egghelp.org community

[alekleet]

<`alias> some ppl say that's it's an eggdrop bug
<`alias> others like wget say's psybnc bug
<`alias> others mirc bug
<ALEKx> awww D
<ALEKx> so how we can protect from all those bugs ?
<`alias> i don't know )
<ALEKx> if he dont know the ip of the eggdrops and if they are silence he can use the bug ?
<`alias> not a clue ... i don't think so


how i can protect my eggdrops from bugs i dont use psybnc.

[Zircon]

Hi there

I see that you use Undernet. In this network, there is a something called ChanFix. It s an automated service to reop opless unregistered channels, and also reverse the situation in case of a takeover. I think that you always lose the OP, coz the other person was OP there long time before you...So even if you succeed becoming OP, the ChanFix will operate, deop you and op The other person. Check this : http://help.undernet.org/faq.php?what=chanfix and specially this : http://help.undernet.org/faq.php?what=chanfix#04

[nml375]

Simply pointing the finger at this or that application, without displaying what the suspicion is based upon or what "proof" there is, is a very bad thing.

How can you protect your eggdrop from known bugs in the source?
Applying proper patches and/or upgrade whenever a new stable version becomes available.

How can you protect your eggdrop from unknown bugs in the source?
You can't since they're not known. If you encounter one of these, you can help sorting it out with proper bugreports and investigative work.

How can you protect your eggdrop from known bugs in scripts?
Simply, don't use the script, find something that works instead.

How can you protect your eggdrop from unknown bugs in scripts?
Unload any and all scripts if you encounter bugs, see if it persists. If not, load scripts one by one until the bug reappears and you figure out which script is to blame. Then send a bugreport to the author.
_________________
NML_375, idling at #eggdrop@IrcNET

[Zircon]

It s a possible reason...is it the real reason ? i dont know, i m not god. Like you said, we have no log to prove something or the other. And it s not a bad thing to point possible reasons. In my post, i said "i think". And not "i m sure"

[nml375]

Zircon: wasn't referring to your post
Right now, with the limited information provided, we're only guessing at what's causing this. alekleet is claiming his eggdrop was the one to op the hacker, which would rule out ChanFix (assuming there is no ircop involved).
_________________
NML_375, idling at #eggdrop@IrcNET

[Zircon]

nml375 : oh sorry then.
Coz i just saw this post from alekleet :

[Alchera]

If that network had DALnet's ChanServ "why" function one would know in a second how this channel "hacking" is being achieved.

To my mind this has nothing to do with eggdrop and all to do with a "stolen" pass.
_________________
Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM

[rosc2112]

There's a whole lot of eggdrops on Undernet, but only 1 person appears to be getting hacked - user error most likely. A user who should not be running an eggdrop, if they cannot figure out how to secure it.

[alekleet]

first. not 1 guy , there are lot of guys but jus i`m registered here.


i`m the biggest score on my channel and noone can reop it with chanfix and if somebody do that we will see and i`ll dont come to eggdrop forum for help.

<WGeTz> keep the channel close (+k)
<WGeTz> Coz they have a eggdrop bug:)
<WGeTz> And they make take over:P
<aLLEK> he can take it with +d +x n +silence ?
<WGeTz> hehe
<WGeTz> yes:)
<WGeTz> He can.
<aLLEK> lewl
<WGeTz> Your choose if u keep the channel open.I close my channels:)
<aLLEK> how ? if he dont know hostname and he cant chat ... ?
<WGeTz> With a mirc bruteforget passwd, i don't know exactly.
<WGeTz> Try it, if u know this is the best
<WGeTz> Anyway, the best deal is too keep the chanenl close...
<WGeTz> Or change the eggdrop setups
<aLLEK> i installed new eggdrops
<aLLEK> i make them all +x +d +silence
<aLLEK> i set telnet protect
<WGeTz> I see...
<WGeTz> Use a oldest version
<WGeTz> Don't use this new egg vers.
<aLLEK> ok
<aLLEK> thanks
<WGeTz> The bug is on the new vers.
<WGeTz> use old
<WGeTz> Listen to me:)
<WGeTz> I know the guys
<WGeTz> ...
<aLLEK> ok thanks

[nml375]

A comment or two:
* Bruteforcing passwords are not related to bugs. It's just a matter of trying password after password until a match is found.

I'm not familiar with undernet, but as I've understood it, "/silence +*!*@*" would block any private messages to your bot - yet this does not protect your bot from this bug? You also said there was nothing seen in the channel prior to the takeover occured?
If both are true, this means he had no means of contacting the bot through the irc network, and thus must've telnet:d to your bot, either portscanning the host or already knowing which ports your bot listens to.

One thing that does come to mind now is some old bug in the botnet-code where an untrusted source could succeed with linking into the botnet under certain conditions.

I believe the bug was something like reported on this link: http://marc.info/?l=bugtraq&m=107634593827102&w=2
I believe this bug was sorted out many versions ago.
_________________
NML_375, idling at #eggdrop@IrcNET

[rosc2112]

If this is not utter bullcrap, I suggest someone who knows how to use a packet sniffer set up a tarpit bot, with the cooperation of alekleet to use his channel, set up a bot that can be traced with wireshark so you can log the traffic. Let the bot get hacked, but collect data in the process.

And no, I'm not volunteering, because I'm not convinced this is anything other than user error.

So, Al, produce some proof with wireshark logs.

[Alchera]

[Zircon]

Hello alekleet

I highly doubt it s an aggdrop bug/hack. We absolutely need the log of your channel, so we can have facts and not only figure what may did happen....So you have to turn on the log. In your .config file :

[rosc2112]

If its an internal bug in eggdrop, or even a script hack, you won't likely find anything useful in eggdrop's logs. A Packet sniffer will show everything going on.

[alekleet]

where i can find packet sniffer ? can anyone from here help me ?