Hlep protecting server from proxys/clone bots!

These are old archives. They are kept for historic purposes only.
Post Reply
goldrunner
Posts: 6
Joined: Wed Jan 11, 2006 3:07 am
Contact:

Hlep protecting server from proxys/clone bots!

Post by goldrunner » Wed Jan 11, 2006 3:44 am

Hi,

Can someone please tell me how i can stop proxys and clone bots joining i tried setting up AntiRandom but while compiling the module i get tons of c++ errors. I had 400+ clones on the server at one stage :( i have also tried spamfilter but i get this error " *** Notice -- error: spamfilter.conf:209: spamfilter::action is missing" with my code below :-

spamfilter {
regex "^[a-z][0-9]{1,4}!~[a-z][0-9]{1,4}@.+:[a-z]{6}$";
target { private; channel; }
action block;
reason "Clone flood";

};

Please help and i tried bopm but it dont run when i do ./bopm :x

Thankyou

Goldrunner

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Post by Stealth » Wed Jan 11, 2006 4:12 am

spamfilter {
regex "^[a-z][0-9]{1,4}!~[a-z][0-9]{1,4}@.+:[a-z]{6}$";
target { private; channel; }
action block;
reason "Clone flood";

};
Why it is not working:
  1. Your regex is for a user target, even though your target is a user
  2. You have a missing semi-colon ";"
  3. You might want to use a better action, like gline or gzline
  4. Don't forget to specify a time with that!
  5. I think a better reason might be good too...

JIVXor
Posts: 134
Joined: Fri Sep 09, 2005 10:53 pm
Location: Cuba

Post by JIVXor » Wed Jan 11, 2006 4:26 am

[*]Your regex is for a user target, even though your target is a user
He meant


even though your target isN'T a user



And the semi-colon is here :
target { private; channel; };

goldrunner
Posts: 6
Joined: Wed Jan 11, 2006 3:07 am
Contact:

Post by goldrunner » Wed Jan 11, 2006 9:10 am

Hi,

Thankyou both for your reply, i was wondering if one of you could tell me how i add the ban time? i have pasted my spamfilter.conf below thankyou.

/*
* This an example spamfilter file, it contains several
* real and useful spamfilters. This should give you an
* idea of how powerful spamfilter can be in real-life
* situations.
*
* $Id: spamfilter.conf,v 1.1.6.5 2005/03/13 21:02:21 syzop Exp $
*/

/* Guidelines on the 'action' field:
* As a general rule we use 'action block' for any newly added
* spamfilters at first, later on (after knowing about false
* positives) we might change some to viruschan/kill/gline/etc..
*/

spamfilter {
regex "\x01DCC (SEND|RESUME)[ ]+\"(.+ ){20}";
target { private; channel; };
reason "mIRC 6.0-6.11 exploit attempt";
action kill;
};

spamfilter {
regex "\x01DCC (SEND|RESUME).{225}";
target { private; channel; };
reason "Possible mIRC 6.12 exploit attempt";
action kill;
};

spamfilter {
regex "Come watch me on my webcam and chat /w me :-\) http://.+:\d+/me\.mpg";
target private;
reason "Infected by fyle trojan: see http://www.sophos.com/virusinfo/analyse ... ylexa.html";
action gline;
};

spamfilter {
regex "Speed up your mIRC DCC Transfer by up to 75%.*www\.freewebs\.com/mircupdate/mircspeedup\.exe";
target private;
reason "Infected by mirseed trojan: see http://www.sophos.com/virusinfo/analyse ... seeda.html";
action gline;
};

spamfilter {
regex "^http://www\.angelfire\.com/[a-z0-9]+/[a-z0-9]+/[a-z_]+\.jpg <- .*!";
target private;
reason "Infected by fagot worm: see http://www.f-secure.com/v-descs/fagot.shtml";
action block;
};

spamfilter {
regex "^FREE PORN: http://free:porn@([0-9]{1,3}\.){3}[0-9]{1,3}:8180$";
target private;
reason "Infected by aplore worm: see http://www.f-secure.com/v-descs/aplore.shtml";
action gline;
};

spamfilter {
regex "^!login Wasszup!$";
target channel;
reason "Attempting to login to a GTBot";
action gline;
};

spamfilter {
regex "^!login grrrr yeah baby!$";
target channel;
reason "Attempting to login to a GTBot";
action gline;
};

spamfilter {
regex "^!packet ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15}";
target channel;
reason "Attempting to use a GTBot";
action gline;
};

spamfilter {
regex "^!icqpagebomb ([0-9]{1,15} ){2}.+";
target channel;
reason "Attempting to use a GTBot";
action gline;
};

spamfilter {
regex "^!pfast [0-9]{1,15} ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5}$";
target channel;
reason "Attempting to use a GTBot";
action gline;
};

spamfilter {
regex "^!portscan ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,5} [0-9]{1,5}$";
target channel;
reason "Attempting to use a GTBot";
action gline;
};

spamfilter {
regex "^.u(dp)? ([0-9]{1,3}\.){3}[0-9]{1,3} [0-9]{1,15} [0-9]{1,15} [0-9]{1,15}( [0-9])*$";
target channel;
reason "Attempting to use an SDBot";
action gline;
};

spamfilter {
regex "^.syn ((([0-9]{1,3}\.){3}[0-9]{1,3})|([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_.-]+)) [0-9]{1,5} [0-9]{1,15} [0-9]{1,15}";
target { channel; private; };
reason "Attempting to use a SpyBot";
action gline;
};

spamfilter {
regex "^porn! porno! http://.+\/sexo\.exe";
target private;
action gline;
reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusen ... J%5FSOEX.A";
};

spamfilter {
regex "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
target private;
action gline;
reason "Infected by some trojan (erotica?)";
};

spamfilter {
regex "^STOP SPAM, USE THIS COMMAND: //write nospam \$decode\(.+\) \| \.load -rs nospam \| //mode \$me \+R$";
target private;
action gline;
reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};

spamfilter {
regex "^FOR MATRIX 2 DOWNLOAD, USE THIS COMMAND: //write Matrix2 \$decode\(.+=,m\) \| \.load -rs Matrix2 \| //mode \$me \+R$";
target private;
action gline;
reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};

spamfilter {
regex "^hey .* to get OPs use this hack in the chan but SHH! //\$decode\(.*,m\) \| \$decode\(.*,m\)$";
target private;
action gline;
reason "Infected by nkie worm: see http://www.trojaninfo.com/nkie/nkie.htm";
};

spamfilter {
regex ".*(http://jokes\.clubdepeche\.com|http://horny\.69sexy\.net|http://private\.a123sdsdssddddgfg\.com).*";
target private;
action gline;
reason "Infected by LOI trojan"; /* Name is still unsure */
};

/* This is a 'general sig' which might have a tad more false positives, hence just 'block' is used */
spamfilter {
regex "C:\\WINNT\\system32\\[][0-9a-z_-{|}`]+\.zip";
target dcc;
action block;
reason "Infected by Gaggle worm?";
};

spamfilter {
regex "C:\\WINNT\\system32\\(notes|videos|xxx|ManualSeduccion|postal|hechizos|images|sex|avril)\.zip";
target dcc;
action dccblock;
reason "Infected by Gaggle worm";
};

spamfilter {
regex "http://.+\.lycos\..+/[iy]server[0-9]/[a-z]{4,11}\.(gif|jpg|avi|txt)";
target { private; quit; };
action block;
reason "Infected by Gaggle worm";
};

spamfilter {
regex "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)";
target private;
reason "Unknown virus. Site causes Backdoor.Delf.lq infection";
action block;
};

spamfilter {
regex "^LOL! //echo -a \$\(\$decode\(.+,m\),[0-9]\)$";
target channel;
reason "$decode exploit";
action block;
};


spamfilter {
regex "//write \$decode\(.+\|.+load -rs";
target { private; channel; };
reason "Generic $decode exploit";
action block;
};


spamfilter {
regex "^Want To Be An IRCOp\? Try This New Bug Type: //write \$decode\(.+=.?,m\) \| \.load -rs \$decode\(.+=.?,m\)$";
target private;
action block;
reason "Spamming users with an mIRC trojan. Type '/unload -rs newb' to remove the trojan.";
};


spamfilter {
regex "^[a-z][0-9]{1,4}!~[a-z][0-9]{1,4}@.+:[a-z]{6}$";
target { private; channel; };
action gline;
reason "Using Proxy Or Flood Bot";

};

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US
Contact:

Post by Stealth » Wed Jan 11, 2006 2:20 pm

This will gzline the clones for 1 day

Code: Select all

spamfilter { 
  regex "^[a-z][0-9]{1,4}!~[a-z][0-9]{1,4}@.+:[a-z]{6}$"; 
  target user;
  action gzline; 
  reason "Clone flood"; 
  ban-time 1d;
};

Solutech
Posts: 296
Joined: Thu Mar 18, 2004 11:38 pm

Post by Solutech » Wed Jan 11, 2006 3:58 pm

As for your proxys get Bopm . Works a treat :) .

http://wiki.blitzed.org/BOPM#BOPM
Yawn. So there's yet another "if the user clicks the button, they're infected" exploit. Why is this news? We already know users are idiots.

Post Reply