With any proxies it works very well, but when I see this in the bopm.log:
[Jun 22 03:41:22 2012] DNSBL -> [email protected] appears in BL zone tor.dnsbl.sectoor.de (Tor exit server)
bopm.conf:
# IRC block: how BOPM connects and authenticates to the server it protects.
# The literal "del" values are the poster's redactions, not working settings.
IRC
{
nick = "del";
realname = "del";
username = "del";
server = "del";
port = 6667;
# password = "pass";
# nickserv = "privmsg nickserv :identify pass";
# oper normally carries the oper name and password in clear text, so this file
# should be readable only by the account that runs BOPM.
oper = "del";
mode = "+csFGk";
away = "del";
# vhost = "0.0.0.0";
# Channel BOPM joins. With the key line commented out, access to #opers has to
# be restricted on the IRC side (invite-only / oper-only) - confirm it is.
channel { name = "#opers";
# key = "key";
# invite = "privmsg chanserv :invite #bopm";
};
# Matched against the server's connect notice; the four capture groups are
# nick, user, host and the bracketed IP. If the server's notice format differs,
# nothing matches and no client is checked at all.
connregex = "\\*\\*\\* Notice -- Client connectin.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([^ ]+)\\] .*";
# Ban command for scanner hits. It bans on %h (the hostname) rather than %i, and
# the "0" is presumably a permanent duration on this ircd - confirm. The argument
# order here (mask, then duration) differs from most kline lines in the OPM block.
kline = "GLINE *@%h 0 :del";
perform = "PROTOCTL HCN";
};
# OPM block: DNS blacklists looked up for every connecting client. Each
# blacklist entry has its own kline string, which is sent to the server on a hit.
# NOTE(review): the kline strings below mix several command syntaxes
# ("KLINE 10080 *@%i :", "KLINE 1440 *@%h :", "KLINE *@%i 7d :",
# "gline +*@%h 10000 :" and an OperServ akill), while the IRC block uses
# "GLINE *@%h 0 :". A given ircd accepts only its own argument order, so a
# "DNSBL -> ... appears in BL zone" line in bopm.log shows the lookup matched, not
# that a ban was placed. Check the server notices for each form actually in use.
# NOTE(review): DNSBL zones get retired (AHBL and NJABL, listed below, were
# later shut down), and a retired zone may start answering every query. With
# ban_unknown = yes that bans every client, so confirm each zone is still
# operated before deploying this list.
OPM {
# DroneBL: 3-hour akill through services, keyed on %i. "network=Network" in the
# URL looks like an unfilled placeholder - confirm.
blacklist {
name = "dnsbl.dronebl.org";
type = "A record reply";
reply {
2 = "Sample";
3 = "IRC Drone";
5 = "Bottler";
6 = "Unknown spambot or drone";
7 = "DDOS Drone";
8 = "SOCKS Proxy";
9 = "HTTP Proxy";
10 = "ProxyChain";
13 = "Brute force attackers";
14 = "Open Wingate Proxy";
15 = "Compromised router / gateway";
17 = "Automatically determined botnet IPs (experimental)";
255 = "Unknown";
};
ban_unknown = no;
kline = "PRIVMSG OperServ :akill add +3h *@%i You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=Network";
};
# The only bitmask-type zone here; ban_unknown = yes also bans on reply bits
# that are not in the list below.
blacklist {
name = "opm.blitzed.org";
type = "A record bitmask";
ban_unknown = yes;
reply {
1 = "WinGate";
2 = "Socks";
4 = "HTTP";
8 = "Router";
16 = "HTTP POST";
};
kline = "KLINE 10080 *@%i :Sorry, %n, Open Proxy found on your host. Please visit www.blitzed.org/proxy?ip=%i for more information.";
};
blacklist {
name = "dnsbl.njabl.org";
type = "A record reply";
reply {
9 = "Open proxy";
};
ban_unknown = no;
kline = "KLINE 10080 *@%i :%n, Your IP, %i, is in our Open Proxy List.. www.njabl.org/cgi-bin/lookup.cgi?query=%i";
};
# Bans on %h with a "+" before the mask, unlike the other entries - confirm the
# server accepts this form.
blacklist {
name = "dnsbl.swiftbl.org";
type = "A record reply";
reply {
2 = "SOCKS Proxy";
3 = "HTTP Proxy";
4 = "IRC Drone";
};
ban_unknown = no;
kline = "gline +*@%h 10000 :Your host is listed in SwiftBL. For further information and removal visit http://swiftbl.org/lookup";
};
blacklist {
name = "virbl.dnsbl.bit.nl";
type = "A record reply";
ban_unknown = yes;
reply {
2 = "Virus";
};
kline = "KLINE 10080 *@%i :%n, Your IP, %i, is in our Virus List.. http://virbl.bit.nl/list.php";
};
blacklist {
name = "ircbl.ahbl.org";
type = "A record reply";
ban_unknown = yes;
reply {
2 = "Abusive";
};
kline = "KLINE 10080 *@%i :%n, Your IP, %i, is in our DDoS/Drone/Spammer/Abuse List.. http://www.ahbl.org/tools/lookup.php?ip=%i";
};
# This is the zone named in the bopm.log line quoted above the config. Only
# reply code 1 is acted on (ban_unknown = no), and the ban uses the
# duration-first "KLINE 10080 *@%i" form.
blacklist {
name = "tor.dnsbl.sectoor.de";
type = "A record reply";
reply {
1 = "Tor exit server";
};
ban_unknown = no;
kline = "KLINE 10080 *@%i :%n, Your IP, %i, is in our TOR Server List.. http://www.sectoor.de/tor.php?ip=%i";
};
/* rbl.efnet.org - http://rbl.efnet.org/ */
# NOTE(review): the comment above names rbl.efnet.org but the zone queried is
# rbl.efnetrbl.org. Reply 4 makes this a third source of Tor bans in this file.
blacklist {
name = "rbl.efnetrbl.org";
type = "A record reply";
ban_unknown = no;
reply {
1 = "Open Proxy";
2 = "spamtrap666";
3 = "spamtrap50";
4 = "TOR";
5 = "Drones / Flooding";
};
kline = "KLINE 1440 *@%h :Blacklisted Proxy found. Visit http://rbl.efnetrbl.org/?i=%i for info.";
};
blacklist {
name = "tor.ahbl.org";
type = "A record reply";
reply {
2 = "Tor exit server";
};
ban_unknown = no;
kline = "KLINE 10080 *@%i :%n, Your IP, %i, is in our TOR Server List.. http://www.ahbl.org/tools/lookup.php?ip=%i";
};
blacklist {
name = "no-more-funn.moensted.dk";
type = "A record reply";
ban_unknown = no;
reply {
10 = "Open Proxy";
};
kline = "KLINE 10080 *@%i :%n, Your IP, %i, is in our Open Proxy List.. http://moensted.dk/spam/no-more-funn?addr=%i";
};
blacklist {
name = "dnsbl.sorbs.net";
type = "A record reply";
ban_unknown = no;
reply {
2 = "Open HTTP Proxy";
3 = "Open Socks Proxy";
4 = "Other Open Proxy";
};
kline = "KLINE 10080 *@%i :%n, Your IP, %i, is in our Open Proxy List as a %t.. http://dnsbl.sorbs.net/cgi-bin/db?IP=%i";
};
# ban_unknown = yes here, and reply 1 is labelled "Test", so test entries in the
# zone would also be banned.
blacklist {
name = "spbl.bl.winbots.org";
type = "A record reply";
ban_unknown = yes;
reply {
1 = "Test";
2 = "UnderNet Spam";
3 = "QuakeNet Spam";
4 = "Winbots Spam";
};
kline = "KLINE 10080 *@%i :%n, Your IP, %i, is in our %t List.. Email [email protected] to get this resolved.";
};
blacklist {
name = "dronebl.noderebellion.net";
type = "A record reply";
ban_unknown = no;
reply {
3 = "IRC spam drone (litmus/sdbot)";
4 = "Tor anonymous proxy";
5 = "IRC DDoS drone (wisdom/agobot/phatbot/rxbot)";
10 = "Open proxy";
14 = "Unknown worm/bot (found in DDoS attack by dronebl user)";
17 = "Unknown worm/bot (found scanning NodeRebellion's IP network)";
19 = "Open proxy (proxychain)";
};
kline = "KLINE 10080 *@%i :Your IP (%i), is listed as a %t in the DroneBL, see http://www.noderebellion.net/tools/lookup/?ip=%i";
};
# NOTE(review): a second sectoor.de Tor zone next to tor.dnsbl.sectoor.de above,
# with a different ban syntax (mask first, "7d" duration). If both zones answer,
# the same client triggers two bans in two formats. Keep one entry.
blacklist {
name = "tor.sectoor.de";
type = "A record reply";
reply {
1 = "tor exit server";
};
ban_unknown = no;
kline = "KLINE *@%i 7d :You are in the tor.sectoor.de DNSBL. Please visit http://www.sectoor.de/tor.php?ip=%i";
};
# Mail settings. The "[email protected]" strings in this post are the forum's
# e-mail masking, not usable addresses; replace them before use.
dnsbl_from = "[email protected]";
dnsbl_to = "[email protected]";
sendmail = "/usr/sbin/sendmail";
};
# Scanner "default": the list of protocol:port probes run against a connecting
# client. The first user block further down applies it to every client
# (mask "*!*@*").
# Each protocol line is one outbound connection to the client's address, so the
# length of this list multiplied by the connection rate sets the load, bounded
# by fd below.
scanner {
name = "default";
protocol = ROUTER:23;
protocol = SOCKS4:559;
protocol = HTTPPOST:3128;
protocol = SOCKS4:1080;
protocol = HTTP:8080;
protocol = SOCKS5:1182;
protocol = HTTP:3128;
protocol = HTTPPOST:8080;
protocol = SOCKS4:9999;
protocol = HTTPPOST:80;
protocol = SOCKS5:1080;
protocol = HTTP:63000;
protocol = HTTP:8000;
protocol = HTTPPOST:808;
protocol = HTTP:80;
protocol = HTTPPOST:6588;
protocol = HTTP:6588;
protocol = SOCKS5:3128;
protocol = SOCKS5:10080;
protocol = HTTPPOST:4480;
protocol = SOCKS4:63808;
protocol = SOCKS4:19991;
protocol = SOCKS4:1098;
protocol = SOCKS4:10000;
protocol = SOCKS4:4471;
protocol = HTTP:65506;
protocol = HTTP:63809;
protocol = SOCKS5:9090;
protocol = HTTP:9090;
protocol = SOCKS4:58;
protocol = SOCKS5:58;
protocol = SOCKS4:6969;
protocol = WINGATE:23;
protocol = SOCKS5:3380;
protocol = SOCKS4:40;
protocol = SOCKS5:443;
protocol = SOCKS4:8888;
protocol = HTTPPOST:9090;
protocol = HTTP:5490;
protocol = SOCKS4:8080;
protocol = SOCKS5:6969;
protocol = SOCKS4:1026;
protocol = SOCKS4:1025;
protocol = HTTP:8888;
protocol = HTTP:8090;
protocol = HTTP:808;
protocol = SOCKS5:1029;
protocol = SOCKS4:41080;
protocol = SOCKS5:8020;
protocol = SOCKS5:6000;
protocol = HTTPPOST:8081;
protocol = HTTP:4480;
protocol = SOCKS5:1027;
protocol = SOCKS4:1028;
protocol = HTTP:3332;
protocol = SOCKS5:8888;
protocol = SOCKS5:1028;
protocol = SOCKS4:3330;
protocol = SOCKS4:29992;
protocol = SOCKS4:1234;
protocol = SOCKS4:1029;
protocol = HTTP:5000;
protocol = HTTP:443;
protocol = SOCKS5:1813;
protocol = SOCKS5:1081;
protocol = SOCKS5:1026;
protocol = SOCKS4:1337;
protocol = SOCKS4:1050;
protocol = HTTP:1080;
protocol = SOCKS5:9999;
protocol = SOCKS5:9100;
protocol = SOCKS5:19991;
protocol = SOCKS5:1098;
protocol = SOCKS4:9100;
protocol = SOCKS4:7080;
protocol = SOCKS4:1033;
protocol = HTTP:9000;
protocol = HTTP:5800;
protocol = HTTP:5634;
protocol = HTTP:4471;
protocol = HTTP:3382;
protocol = SOCKS5:1200;
protocol = SOCKS5:1039;
protocol = SOCKS5:1025;
protocol = SOCKS4:8002;
protocol = SOCKS4:6748;
protocol = SOCKS4:44548;
protocol = SOCKS4:3380;
protocol = SOCKS4:32167;
protocol = SOCKS4:2000;
protocol = SOCKS4:1979;
protocol = SOCKS4:12654;
protocol = SOCKS4:11225;
protocol = SOCKS4:1066;
protocol = SOCKS4:1030;
protocol = SOCKS4:1027;
protocol = SOCKS4:10099;
protocol = HTTP:81;
protocol = SOCKS5:8278;
protocol = SOCKS5:6748;
protocol = SOCKS5:4914;
protocol = SOCKS5:4471;
protocol = SOCKS5:29992;
protocol = SOCKS5:17235;
protocol = SOCKS5:1234;
protocol = SOCKS5:1202;
protocol = SOCKS5:1180;
protocol = SOCKS5:1075;
protocol = SOCKS5:1033;
protocol = SOCKS5:10000;
protocol = SOCKS4:8020;
protocol = SOCKS4:4044;
protocol = SOCKS4:3128;
protocol = SOCKS4:3127;
protocol = SOCKS4:28882;
protocol = SOCKS4:24973;
protocol = SOCKS4:21421;
protocol = SOCKS4:1182;
protocol = SOCKS4:1032;
protocol = SOCKS4:10242;
protocol = HTTPPOST:8089;
protocol = HTTP:8082;
protocol = HTTP:35233;
protocol = HTTP:19991;
protocol = HTTP:1098;
protocol = HTTP:1050;
protocol = SOCKS5:9988;
protocol = SOCKS5:8080;
protocol = SOCKS5:8009;
protocol = SOCKS5:6561;
protocol = SOCKS5:24971;
protocol = SOCKS5:18844;
protocol = SOCKS5:1122;
protocol = SOCKS5:10777;
protocol = SOCKS5:1030;
protocol = SOCKS5:10130;
protocol = SOCKS5:10099;
protocol = SOCKS4:8751;
protocol = SOCKS4:8278;
protocol = SOCKS4:8111;
protocol = SOCKS4:7007;
protocol = SOCKS4:6551;
protocol = SOCKS4:5353;
protocol = SOCKS4:443;
protocol = SOCKS4:43341;
protocol = SOCKS4:3801;
protocol = SOCKS4:2280;
protocol = SOCKS4:1978;
protocol = SOCKS4:1212;
protocol = SOCKS4:1039;
protocol = SOCKS4:1031;
protocol = HTTPPOST:81;
protocol = HTTP:9988;
protocol = HTTP:7868;
protocol = HTTP:7070;
protocol = HTTP:444;
protocol = HTTP:1200;
protocol = HTTP:1039;
# Source address for probes; 0.0.0.0 presumably lets the OS choose - confirm.
vhost = "0.0.0.0";
# fd and max_read cap concurrent probe sockets and bytes read per probe;
# timeout is presumably in seconds - confirm.
fd = 512;
max_read = 4096;
timeout = 30;
# A probe counts as an open proxy when the client relays a connection to
# target_ip:target_port and target_string shows up in what comes back.
# target_ip must be an address of your own ircd that is reachable from outside
# and that really sends target_string; otherwise no proxy is ever detected and
# only the DNSBL checks have any effect. Confirm 83.69.233.12 is such an address.
target_ip = "83.69.233.12";
target_port = 6667;
target_string = "*** Looking up your hostname...";
};
# Scanner "extra": a longer probe list that the second user block applies to
# clients whose ident or hostname looks like proxy software.
# NOTE(review): this list repeats most of the "default" list and also repeats
# entries within itself (for example SOCKS4:29992, SOCKS4:559, HTTP:81,
# HTTP:8000, HTTP:443, HTTPPOST:81 and SOCKS5:1027 each appear more than once).
# Every repeat is presumably another connection to the same port on the client;
# trimming this to the ports that "default" lacks would cut probe traffic.
# No vhost, target_ip, target_port or target_string is set here; presumably
# they fall back to defaults - confirm this scanner has a valid target.
scanner {
name = "extra";
protocol = WINGATE:1181;
protocol = HTTP:81;
protocol = HTTP:8000;
protocol = HTTP:8001;
protocol = HTTP:8081;
protocol = HTTP:5748;
protocol = HTTP:443;
protocol = SOCKS4:4914;
protocol = SOCKS4:6826;
protocol = SOCKS4:7198;
protocol = SOCKS4:7366;
protocol = SOCKS4:9036;
protocol = SOCKS5:4438;
protocol = SOCKS5:5104;
protocol = SOCKS5:5113;
protocol = SOCKS5:5262;
protocol = SOCKS5:5634;
protocol = SOCKS5:6552;
protocol = SOCKS5:6561;
protocol = SOCKS5:7464;
protocol = SOCKS5:7810;
protocol = SOCKS5:8130;
protocol = SOCKS5:8148;
protocol = SOCKS5:8520;
protocol = SOCKS5:8814;
protocol = SOCKS5:9100;
protocol = SOCKS5:9186;
protocol = SOCKS5:9447;
protocol = SOCKS5:9578;
protocol = SOCKS4:559;
protocol = HTTPPOST:3128;
protocol = SOCKS4:1080;
protocol = HTTP:8080;
protocol = SOCKS5:1182;
protocol = HTTP:3128;
protocol = HTTPPOST:8080;
protocol = SOCKS4:9999;
protocol = SOCKS5:1080;
protocol = HTTP:63000;
protocol = HTTP:8000;
protocol = HTTPPOST:808;
protocol = HTTPPOST:6588;
protocol = HTTP:6588;
protocol = SOCKS5:3128;
protocol = SOCKS5:10080;
protocol = HTTPPOST:4480;
protocol = SOCKS4:63808;
protocol = SOCKS4:19991;
protocol = SOCKS4:1098;
protocol = SOCKS4:10000;
protocol = SOCKS4:4471;
protocol = HTTP:65506;
protocol = HTTP:63809;
protocol = SOCKS5:9090;
protocol = HTTP:9090;
protocol = SOCKS4:58;
protocol = SOCKS5:58;
protocol = SOCKS4:6969;
protocol = WINGATE:23;
protocol = SOCKS5:3380;
protocol = SOCKS4:40;
protocol = SOCKS5:443;
protocol = SOCKS4:8888;
protocol = HTTPPOST:9090;
protocol = HTTP:5490;
protocol = SOCKS4:8080;
protocol = SOCKS5:6969;
protocol = SOCKS4:1026;
protocol = SOCKS4:1025;
protocol = HTTP:8090;
protocol = HTTP:808;
protocol = SOCKS5:1029;
protocol = SOCKS4:41080;
protocol = SOCKS5:8020;
protocol = SOCKS5:6000;
protocol = HTTPPOST:8081;
protocol = HTTP:4480;
protocol = SOCKS5:1027;
protocol = SOCKS4:1028;
protocol = HTTP:3332;
protocol = SOCKS5:8888;
protocol = SOCKS5:1028;
protocol = SOCKS4:3330;
protocol = SOCKS4:29992;
protocol = SOCKS4:1234;
protocol = SOCKS4:1029;
protocol = HTTP:5000;
protocol = HTTP:443;
protocol = SOCKS5:1813;
protocol = SOCKS5:1081;
protocol = SOCKS5:1026;
protocol = SOCKS4:1337;
protocol = SOCKS4:1050;
protocol = HTTP:1080;
protocol = SOCKS5:9999;
protocol = SOCKS5:9100;
protocol = SOCKS5:19991;
protocol = SOCKS5:1098;
protocol = SOCKS4:9100;
protocol = SOCKS4:7080;
protocol = SOCKS4:1033;
protocol = HTTP:9000;
protocol = HTTP:5800;
protocol = HTTP:5634;
protocol = HTTP:4471;
protocol = HTTP:3382;
protocol = SOCKS5:1200;
protocol = SOCKS5:1039;
protocol = SOCKS5:1025;
protocol = SOCKS4:8002;
protocol = SOCKS4:6748;
protocol = SOCKS4:44548;
protocol = SOCKS4:3380;
protocol = SOCKS4:32167;
protocol = SOCKS4:2000;
protocol = SOCKS4:1979;
protocol = SOCKS4:12654;
protocol = SOCKS4:11225;
protocol = SOCKS4:1066;
protocol = SOCKS4:1030;
protocol = SOCKS4:1027;
protocol = SOCKS4:10099;
protocol = HTTP:81;
protocol = SOCKS5:8278;
protocol = SOCKS5:6748;
protocol = SOCKS5:4914;
protocol = SOCKS5:4471;
protocol = SOCKS5:29992;
protocol = SOCKS5:17235;
protocol = SOCKS5:1234;
protocol = SOCKS5:1202;
protocol = SOCKS5:1180;
protocol = SOCKS5:1075;
protocol = SOCKS5:1033;
protocol = SOCKS5:10000;
protocol = SOCKS4:8020;
protocol = SOCKS4:4044;
protocol = SOCKS4:3128;
protocol = SOCKS4:3127;
protocol = SOCKS4:28882;
protocol = SOCKS4:24973;
protocol = SOCKS4:21421;
protocol = SOCKS4:1182;
protocol = SOCKS4:1032;
protocol = SOCKS4:10242;
protocol = HTTPPOST:8089;
protocol = HTTP:8082;
protocol = HTTP:35233;
protocol = HTTP:19991;
protocol = HTTP:1098;
protocol = HTTP:1050;
protocol = SOCKS5:9988;
protocol = SOCKS5:8080;
protocol = SOCKS5:8009;
protocol = SOCKS5:6561;
protocol = SOCKS5:24971;
protocol = SOCKS5:18844;
protocol = SOCKS5:1122;
protocol = SOCKS5:10777;
protocol = SOCKS5:1030;
protocol = SOCKS5:10130;
protocol = SOCKS5:10099;
protocol = SOCKS4:8751;
protocol = SOCKS4:8278;
protocol = SOCKS4:8111;
protocol = SOCKS4:7007;
protocol = SOCKS4:6551;
protocol = SOCKS4:5353;
protocol = SOCKS4:443;
protocol = SOCKS4:43341;
protocol = SOCKS4:3801;
protocol = SOCKS4:2280;
protocol = SOCKS4:1978;
protocol = SOCKS4:1212;
protocol = SOCKS4:1039;
protocol = SOCKS4:1031;
protocol = HTTPPOST:81;
protocol = HTTP:9988;
protocol = HTTP:7868;
protocol = HTTP:7070;
protocol = HTTP:444;
protocol = HTTP:1200;
protocol = HTTP:1039;
protocol = SOCKS4:11348;
protocol = SOCKS5:11348;
protocol = SOCKS4:6081;
protocol = SOCKS5:6081;
protocol = SOCKS4:25552;
protocol = SOCKS5:25552;
protocol = SOCKS4:50305;
protocol = SOCKS5:50305;
protocol = SOCKS4:29992;
protocol = SOCKS4:38884;
protocol = SOCKS4:18844;
protocol = SOCKS4:17771;
protocol = SOCKS4:31121;
protocol = HTTPPOST:81;
protocol = HTTPPOST:6588;
protocol = HTTPPOST:8000;
protocol = HTTPPOST:8001;
protocol = HTTPPOST:8081;
protocol = SOCKS5:1978;
protocol = SOCKS5:10001;
protocol = SOCKS5:30021;
protocol = SOCKS5:30022;
protocol = SOCKS5:38994;
protocol = SOCKS5:15859;
protocol = SOCKS5:1027;
protocol = SOCKS5:2425;
protocol = SOCKS4:559;
protocol = SOCKS4:29992;
protocol = SOCKS4:38884;
protocol = SOCKS4:18844;
protocol = SOCKS4:17771;
protocol = SOCKS4:31121;
protocol = SOCKS4:1182;
protocol = ROUTER:23;
# Lower socket cap than the default scanner's 512.
fd = 400;
};
# Applies the "default" scanner to every connecting client: the mask matches any
# nick, ident and host.
user {
scanner = "default";
mask = "*!*@*";
};
# Applies the "extra" scanner to clients whose ident or hostname suggests proxy
# or web-server software. These clients also match "*!*@*" in the block above,
# so they presumably get both scanners - confirm; "extra" repeats most of the
# "default" ports, which would mean the same ports are probed twice.
# The ident part of a mask is supplied by the client, so these masks only catch
# software that announces itself honestly.
user {
scanner = "extra";
mask = "*!squid@*";
mask = "*!nobody@*";
mask = "*!www-data@*";
mask = "*!cache@*";
mask = "*!CacheFlowS@*";
mask = "*!*@*www*";
mask = "*!*@*proxy*";
mask = "*!*@*cache*";
};
# Clients matching these masks are exempt from checks. Only loopback is listed;
# trusted hosts such as services, linked servers and network-run gateways are not
# exempt unless added here, so they can be probed and banned like any client.
exempt {
mask = "*!*@127.0.0.1";
};
# Process-level options.
options {
# The pid file sits in the log directory; that directory must be writable by the
# BOPM account only, not by other local users.
pidfile = "/var/log/bopm/bopm.pid";
# negcache is commented out, so presumably no negative results are cached and
# every reconnect from the same address triggers the full DNSBL and probe run
# again - confirm.
# negcache = 3600;
dns_fdlimit = 64;
# scanlog is commented out, so probe activity is not written to its own log.
# Enabling it leaves a record for answering abuse reports about the scans and for
# checking why a given client was or was not banned.
# scanlog = "/var/log/bopm/scan.log";
};