
AntiProxyScan v1.0


#####################################################################
#   Name: AntiProxyScan v1.0
#   Author: Epic (epicnet@mail.ru, http://epicnet.ru)
#   Description: Automatically scans all incoming connections to the server for proxy addresses and sets a server ban if found.
#####################################################################

alias -l proxyscanner_set {
  ; Loads the scanner configuration into global %ps_* variables.
  ; Called on LOAD, on CONNECT and by "!ps reload".

  ; Comma-separated server names whose connect notices are scanned, or "all".
  %ps_servers = all
  ; Server-notice mask requested with "mode $me +s" in the CONNECT handler.
  %ps_snomask = +cC
  ; Ban command issued on a hit; the DNS handler recognises ZLINE, KLINE and GLINE.
  %ps_btype = ZLINE
  ; Duration argument passed to the ban command.
  %ps_btime = 3d
  ; Reason text passed to the ban command.
  %ps_breason = Your IP was found in DNSBL and it is suspected that is (VPN/Tor/Proxy). To unlock contact the chat administration.
  ; Prefix of the report line sent to %ps_mchan.
  %ps_blogo = DNSBL: 01,04 BAN 
  ; Channel that receives one report line per hit (only if this client is on it).
  %ps_mchan = #Services
  ; Comma-separated nicknames allowed to use "!ps <start/stop/reload>".
  ; NOTE(review): the TEXT handler compares only $nick against this list, in any
  ; channel this client has joined. Replace these defaults with nicknames that are
  ; registered and protected on your network; otherwise whoever holds one of the
  ; nicknames can switch the scanner off.
  %ps_admins = Epic,Sleepyhead,Admin
}
alias -l proxyscanner_list {
  ; Rebuilds the ps-dnsbl hash table from scratch.
  ; Item = DNSBL zone that is appended to the reversed client IP.
  ; Data = comma-separated list of reply codes (last octet of the A record)
  ;        that count as a hit for that zone.
  ;
  ; NOTE(review): every zone listed here is queried for every scanned connection,
  ; and a single hit in any zone triggers the ban. Zones differ in what they list
  ; (spam sources, drones, proxies), so review each entry and its codes against
  ; the zone operator's current documentation before enabling a network-wide ban.
  ; NOTE(review): code 255 deserves care. Spamhaus documents 127.255.255.x replies
  ; as query-error codes (for example rate limiting), not as listings, so matching
  ; on the last octet alone would treat such an error reply as a hit - confirm.
  ; NOTE(review): abuse-contacts.abusix.org and postmaster.rfc-clueless.org do not
  ; appear to be IP-based proxy blocklists - verify that they belong in this table.
  if ($hget(ps-dnsbl,0).item) .hfree -sw ps-dnsbl
  .hadd -m ps-dnsbl dnsbl.dronebl.org 4,5,6,7,8,9,10,13,15,17,255
  .hadd -m ps-dnsbl rbl.efnetrbl.org 1,3,4,5,6,7,8,9,10,11,12,13,14,15
  .hadd -m ps-dnsbl rbl.efnet.org 1,4,5
  .hadd -m ps-dnsbl tor.efnet.org 1
  .hadd -m ps-dnsbl cbl.abuseat.org 1,3,4,5,6,7,8,9,10,11,12,13,14,15
  .hadd -m ps-dnsbl sbl.spamhaus.org 1,5,6,7,8,9,10,12,13,14,15,255
  .hadd -m ps-dnsbl abuse-contacts.abusix.org 2,3,4
  .hadd -m ps-dnsbl safe.dnsbl.sorbs.net 1,3
  .hadd -m ps-dnsbl all.s5h.net 1,3
  .hadd -m ps-dnsbl bl-h1.rbl.polspam.pl 1
  .hadd -m ps-dnsbl postmaster.rfc-clueless.org 3
}
====================================================
on *:LOAD:{
  ; Script load: read the configuration and rebuild the DNSBL table.
  proxyscanner_set
  proxyscanner_list
  ; Enable the scanner only when no on/off state has been stored yet, so a
  ; previous "!ps stop" survives a reload of the script.
  if (!%ps_work) { %ps_work = on }
}
on *:CONNECT:{
  ; Connected to a server: refresh the configuration and the DNSBL table.
  proxyscanner_set
  proxyscanner_list
  ; Enable the scanner only when no on/off state has been stored yet.
  if (!%ps_work) { %ps_work = on }
  ; On a configured server (or on any server when %ps_servers is "all"),
  ; request the server-notice mask that carries the connect notices.
  if ($istok(%ps_servers,$server,44)) || (%ps_servers == all) {
    mode $me +s %ps_snomask
  }
}
on *:TEXT:!ps*:#:{
  ; Channel command "!ps <start/stop/reload>" that toggles or reloads the scanner.
  ; NOTE(review): the only authorization check is that $nick appears in %ps_admins,
  ; and the command is accepted in every channel this client has joined. Nothing
  ; here verifies the sender's account, host or channel status, so the protection
  ; is only as strong as nickname ownership on the network. Consider restricting
  ; the command to the management channel and to identified operators.
  if ($1 == !ps && $istok(%ps_admins,$nick,44)) {
    if (!$2) {
      ; No sub-command: show usage and stop.
      .notice $nick Syntax: !ps <start/stop/reload>
      halt
    }
    elseif ($2 == start) {
      %ps_work = on
      .notice $nick ProxyScanner on
    }
    elseif ($2 == stop) {
      %ps_work = off
      .notice $nick ProxyScanner off
    }
    elseif ($2 == reload) {
      ; Re-read the configuration and rebuild the DNSBL table.
      proxyscanner_set
      proxyscanner_list
      .notice $nick ProxyScanner reload
    }
  }
}
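on *:SNOTICE:*Client connecting*:{
  ; Handles "Client connecting" server notices and starts a DNSBL scan for the
  ; connecting client's IPv4 address.
  ;
  ; Fix: the "all servers" test used to read $hget(ps,servers), a hash table that
  ; no part of this script creates, so with the default %ps_servers = all the
  ; condition was never true and no connection was scanned. It now tests
  ; %ps_servers, the same variable the CONNECT handler uses.
  ;
  ; Only a host part that ps_detectip accepts as a dotted IPv4 literal is scanned;
  ; any other mask (for example a resolved hostname or an IPv6 address) passes
  ; unchecked.
  ; NOTE(review): the parsing assumes the notice contains a nick!ident@ip token,
  ; optionally wrapped in parentheses - confirm against your IRCd's notice format.
  if (%ps_work != on) { return }
  if ($istok(%ps_servers,$nick,44)) || (%ps_servers == all) {
    ; First space-separated token containing "@", with "(" and ")" stripped.
    var %ps_mask = $remove($wildtok($1-,*@*,1,32),$chr(40),$chr(41))
    ; Part before "!" is the nickname, part after "@" is the address, and the
    ; part between "!" and "@" is the ident.
    var %ps_nick = $gettok(%ps_mask,1,33)
    var %ps_ip = $gettok(%ps_mask,2,64)
    var %ps_id = $gettok($gettok(%ps_mask,1,64),2,33)
    if ($ps_detectip(%ps_ip)) { proxyscanner_check %ps_ip %ps_id %ps_nick }
  }
}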
====================================================
alias -l proxyscanner_check {
  ; Starts one DNS lookup per configured DNSBL zone for a connecting client.
  ;   $1 = client IPv4 address, $2 = ident, $3 = nickname
  ; The client's details are remembered for 60 seconds, keyed by the reversed
  ; address, so the DNS handler can map an answer back to the connection.
  var %ps_reverse = $ps_revip($1)
  .hadd -mu60 ps-oip %ps_reverse $1
  .hadd -mu60 ps-oid %ps_reverse $2
  .hadd -mu60 ps-onick %ps_reverse $3
  ; Query <reversed-ip>.<zone> for every item in the ps-dnsbl table.
  var %ps_q = 1
  var %ps_all = $hget(ps-dnsbl,0).item
  while (%ps_q <= %ps_all) {
    .dns $+(%ps_reverse,.,$hget(ps-dnsbl,%ps_q).item)
    inc %ps_q
  }
}
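on *:DNS:{
  ; Evaluates DNS answers and bans the client when a DNSBL zone lists its address.
  ; The queried name is split into the reversed IP (first four labels) and the
  ; zone (remaining labels); the last octet of the answer is the reply code that
  ; is looked up in the zone's code list in ps-dnsbl.
  ;
  ; Fixes over the previous version:
  ;  - The answer must lie in 127.0.0.0/8, the range DNSBLs answer from. An
  ;    address outside it (for example from a resolver that rewrites failed
  ;    lookups) is no longer treated as a listing.
  ;  - Answers in 127.255.255.x are ignored. Some operators, Spamhaus among them,
  ;    use that range for query errors such as rate limiting; previously
  ;    127.255.255.255 matched code 255 and would have banned the client.
  ;  - The stored connection record must still exist. This event fires for every
  ;    completed lookup, and the record expires after 60 seconds; without it the
  ;    ban command would be sent with an empty address.
  var %ps_i = $dns(0)
  while (%ps_i > 0) {
    var %ps_dnsname = $dns(%ps_i)
    var %ps_dnsip = $dns(%ps_i).ip
    var %ps_dnsnum = $gettok(%ps_dnsip,4,46)
    var %ps_dnsrip = $gettok(%ps_dnsname,1-4,46)
    var %ps_dnsrname = $gettok(%ps_dnsname,5-,46)
    ; ps-banip suppresses repeat bans for the same address for 30 seconds.
    if (!$hget(ps-banip,%ps_dnsrip) && $istok($hget(ps-dnsbl,%ps_dnsrname),%ps_dnsnum,44)) {
      if (($gettok(%ps_dnsip,1,46) == 127) && ($gettok(%ps_dnsip,1-3,46) != 127.255.255) && ($hget(ps-oip,%ps_dnsrip) != $null)) {
        ;------------------------------------
        if ($me ison %ps_mchan) /msg %ps_mchan %ps_blogo $+(07,$hget(ps-onick,%ps_dnsrip),) => $+(04,$hget(ps-oid,%ps_dnsrip),@,$hget(ps-oip,%ps_dnsrip),) => $+(06,%ps_dnsrname,) $+($chr(40),07,%ps_dnsnum,,$chr(41)) - $ps_gettype(%ps_dnsname,%ps_dnsnum)
        if (%ps_btype == ZLINE) .ZLINE $hget(ps-oip,%ps_dnsrip) %ps_btime %ps_breason
        if (%ps_btype == KLINE) .KLINE $+(*@,$hget(ps-oip,%ps_dnsrip)) %ps_btime %ps_breason
        if (%ps_btype == GLINE) .GLINE $+(*@,$hget(ps-oip,%ps_dnsrip)) %ps_btime %ps_breason
        ;------------------------------------
        .hadd -mu30 ps-banip %ps_dnsrip 1
        break
      }
    }
    dec %ps_i
  }
}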
alias -l ps_revip {
  ; Returns the dot-separated value in $1 with its first four parts in reverse
  ; order (1.2.3.4 becomes 4.3.2.1), the form used to build a DNSBL query name.
  return $+($gettok($1,4,46),.,$gettok($1,3,46),.,$gettok($1,2,46),.,$gettok($1,1,46))
}
alias -l ps_detectip {
  ; Returns 1 when $1 consists of exactly four dot-separated parts that each
  ; satisfy "isnum 0-255"; returns nothing otherwise.
  ; Hostnames and IPv6 addresses therefore yield no result and are not scanned.
  if ($numtok($1,46) != 4) { return }
  var %ps_n = 1
  while (%ps_n <= 4) {
    if ($gettok($1,%ps_n,46) !isnum 0-255) { return }
    inc %ps_n
  }
  return 1
}
alias -l ps_gettype {
  ; Maps a DNSBL hit to the label shown in the report line.
  ;   $1 = queried name (reversed IP plus zone), $2 = reply code (last octet)
  ; Zones are recognised by substring. Codes without a label in a recognised
  ; zone, and all hits from other zones, fall through to the generic labels at
  ; the end.
  ; NOTE(review): "Unknown Proxy" is also reported for zones that are not proxy
  ; lists, and no label exists here for dronebl code 4 although the zone table
  ; accepts it as a hit.
  if (dronebl isin $1) {
    if ($2 == 2) return Sample
    elseif ($2 == 3) return IRC Drone
    elseif ($2 == 5) return Bottler
    elseif ($2 == 6) return Unknown Spambot/Drone
    elseif ($2 == 7) return DDOS Drone
    elseif ($2 == 8) return SOCKS Proxy
    elseif ($2 == 9) return HTTP Proxy
    elseif ($2 == 10) return Proxy Chain
    elseif ($2 == 11) return Web Page Proxy
    elseif ($2 == 12) return Open DNS Resolver
    elseif ($2 == 13) return Brute Force Attackers
    elseif ($2 == 14) return Open Wingate Proxy
    elseif ($2 == 15) return Compromised Router/Gateway
    elseif ($2 == 16) return Autorooting worms
    elseif ($2 == 17) return Automatically determined botnet IPs (experimental)
    elseif ($2 == 18) return DNS/MX type hostname detected on IRC
  }
  if (rbl.efnet isin $1) {
    if ($2 == 1) return Open Proxy
    elseif ($2 == 2) return Spamtrap666
    elseif ($2 == 3) return Spamtrap50
    elseif ($2 == 4) return TOR
    elseif ($2 == 5) return Drones/Flooding
  }
  if (tor.efnet isin $1) return Tor Server
  ; Generic labels for everything not matched above.
  if ($2 == 255) return 10Unknown
  return Unknown Proxy
}
