Open Proxies #268175 07/12/20 07:52 AM
Sleepyhead (OP)
Joined: Dec 2020
Posts: 3
Hello,

I am an official chanops/helperop on a network, and currently we are facing a surge in abusers/flooders with open proxies. Also, the network has been following dnsbl.org to scan users while they connect (but most of the time it just lets in flooders/abusers without any issue). I have searched a few IPs on dnsbl.info but found they were not listed as defaulters, whereas ircbl.org does mark the same IPs as blacklisted (hence, I trust ircbl.org over dnsbl.info).

I am looking for code which would scan for open proxies when a nick joins a specific channel (Tcl code or normal IRC-based code will do). The switch could be auto (on join) or manual (where I would trigger the scan manually). Also, I should be able to kick/ban the user once I find them using an open proxy. Here are a few websites where I can search for an open proxy.

1. ircbl.org (I find the results displayed on this website to be more comprehensive)
2. dnsbl.info
3. dronebl.org

P.S. It would be great if someone could help me with a proxy scanner with a dialog (it will scan for open proxies on the above websites and, if found on these websites, it should be able to kick/ban the user). Also, I am not into coding, so I might need further help/support from the coding community with the issue.

Thanks & Regards,
SH

Re: Open Proxies [Re: Sleepyhead] #268254 18/12/20 06:56 PM
Epic
Joined: Jan 2012
Posts: 82
So, I finally finished writing my first version of the script for you, so that it is possible, using a scan of connections, to protect your server from mass infiltration by users from proxy addresses.
This may not be everything you would like to see to protect your server, but it is better than nothing. In my opinion, it is more efficient to catch proxies when they connect to the server than when they are already entering channels, since their addresses can be encrypted or be a virtual host, and you will be flooded with constant messages about joins with probable spam. Of course, this code is still raw and may not be perfect, so I suggest you test it for several weeks to collect a report on the errors found and suggestions for improving this code.

Description to v1.0:

  1. Scans all incoming connections to the server and checks users by "IPv4" (the address must be in the form of numbers). For this, the bot where this script will be installed must have IRCop privileges with snomask (+cC).
  2. You can use the command with the syntax: "!ps <start/stop/reload>". (All nicknames for which this command will be available are recorded in the "%ps_admins" variable.)
  3. In the "ps_gettype" alias, you can, if you wish, write your own signatures for those DNSBL servers that should describe the proxy type in case of detection.
  4. You can create your own DNSBL server lists in the "proxyscanner_list" alias, against which the IP of every connecting user is checked. (Use the provided list as an example; it includes the server name and a comma-separated list of response numbers to act on if they match.) Warning: This requires very fine tuning so that there are no false positives and innocent netizens are not banned. Therefore, it is recommended to first check through similar websites which reply number correctly triggered the script. For example, if the "dnsbl.dronebl.org" server answered "9" when checking through the DNSBL, then this is correct in most cases and you will ban a real proxy. And if the answer in the same place is "3" or "14", then this may be a false positive. My advice while testing is to turn off the bans by setting the variable to "%ps_btype = off", so that you can just watch what is happening and debug accurately, using the numbers in the responses to recheck what is true and what is false.

  5. Through the alias "proxyscanner_set" you can customize the configuration parameters of the script:
      %ps_servers – Contains a comma-separated list of the servers ("irc.server1.com,irc.server2.com") on which the script should work. (You can specify "all" for all servers.)
      %ps_snomask – All "snomask" modes that must be enabled for the bot to work correctly are indicated here.
      %ps_btype – The type of server ban is indicated here. (Possible options: "ZLINE/KLINE/GLINE"; to disable bans, set the value to "off".)
      %ps_btime – Contains the time for which the ban will be set for the user.
      %ps_breason – The reason for the ban is indicated here, which will be visible to the banned user.
      %ps_blogo – The logo prefix, which will be present in all messages of the script.
      %ps_mchan – Here you specify the channel to which a message is written when a detected proxy is banned.
      %ps_admins – A comma-separated list of aliases for which script control will be available.

I am attaching a screenshot of how the script, after the user is banned, reports in the specified channel about the proxy found in the DNSBL list:

      [Linked Image from i.ibb.co]

Click on the button to reveal the spoiler. This code must be inserted into the scripts editor. To do this, press the key combination "ALT+R" and save this code as a new "File/New" script called "AntiProxyScan.mrc":

Code
; ===================================================================
;   Name: AntiProxyScan v1.0
;   Author: Epic (epicnet@mail.ru, http://epicnet.ru)
;   Description: Automatically scans all incoming connections to the server for proxy addresses and sets a server ban if found.
; ===================================================================

alias -l proxyscanner_set {
  %ps_servers = all
  %ps_snomask = +cC
  %ps_btype = ZLINE
  %ps_btime = 3d
  %ps_breason = Your IP was found in DNSBL and it is suspected that is (VPN/Tor/Proxy). To unlock contact the chat administration.
  %ps_blogo = DNSBL: 01,04 BAN 
  %ps_mchan = #Services
  %ps_admins = Epic,Sleepyhead,Admin
}
alias -l proxyscanner_list {
  if ($hget(ps-dnsbl,0).item) .hfree -sw ps-dnsbl
  .hadd -m ps-dnsbl dnsbl.dronebl.org 4,5,6,7,8,9,10,13,15,17,255
  .hadd -m ps-dnsbl rbl.efnetrbl.org 1,3,4,5,6,7,8,9,10,11,12,13,14,15
  .hadd -m ps-dnsbl rbl.efnet.org 1,4,5
  .hadd -m ps-dnsbl tor.efnet.org 1
  .hadd -m ps-dnsbl cbl.abuseat.org 1,3,4,5,6,7,8,9,10,11,12,13,14,15
  .hadd -m ps-dnsbl sbl.spamhaus.org 1,5,6,7,8,9,10,12,13,14,15,255
  .hadd -m ps-dnsbl abuse-contacts.abusix.org 2,3,4
  .hadd -m ps-dnsbl safe.dnsbl.sorbs.net 1,3
  .hadd -m ps-dnsbl all.s5h.net 1,3
  .hadd -m ps-dnsbl bl-h1.rbl.polspam.pl 1
  .hadd -m ps-dnsbl postmaster.rfc-clueless.org 3
}
; ====================================================
on *:LOAD:{ proxyscanner_set | proxyscanner_list | if (!%ps_work) %ps_work = on }
on *:CONNECT: proxyscanner_set | proxyscanner_list | if (!%ps_work) %ps_work = on | if ($istok(%ps_servers,$server,44)) || (%ps_servers == all) { /mode $me +s %ps_snomask }
on *:TEXT:!ps*:#:{
  if ($1 == !ps && $istok(%ps_admins,$nick,44)) {
    if (!$2) { .notice $nick Syntax: !ps <start/stop/reload> | halt }
    if ($2 == start) { %ps_work = on | .notice $nick ProxyScanner on } | if ($2 == stop) { %ps_work = off | .notice $nick ProxyScanner off }
    if ($2 == reload) { proxyscanner_set | proxyscanner_list | .notice $nick ProxyScanner reload }
  }
}
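; Fires on the notice the server sends to opers for each new client (needs snomask +cC).
on *:SNOTICE:*Client connecting*:{
  if (%ps_work == on) {
    ; $nick is the server that sent the notice; scan only on the configured servers
    if ($istok(%ps_servers,$nick,44)) || (%ps_servers == all) {
      ; take the nick!ident@ip token from the notice and split it into nick, IP and ident
      var %ps_mask $remove($wildtok($1-,*@*,1,32),$chr(40),$chr(41)) | var %ps_nick $gettok(%ps_mask,1,33) | var %ps_ip $gettok(%ps_mask,2,64) | var %ps_id $gettok($gettok(%ps_mask,1,64),2,33)
      ; only a dotted-quad IPv4 address can be reversed into a DNSBL query
      if ($ps_detectip(%ps_ip)) proxyscanner_check %ps_ip %ps_id %ps_nick
    }
  }
}
; ====================================================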
alias -l proxyscanner_check {
  var %ps_reverse $ps_revip($1) | .hadd -mu60 ps-oip %ps_reverse $1 | .hadd -mu60 ps-oid %ps_reverse $2 | .hadd -mu60 ps-onick %ps_reverse $3
  var %ps_all $hget(ps-dnsbl,0).item | var %ps_q 1 | while (%ps_q <= %ps_all) {
    var %ps_name $hget(ps-dnsbl,%ps_q).item | var %ps_check $+(%ps_reverse,.,%ps_name)
    .dns %ps_check | inc %ps_q
  }
}
on *:DNS:{
  var %ps_i $dns(0) | while (%ps_i > 0) {
    var %ps_dnsname $dns(%ps_i) | var %ps_dnsip $dns(%ps_i).ip | var %ps_dnsnum $gettok(%ps_dnsip,4,46) | var %ps_dnsrip $gettok(%ps_dnsname,1-4,46) | var %ps_dnsrname $gettok(%ps_dnsname,5-,46)
    if (!$hget(ps-banip,%ps_dnsrip) && $istok($hget(ps-dnsbl,%ps_dnsrname),%ps_dnsnum,44)) {
      ;------------------------------------
      if ($me ison %ps_mchan) /msg %ps_mchan %ps_blogo $+(07,$hget(ps-onick,%ps_dnsrip),) => $+(04,$hget(ps-oid,%ps_dnsrip),@,$hget(ps-oip,%ps_dnsrip),) => $+(06,%ps_dnsrname,) $+($chr(40),07,%ps_dnsnum,,$chr(41)) - $ps_gettype(%ps_dnsname,%ps_dnsnum)
      if (%ps_btype == ZLINE) .ZLINE $hget(ps-oip,%ps_dnsrip) %ps_btime %ps_breason
      if (%ps_btype == KLINE) .KLINE $+(*@,$hget(ps-oip,%ps_dnsrip)) %ps_btime %ps_breason
      if (%ps_btype == GLINE) .GLINE $+(*@,$hget(ps-oip,%ps_dnsrip)) %ps_btime %ps_breason
      ;------------------------------------
      .hadd -mu30 ps-banip %ps_dnsrip 1 | .break
    } | dec %ps_i
  }
}
alias -l ps_revip { tokenize 46 $1 | return $+($4,.,$3,.,$2,.,$1) }
alias -l ps_detectip { tokenize 46 $1 | if ($0 == 4 && $1 isnum 0-255 && $2 isnum 0-255 && $3 isnum 0-255 && $4 isnum 0-255) { return 1 } }
alias -l ps_gettype {
  if (dronebl isin $1) { 
    if ($2 == 2) { return Sample }
    if ($2 == 3) { return IRC Drone }
    if ($2 == 5) { return Bottler }
    if ($2 == 6) { return Unknown Spambot/Drone }
    if ($2 == 7) { return DDOS Drone }
    if ($2 == 8) { return SOCKS Proxy }
    if ($2 == 9) { return HTTP Proxy }
    if ($2 == 10) { return Proxy Chain }
    if ($2 == 11) { return Web Page Proxy }
    if ($2 == 12) { return Open DNS Resolver }
    if ($2 == 13) { return Brute Force Attackers }
    if ($2 == 14) { return Open Wingate Proxy }
    if ($2 == 15) { return Compromised Router/Gateway }
    if ($2 == 16) { return Autorooting worms }
    if ($2 == 17) { return Automatically determined botnet IPs (experimental) }
    if ($2 == 18) { return DNS/MX type hostname detected on IRC }
  }
  if (rbl.efnet isin $1) { 
    if ($2 == 1) { return Open Proxy }
    if ($2 == 2) { return Spamtrap666 }
    if ($2 == 3) { return Spamtrap50 }
    if ($2 == 4) { return TOR } 
    if ($2 == 5) { return Drones/Flooding }
  }
  if (tor.efnet isin $1) { return Tor Server }
  if ($2 == 255) { return 10Unknown }
  else { return Unknown Proxy }
}


The script was tested on InspIRCD v3 + mIRC v7.63.

Remember that if something goes wrong, or you accidentally erase something, you can always reinstall this script again.
If you find any errors in the code or in how it works, or maybe you have new ideas, or if you think that this script needs to be improved, then be sure to write to me here about it, and together we will think about what we can do.


Re: Open Proxies [Re: Epic] #268255 18/12/20 10:46 PM
Konrado
Joined: Nov 2020
Posts: 16
auto-scan join nick in channel "SCANNER" grin

Nice script good job

Re: Open Proxies [Re: Epic] #268257 19/12/20 07:14 AM
Sleepyhead (OP)
Joined: Dec 2020
Posts: 3
Hello Epic,

Thank you so much for the code. I really appreciate the effort you have put into building this code and helping me out. I will go ahead and test this code and will get you the much-needed feedback on it. I just have one more question to ask: is it possible to add http://ircbl.org to the list of scanning websites? Most of the VPN proxies which the abusers may use can be found on ircbl.org, and it would be of great help.

Nonetheless, thank you for helping us out,

Thanks & Regards,
SH

Re: Open Proxies [Re: Sleepyhead] #268258 19/12/20 03:05 PM
Epic
Joined: Jan 2012
Posts: 82
As far as I could find information about "http://ircbl.org", it is most likely closed to general remote use and works only by invitation or after registering on their resource. (I could be wrong.) But I was unable to find their DNSBL servers that check for bad IP addresses. The only option would be to add an additional piece of code to this script that could check the addresses of attackers through this web page. But this would already be a workaround and not entirely reliable, because the resource owners can block access to the site due to frequent requests from the bot to this page.

Fortunately, I think this is not really necessary, because you can create your own large list of free DNSBL servers to protect your chat. And this will work no less efficiently than that site. The main thing is to keep your list compact, so that the check happens quickly enough (within 1 second), and it is important to minimize the false positives of the script by fine tuning.

The lists themselves can be found through search engines, and thus you can collect a working and reliable list of DNSBL servers in this script. The main thing is to test them thoroughly, because not all of them may be working, or they can give false responses for both normal and bad IP addresses; therefore, to detect real proxies, it is necessary to work only with those numerical answers that give 99.9% correct results.

For example: "dnsbl.dronebl.org 4,5,6,7,8,9,10,13,15,17,255" - during my testing with this DNSBL server, false positives occurred with the numeric responses "1,2,3,11,12,14,16", therefore they are absent from the numeric comma-separated list. The numeric response "255" catches unknown and unsigned (without a signature) addresses as proxies found through this server, which can also be a false positive, but I included it in the list just in case.
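
Added example, not part of the original posts or of Epic's script: the DNSBL lookup and per-zone code filtering described above, sketched in Python with a log-only mode that mirrors "%ps_btype = off". The two zone entries are copied from the thread; `FAKE_DNS`, the documentation-range IPs and all function names are constructed for illustration, and the 127.0.0.0/8 check on answers is an addition beyond what the script does.

```python
import ipaddress
import socket

# Zone -> listing codes (last octet of a 127.0.0.x answer) that count as a hit.
# Both entries are taken from the list posted in this thread.
ZONES = {
    "dnsbl.dronebl.org": {4, 5, 6, 7, 8, 9, 10, 13, 15, 17, 255},
    "tor.efnet.org": {1},
}

# Constructed sample answers (documentation-range IPs, not real listings).
FAKE_DNS = {
    "9.2.0.192.dnsbl.dronebl.org": ["127.0.0.9"],
    "14.100.51.198.dnsbl.dronebl.org": ["127.0.0.14"],
    "7.113.0.203.tor.efnet.org": ["203.0.113.80"],
}

def fake_resolver(name):
    return FAKE_DNS.get(name, [])

def system_resolver(name):
    """A records for name; empty when the lookup fails (NXDOMAIN = not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone; ValueError if not IPv4."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_ip(ip, zones=ZONES, resolve=system_resolver, enforce=False):
    """Return (action, hits, ignored) for one connecting address."""
    hits, ignored = [], []
    for zone, bad_codes in zones.items():
        for answer in resolve(query_name(ip, zone)):
            octets = answer.split(".")
            # Listing codes live in 127.0.0.0/8; any other answer (wildcard
            # or rewriting resolver) must not be read as a code.
            if octets[0] == "127" and int(octets[3]) in bad_codes:
                hits.append((zone, int(octets[3])))
            else:
                ignored.append((zone, answer))
    if not hits:
        return "allow", hits, ignored
    return ("ban" if enforce else "log-only"), hits, ignored

if __name__ == "__main__":
    for ip in ("192.0.2.9", "198.51.100.14", "203.0.113.7"):
        print(ip, check_ip(ip, resolve=fake_resolver))
```

The `ignored` list is what to review during a log-only trial: it shows the codes and stray answers that were seen but not acted on, before any code is added to a zone's list.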


Re: Open Proxies [Re: Epic] #268260 20/12/20 02:43 AM
Sleepyhead (OP)
Joined: Dec 2020
Posts: 3
Hello Epic,

The code which you posted earlier works well. I have been using it since yesterday and I haven't seen any false positives yet. I have cross-checked it on different websites. Talking about IRCbl.org, even I am trying to find a way to subscribe to them, but with no luck so far. I will keep you posted if I get any valuable information on it.

Thank you again for your valuable response on the issue.

Thanks & Regards,
SH

Re: Open Proxies [Re: Epic] #268308 30/12/20 11:30 PM
Bes
Joined: Dec 2020
Posts: 8
I have tried it and it doesn't work with my script. I don't know where the problem is.

I have the latest version of mIRC and I have followed step by step what you wrote, but it does not work.

Can you make a mIRC with just this script, make a RAR file, and send it to me?

On my server I can't set mode +cC on myself because the server says unknown modes.

Thanks for the help.

Last edited by Bes; 30/12/20 11:43 PM.