
TRJ/SOEX.A

Posted: Tue Mar 09, 2004 12:37 pm
by Jay

Code:

spamfilter { 
   regex "^porn! porno! http://.+\/sexo.exe"; 
   target { private; }; 
   action gline; 
   reason "TRJ/SOEX.A Trojan Detected, http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SOEX.A"; 
   ban-time 1d; 
};
I got these spammers on my network, it's not really a harmful bot, cause the .exe file mostly can't execute (bad programming).
Hope the regex is acceptable.

Posted: Tue Mar 09, 2004 4:36 pm
by codemastr
Looks good except,

sexo.exe";

That should probably be sexo\.exe

Since . is a special character in a regex.

Posted: Tue Mar 09, 2004 8:51 pm
by Syzop
Thanks, added in CVS :)

Code:

spamfilter {
   regex "^porn! porno! http://.+\/sexo\.exe";
   target private;
   action block;
   reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
};
(note that _ gets translated into a space, so I just use %5F for now, I'll see if I can make __ [double underscore] translate into _ :P)

Filter Mask

Posted: Tue May 18, 2004 6:44 am
by APCyberax
I've spotted that the following mask should catch them all.

http://*.*.*.*:*/*.exe

Not sure if this would catch too many things, but it seems like a sound idea.
What do you people think?

Posted: Tue May 18, 2004 1:43 pm
by aquanight
Well that would certainly block sending any URL ending in .exe if not for the fact that that is not correct regex syntax. It should be:

http://.+\..+\..+\..+:.+/.*\.exe
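
The patterns quoted in this thread, run against a few messages to show what each one catches; this is an added example, not code from any poster or from the IRCd. It assumes Python's `re` behaves like the server's regex engine for these patterns, and the sample messages and the `TIGHT` pattern are constructed here for illustration.

```python
import re

# Patterns quoted in the thread.
PATTERNS = {
    "UNESCAPED": r"^porn! porno! http://.+\/sexo.exe",   # first post
    "ESCAPED":   r"^porn! porno! http://.+\/sexo\.exe",  # after the '.' fix
    "BROAD":     r"http://.+\..+\..+\..+:.+/.*\.exe",    # last post
    # Hypothetical tighter variant (not from the thread): dotted-quad host,
    # numeric port, no spaces in the path, ".exe" ending the URL.
    "TIGHT": r"http://[0-9]{1,3}(\.[0-9]{1,3}){3}:[0-9]+/[^ ]*\.exe( |$)",
}

# Constructed sample private messages.
SAMPLES = {
    "spam":      "porn! porno! http://10.0.0.1:8080/sexo.exe",
    # Same line with the '.' replaced: only an unescaped '.' accepts it.
    "near_miss": "porn! porno! http://10.0.0.1:8080/sexoXexe",
    # Ordinary download link on a hostname with three dots and a port.
    "hostname":  "grab the installer at http://dl.www.example.org:8080/setup.exe",
    # Plain prose: '.+' also matches spaces, so BROAD spans several words.
    "prose":     "http://example.org has v1.2.3.4 notes: see docs/ for the .exe build",
}


def evaluate():
    """Return {pattern name: [labels of the samples it matches]}."""
    result = {}
    for name, pattern in PATTERNS.items():
        rx = re.compile(pattern)
        result[name] = [label for label, msg in SAMPLES.items() if rx.search(msg)]
    return result


if __name__ == "__main__":
    for name, matched in evaluate().items():
        print(f"{name:10} -> {matched}")
```
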