexp -all {\.} [lindex $text 2]] <= 3) && [string match "(%)" [lindex $text 3]]} {
      foreach chan [channels] {
        if {[botisop $chan] && [onchan $nick $chan] && ![isop $nick $chan] && ![isvoice $nick $chan]} {
          putquick "MODE $chan +b *!*@[lindex [split $uhost @] 1]" -next
          putquick "KICK $chan $nick :DCC Exploit Infected File - You are sending a infected file to channel users. You are infected with a DCC exploit. Please join #nohack to clean your infected PC."
        }
      }
    }
  }
}
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
Posted: Mon Jun 04, 2007 12:20 pm
Still, $text is not a list, so you can't use llength, lindex or lrange here without split.
Never heard of opnotice, but then again I do not use services such as chanserv... However, this being a service means that it will not trigger notc bindings, virtually making the @#-matching useless...
I still don't see the point in counting the number of dots, as "valid" files seldom would have 4 or more dots, and for someone malicious it'd be merely a matter of adding another dot in the filename.
Finally, wouldn't it just be simpler matching something like this?:
Code: string match "DCC Send % (%)" $text
I'd probably implement it roughly like this tho:
Code:
bind ctcp -of&-of DCC check_send
bind ctcp -of&-of XDCC check_send
proc check_send {nick host hand dest key text} {
  set subkey [lindex [split $text] 0]
  if {[string equal -nocase $subkey "send"]} {
    foreach chan [channels] {
      pushmode $chan +b "*!*@[lindex [split $host "@"] end]"
      putkick $chan $nick "Unsolicited dcc send requested. Banning..."
    }
    return 1
  }
  return 0
}
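As an added example (not code from this thread, from Eggdrop, or from any of the posters), here is pure Tcl that can be run with tclsh outside a bot. It covers two points raised above: nml375's description of the CTCP DCC SEND payload ("SEND <filename> <longip> <port> <filesize>", with the longip decoded to a dotted quad) and the mIRC-style notice that awyeah matched on, and it shows the parsing done with split instead of treating $text as a list. The proc names, the executable-extension list and the sample messages are all my own constructed assumptions; no Eggdrop builtins are used, so in a real ctcp or notc proc you would call these after checking [isbotnick $dest] and the user's flags.

```tcl
# Added example, not code from the thread or from Eggdrop: pure Tcl, runnable
# with tclsh, that parses the two messages a bot can see for a DCC SEND and
# classifies them. Proc names are mine; no Eggdrop builtins are used.

# Decode a "longip" (unsigned 32-bit integer, as used in the CTCP) to
# dotted-quad form. Returns "" when the value is not a valid longip.
proc longip2ip {longip} {
    if {![string is wideinteger -strict $longip] || $longip < 0 || $longip > 4294967295} {
        return ""
    }
    return [format "%d.%d.%d.%d" \
        [expr {($longip >> 24) & 0xff}] [expr {($longip >> 16) & 0xff}] \
        [expr {($longip >> 8) & 0xff}] [expr {$longip & 0xff}]]
}

# Parse the text argument of a ctcp bind with keyword DCC:
#   "SEND <filename> <longip> <port> <filesize>"
# $text is a plain string, so it is broken into fields first (nml375's point).
# Assumption: a filename that contains spaces arrives double-quoted.
# Returns a key/value list (file ip port size) or {} if not a well-formed SEND.
proc parse_dcc_send {text} {
    set fields [regexp -all -inline {\S+} $text]
    set n [llength $fields]
    if {$n < 5 || ![string equal -nocase "SEND" [lindex $fields 0]]} { return {} }
    set file [string trim [join [lrange $fields 1 [expr {$n - 4}]]] \"]
    set ip   [longip2ip [lindex $fields end-2]]
    set port [lindex $fields end-1]
    set size [lindex $fields end]
    if {$ip == "" || ![string is integer -strict $port] || $port < 0 || $port > 65535 \
            || ![string is wideinteger -strict $size] || $size < 0} {
        return {}
    }
    return [list file $file ip $ip port $port size $size]
}

# Parse the mIRC-style notice "DCC Send <filename> (<ip>)" that some clients
# send alongside the CTCP. It carries no port, so it only hints at a send.
proc parse_dcc_notice {text} {
    if {![regexp {^DCC Send (.+) \(([^() ]+)\)$} $text -> file ip]} { return {} }
    return [list file $file ip $ip]
}

# The thread's filename heuristic made explicit: flag a name whose final
# extension is an executable type, which also covers stacked extensions such
# as "alias.ini.scr.com". The extension list is a constructed sample, not a
# complete one. Dot-counting is deliberately not used: "versions.tar.gz" is a
# legitimate name with two dots, and a sender can add dots freely.
proc suspicious_filename {file} {
    set exec_exts {exe scr com pif bat cmd vbs}
    set parts [split [string tolower $file] .]
    if {[llength $parts] < 2} { return 0 }
    return [expr {[lsearch -exact $exec_exts [lindex $parts end]] >= 0}]
}

# What a bot-side proc would conclude for a message addressed to the bot.
# kind is "ctcp" (text after the DCC keyword) or "notice" (the notice text).
# Returns ignore, send or suspicious-send.
proc classify_dcc {kind text} {
    switch -- $kind {
        ctcp    { set info [parse_dcc_send $text] }
        notice  { set info [parse_dcc_notice $text] }
        default { return ignore }
    }
    if {[llength $info] == 0} { return ignore }
    array set f $info
    if {[suspicious_filename $f(file)]} { return suspicious-send }
    return send
}

# Constructed sample traffic (not captured from any network):
set samples [list \
    [list ctcp   "SEND mirc.exe 3232248321 4602 374"] \
    [list ctcp   "SEND \"my notes.txt\" 3232248321 4602 374"] \
    [list ctcp   "CHAT chat 3232248321 4602"] \
    [list ctcp   "SEND evil.exe notanip 4602 374"] \
    [list notice "DCC Send alias.ini.scr.com (192.0.2.10)"] \
    [list notice "DCC Send versions.tar.gz (192.0.2.10)"]]

foreach sample $samples {
    foreach {kind text} $sample break
    puts [format "%-6s %-44s -> %s" $kind $text [classify_dcc $kind $text]]
}
puts "longip 3232248321 decodes to [longip2ip 3232248321]"
```

The sample run classifies the first ctcp line and the stacked-extension notice as suspicious-send, the two plain filenames as send, and the CHAT request and the line with an unparseable longip as ignore; 3232248321 decodes to 192.168.50.1. Keeping the parsing separate from the kick/ban action lets the checks be exercised with tclsh before they are wired into a bind, and it avoids the llength/lindex-on-a-string problem discussed above.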