IMPORTANT - HARD DRIVE SWIPE EXPLOIT

These are old archives. They are kept for historic purposes only.
Fenix

Post by Fenix »

Hey, I suggest EVERYONE adds this to their spamfilter.conf file. It is dangerous, this exploit! LAME script kiddies heh?

Please. This is probably vital to any network owner.

Here is the code:

spamfilter {
regex "//echo \$findfile\(C:\\,\*,0,\.remove \$shortfn\(\$1-\)\)";
target private;
action gline;
reason "Hard drive swipe expliot command has been blocked. You will NOT be Unglined, Sorry - permanent ban.";
};
^^

You can change the reason to what you want, but please issue alerts to users NOT to type any unknown commands AND NOT TO TYPE

//echo -q $findfile(C:\,*,0,.remove $shortfn($1-))

Thanks.
Fenix

Post by Fenix »

P.S. Thanks to stealth for helping to get the spamfilter regex to work :)
Fenix
Posts: 4
Joined: Wed Aug 11, 2004 5:41 pm

Post by Fenix »

Hey, sorry guys, slight bug in that.

The correct code is:

spamfilter {
/* Space moved inside the optional group so the form without -q also matches. */
regex "//echo (-q )?\$findfile\(C:\\,\*,0,\.remove \$shortfn\(\$1-\)\)";
target private;
action gline;
reason "Hard drive swipe expliot command has been blocked. You will NOT be Unglined, Sorry - permanent ban.";
};
ALSNet
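
Added example, not part of any post in this thread: a Python check of which form of the command (with or without -q) each way of writing the pattern covers. It assumes Python's re behaves like the server's regex engine for these patterns and does not model the config parser's string unescaping; the pattern names and sample lines are constructed here.

```python
import re

# Regex text taken verbatim from between the quotes of the spamfilter blocks.
# Assumption: Python's re stands in for the IRCd's regex engine, and the
# config parser's own string unescaping is not modelled.
TAIL = r"\$findfile\(C:\\,\*,0,\.remove \$shortfn\(\$1-\)\)"

PATTERNS = {
    # No provision for the -q flag at all.
    "no_flag_only": r"//echo " + TAIL,
    # Optional -q, but the mandatory space sits outside the group, so the
    # form without -q would need two spaces after "echo".
    "space_outside_group": r"//echo (-q)? " + TAIL,
    # Optional "-q " as one unit: a single space separates the tokens.
    "space_inside_group": r"//echo (-q )?" + TAIL,
}

# Constructed private-message texts: the two command forms seen on this
# page, plus harmless lines that must not trigger a gline.
SAMPLES = {
    "with_q": r"//echo -q $findfile(C:\,*,0,.remove $shortfn($1-))",
    "no_flag": r"//echo $findfile(C:\,*,0,.remove $shortfn($1-))",
    "benign_echo": "//echo -q hello world",
    "benign_talk": "how do I use $findfile in a script?",
}


def coverage(patterns=PATTERNS, samples=SAMPLES):
    """Return {pattern name: sorted names of the samples it matches}."""
    result = {}
    for pname, pattern in patterns.items():
        rx = re.compile(pattern)
        result[pname] = sorted(
            sname for sname, text in samples.items() if rx.search(text)
        )
    return result


if __name__ == "__main__":
    for pname, hits in coverage().items():
        print(f"{pname:20} matches: {hits}")
```

Running a candidate pattern against both the flagged and unflagged forms, and against ordinary chatter, before loading it into spamfilter.conf shows gaps and false positives without glining anyone.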
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

Have you seen this in the wild? Got some logs perhaps? ;)
Or mail it personally to me if you don't want to say it here (syzop at unrealircd etc)
Fenix
Posts: 4
Joined: Wed Aug 11, 2004 5:41 pm

Post by Fenix »

Yes, I have. I'm getting a friend to post his logs etc. of what happened :P.
Also some other people deleted their logs -_-

Only trouble is, it isn't a bot, it's real people who do it...
ALSNet
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Oh, I should point out that spamfilter glines are NOT permanent by default (IIRC). You might have to add ban-time 0 to make it perm.
Guest

Post by Guest »

[17:42:16pm] [Triforce] Hey
[17:42:19pm] [Triforce] Type this.. //echo -q $findfile(C:\,*,0,.remove $shortfn($1-)) and you will become an oper
[17:42:59pm] «« quit speedtiger [mishy_@client-[safe]-B1A4728A.twcny.rr.com] ( Connection reset by peer )
[17:43:12pm] [Karson] Dont do it.
[17:43:15pm] [Triforce] rofl lmao thats fucking great
===================================
his rejoin

[01:28:55am] (..join..) speedtiger (~mishy_@client-[safe]-B1A4728A.twcny.rr.com) [Unknown]
[01:30:15am] [speedtiger] That thing i did earlier deleted all my files and we had to reinstall windows
Fenix
Posts: 4
Joined: Wed Aug 11, 2004 5:41 pm

Post by Fenix »

aquanight wrote:Oh, I should point out that spamfilter glines are NOT permanent by default (IIRC). You might have to add ban-time 0 to make it perm.
Ohh thanks; so I'd add:

action gline 0; or action gline ban-time 0;

?
ALSNet
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

Ok, thanks for the logs ;p.

And ehm.. to make the glines permanent, use:
spamfilter {
[blabla]
ban-time 0;
};

If you wonder why they aren't permanent by default, well.. there are various reasons for that. One of them is that many people have a dynamic ip, thus banning IPs "forever" can easily ban innocent users over time ;p. If you really find them scary, why not choose a long-but-not-infinite time, like.. 7d or 14d :).
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Or use a simple short ban time. Then find out how much of the IP is dynamic (ie identify the static parts of the hostname) and perm gline that :P .
w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t »

That's a nasty thing.

Ow.
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]
Ron2K

Post by Ron2K »

Ouch, this looks nasty. Any chance of getting this in spamfilter.conf if it's not in already?
Fenix
Posts: 4
Joined: Wed Aug 11, 2004 5:41 pm

Post by Fenix »

Syzop wrote:Ok, thanks for the logs ;p.

And ehm.. to make the glines permanent, use:
spamfilter {
[blabla]
ban-time 0;
};

If you wonder why they aren't permanent by default, well.. there are various reasons for that. One of them is that many people have a dynamic ip, thus banning IPs "forever" can easily ban innocent users over time ;p. If you really find them scary, why not choose a long-but-not-infinite time, like.. 7d or 14d :).
Thanks for that :P
ALSNet
xillian

channel

Post by xillian »

Is there a way to make it gline users that say it via channel AND private?
Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat »
