alekleet Voice
Joined: 15 Jan 2008 Posts: 14
|
Posted: Tue Jan 15, 2008 3:14 pm Post subject: eggdrop hacking |
|
|
Two days ago my eggnet gave op to unknown users/nicks and they took my channel. I checked all my shells and bots' userfiles and there is no added user who can give op or take a channel. The same guy who took my channel also took a lot of other channels (like 15-20). I want to know how I can protect my botnet from these kinds of hacks. Please, can anyone help me? Thanks in advance.
 |
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
|
Posted: Tue Jan 15, 2008 3:20 pm Post subject: |
|
|
We would need some information on which version of eggdrop you are running, where you retrieved the source or binary, whether it was source or a precompiled package (binary), which scripts you are using, what type of irc-servers you have been using (which irc network if you do not know which server-platform they use).
Also, if you can find anything "odd" or strange in your logs, that information might be helpful as well.
_________________ NML_375, idling at #eggdrop@IrcNET
 |
YooHoo Owner

Joined: 13 Feb 2003 Posts: 939 Location: Redwood Coast
|
Posted: Tue Jan 15, 2008 6:06 pm Post subject: |
|
|
also check your userlist for easy to fake and/or new hostmasks (.match * 999).. might be a good idea to check your logfiles to find out what commands were issued and by whom _________________
Johoho's TCL for beginners
 |
alekleet Voice
Joined: 15 Jan 2008 Posts: 14
|
Posted: Tue Jan 15, 2008 7:10 pm Post subject: |
|
|
version: eggdrop-1.6.18
scripts:
source scripts/alltools.tcl
source scripts/action.fix.tcl
source scripts/netbots/netbots.tcl
source scripts/netbots/superbitch.tcl
source scripts/bitchxpack1.50.tcl
source scripts/getops.tcl
network: undernet
servers:
lelystad.nl.eu.undernet.org:6667
london.uk.eu.undernet.org:6667
oslo2.no.eu.undernet.org:6667
zagreb.hr.eu.undernet.org:6667
carouge.ch.eu.undernet.org:6669
ede.nl.eu.undernet.org:6667
us.undernet.org:6667
elsene.be.eu.undernet.org:6667
amsterdam.nl.eu.undernet.org:6667
amsterdam2.nl.eu.undernet.org:6668
oslo1.no.eu.undernet.org:6666
diemen.nl.eu.undernet.org:6667
I downloaded it from eggheads and it was source.
I can't/don't know how to find logs of chat.... and I checked the userfile ... there is nothing new ...
That guy took the channels with a trick or he hacked them .... that guy took channels from three other botnets ...
 |
Alchera Revered One

Joined: 11 Aug 2003 Posts: 3344 Location: Ballarat Victoria, Australia
|
Posted: Tue Jan 15, 2008 7:18 pm Post subject: |
|
|
Logs are stored in the ........... wait for it ........ "logs" directory.
Using Nick!*@* for a user's host is risky and if you have used this format then you'd better change that habit.  _________________ Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM |
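
An added example, not part of any post in this thread and not eggdrop code: a small audit for the hostmask advice above (YooHoo's "easy to fake" hostmasks and Alchera's Nick!*@* warning). The input format (one "handle hostmask" pair per line), the verdict names and the sample entries are assumptions constructed for illustration.

```python
import re

# A mask component made only of wildcards constrains nothing.
WILD_ONLY = re.compile(r"^[*?]+$")

def split_mask(mask):
    """Split nick!ident@host; return None when a part is missing."""
    nick, bang, rest = mask.partition("!")
    ident, at, host = rest.rpartition("@")
    if not (bang and at and nick and ident and host):
        return None
    return nick, ident, host

def classify(mask):
    """Return 'ok' or the reason a stranger could match this mask."""
    parts = split_mask(mask)
    if parts is None:
        return "malformed"
    nick_w, ident_w, host_w = (bool(WILD_ONLY.match(p)) for p in parts)
    if nick_w and ident_w and host_w:
        return "matches-everyone"   # *!*@*
    if ident_w and host_w:
        return "nick-only"          # Nick!*@*: whoever holds the nick matches
    if host_w:
        return "no-host"            # nothing ties the entry to a host
    return "ok"

def audit(lines):
    """Return (handle, mask, verdict) for every entry that is not 'ok'."""
    findings = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                # skip blanks and comments
        handle = fields[0]
        mask = fields[1] if len(fields) == 2 else " ".join(fields[1:])
        verdict = classify(mask)
        if verdict != "ok":
            findings.append((handle, mask, verdict))
    return findings

# Constructed sample export, assumed format: "<handle> <hostmask>" per line.
SAMPLE = """\
owner1 *!*@username.users.undernet.org
op1 *!*ident@host.com
op2 SomeNick!*@*
op3 *!*@*
op4 *!someident@*
"""

if __name__ == "__main__":
    for handle, mask, verdict in audit(SAMPLE.splitlines()):
        print(f"{handle:8} {mask:18} {verdict}")
```

The two mask styles alekleet describes in the next post pass this check; the op2, op3 and op4 entries are the ones reported.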
 |
alekleet Voice
Joined: 15 Jan 2008 Posts: 14
|
Posted: Tue Jan 15, 2008 7:33 pm Post subject: |
|
|
egg@edge:~/eggdrop/logs$ ls
CONTENTS
egg@edge:~/eggdrop/logs$
There are no logs and I never use hosts like nick*!*@*, strictly *!*@username.users.undernet.org or *!*ident@host.com ....
 |
Alchera Revered One

Joined: 11 Aug 2003 Posts: 3344 Location: Ballarat Victoria, Australia
|
Posted: Tue Jan 15, 2008 9:07 pm Post subject: |
|
|
| alekleet wrote: | egg@edge:~/eggdrop/logs$ ls
CONTENTS
egg@edge:~/eggdrop/logs$
There are no logs and I never use hosts like nick*!*@*, strictly *!*@username.users.undernet.org or *!*ident@host.com .... |
You need to recheck your 1.6.18 configuration against the tutorial: Setting up an Eggdrop
Anyone that gets hold of a user's channel/ops pass can simply use services without any need for eggdrop access or eggdrop opping them.
It's impossible for eggdrop to even stop a channel takeover! _________________ Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM |
 |
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
|
Posted: Tue Jan 15, 2008 9:07 pm Post subject: |
|
|
There is one confirmed remote exploit in 1.6.18 relating to lack of bounds-checking the sender when PRIVMSG (and other) commands are received. So far, this has required the use of bogus irc-servers, as RFC-compliant servers do not exceed this bound. Using this exploit would require the aggressor to make your bot connect to a bogus server.
The lack of logfiles is bad news; could you check your config-file whether you have any "logfile" commands in there?
As for your scripts, I can't think of any known backdoors/issues with those.
_________________ NML_375, idling at #eggdrop@IrcNET
 |
alekleet Voice
Joined: 15 Jan 2008 Posts: 14
|
Posted: Wed Jan 16, 2008 6:50 am Post subject: |
|
|
So can anyone tell me how to make an eggdrop 100% secure?
Which scripts, servers, version and all .... I want to have an eggdrop 100% secured from hacking.
 |
alekleet Voice
Joined: 15 Jan 2008 Posts: 14
|
Posted: Wed Jan 16, 2008 7:20 am Post subject: |
|
|
And ... a guy who had the same thing happen to him told me to patch my eggdrops. What do you think about that?
 |
YooHoo Owner

Joined: 13 Feb 2003 Posts: 939 Location: Redwood Coast
|
 |
rosc2112 Revered One

Joined: 19 Feb 2006 Posts: 1454 Location: Northeast Pennsylvania
|
Posted: Wed Jan 16, 2008 10:28 am Post subject: |
|
|
| alekleet wrote: | So can anyone tell me how to make an eggdrop 100% secure?
Which scripts, servers, version and all .... I want to have an eggdrop 100% secured from hacking. |
The only security you're assured, is what you educate yourself to manage.
Otherwise, you might as well unplug your computer and put it in the closet. |
 |
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
|
Posted: Wed Jan 16, 2008 12:32 pm Post subject: |
|
|
| alekleet wrote: | And ... a guy who had the same thing happen to him told me to patch my eggdrops. What do you think about that? |
Did he tell you which/what patches to apply? The only publicly spread patch for 1.6.18-eggies is a fix for the bug I mentioned earlier. Exploiting that bug is quite difficult, as the hacker would have to use a nick!ident@host that exceeds some 320 characters or such and would have to contain the code to be injected. In essence, the hacker would have to make your bot join his fake server.
_________________ NML_375, idling at #eggdrop@IrcNET
 |
alekleet Voice
Joined: 15 Jan 2008 Posts: 14
|
Posted: Wed Jan 16, 2008 8:02 pm Post subject: |
|
|
That guy took my channel again, and I was on the chat on the eggdrops and there was nothing. He gave about 15-20 ops and I didn't see anything on chat. I don't know how this is possible, but I'll be happy if somebody tells me how to fix this.
 |
nml375 Revered One
Joined: 04 Aug 2006 Posts: 2857
|
Posted: Wed Jan 16, 2008 8:22 pm Post subject: |
|
|
Unfortunately, with this very limited information, it's literally impossible to tell whether this is a simple matter of incorrect configuration, a bugged script, or any bug within the source (known or not).
When this last takeover occurred, did you check the .channel listing? I'm a bit puzzled that your bot apparently does nothing when he ops other people (as you have the netbots superbitch.tcl script loaded).
_________________ NML_375, idling at #eggdrop@IrcNET