This is a proxy scanner that uses basically the same blacklists that BOPM uses to scan for proxies.
It automatically scans every user that connects anywhere on the network. If an IP can't be resolved (no hostname), it posts a message in orange text in #Opers saying the IP can't be resolved. Turn this off or remove it if the server isn't set to resolve hostnames.
On detection of a proxy, a global-zline is placed to kick the IP off, and an alert will be posted in red in #Opers.
There are also manual controls, and channel triggers.
Manual controls:
/proxyscan #Chan - will scan every user in the channel on a timer. This will spam results of every scan into #Opers.
/scanuser user - will scan the user. Will spam results into #Opers.
Remote:
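!proxyscan nick/ip/hostname - lets other people activate the script by typing this command in #Opers. They can enter a nick, an IP or a hostname. Results of the scan will be posted into #Opers. Anyone who can speak in #Opers can trigger a scan, so keep that channel restricted to opers.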
(05:51:27 pm) /Me\ !proxyscan 127.0.0.1
(05:51:27 pm) /Bot\ [ProxyScan] Scanning (Address: Localhost IP: 127.0.0.1)
(05:51:27 pm) /Bot\ [DroneBL] 127.0.0.1 was not found in the DroneBL Blacklist.
(05:51:28 pm) /Bot\ [AHBL] 127.0.0.1 was not found in the IrcAHBL Blacklist.
(05:51:28 pm) /Bot\ [Sectoor] 127.0.0.1 was not found in the Tor Blacklist at Sectoor.de.
(05:51:28 pm) /Bot\ [RBL.Efnet] 127.0.0.1 was not found in the RBL Blacklist at Efnet.org.
(05:51:30 pm) /Bot\ [Tor.Efnet] 127.0.0.1 was not found in the Tor Blacklist at Efnet.org.
I've been using this on 3 networks effectively, with very rare problems. Occasionally you do get the same error BOPM had, where a blacklist breaks and returns a false result and the IP gets zlined for it (this happened to my VPS IP once). Because the blacklist involved failed fairly often, I didn't include it here. Keep in mind that the script zlines on any positive answer from a list, so a list that misbehaves will ban legitimate users.
;mIRC Proxy Scanner by Rayth
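; Initialise the two global state flags when the script is first loaded.
;   %dns      - "on" makes the DNS handler post every step of a scan to #Opers
;   %Scanning - "Yes" while a blacklist lookup chain is in progress
on *:LOAD:{
  set %dns Off
  set %Scanning No
}
; Also reset the flags every time mIRC starts. Variables set with /set are
; saved between sessions, so a client that exited in the middle of a scan
; would otherwise come back with %Scanning still "Yes"; the DNS handler only
; starts a new scan when %Scanning is "No", so connecting users would then go
; unscanned until someone reset the flag by hand.
on *:START:{
  set %dns Off
  set %Scanning No
}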
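; Remote trigger: "!proxyscan <nick|ip|hostname>" typed in #Opers.
; A target containing a dot is treated as an IP or hostname and resolved
; directly; anything else is treated as a nick and sent to the server as a
; USERIP request, whose 340 reply feeds the DNS lookup.
; NOTE(review): the event matches any user level (*), so access control is
; whatever restricts who can speak in #Opers - confirm that channel is oper-only.
on *:TEXT:*:#Opers:{
  if ($1 != !proxyscan) { return }
  ; Without a target there is nothing to look up; returning here avoids
  ; sending an empty USERIP and leaving verbose mode switched on for nothing.
  if ($2 == $null) { return }
  ; %dns is a single global flag, so verbose output also applies to any
  ; automatic scan that is running at the same time.
  set %dns on
  if ($chr(46) isin $2) { dns $2 }
  else { userip $2 }
}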
; DNS reply handler. One global flag, %Scanning, decides how a reply is read:
;   %Scanning == No  -> the reply is for a user/host lookup; start the blacklist chain
;   otherwise        -> the reply is for a blacklist query; report it and query the next list
; The chain runs DroneBL -> AHBL -> Sectoor -> rbl.efnetrbl.org -> tor.efnet.org, and the
; last stage sets %dns off and %Scanning No again.
; NOTE(review): because the flag is global, a lookup for a newly connected user that
; completes while %Scanning is Yes lands in the second branch, matches none of the
; %Service values and appears to be dropped without being scanned - confirm and consider
; routing on the queried name instead of the flag.
on 1:DNS:{
If (%Scanning == No) {
; $dns(0) is the number of results returned for the lookup
var %n = $dns(0)
if (%n > 0) {
var %count = 1
while (%n > 0) {
; Verbose mode only: announce the address being scanned
if (%dns == on) { msg #Opers 11,1[ProxyScan] Scanning (Address: $dns(%n).addr IP: $dns(%n).ip $+ ) }
; %count is incremented here but never read in this handler
inc %count
; NOTE(review): %n is decremented before the IP is read, so the address queried below
; is not the one announced above, and on the last pass it is $dns(0).ip - confirm
; what mIRC returns for index 0 with the .ip property
dec %n
; Reverse the four octets (a.b.c.d -> d.c.b.a) to build the blacklist query name
%ip = $+($gettok($dns(%n).ip,4,46),$chr(46),$gettok($dns(%n).ip,3,46),$chr(46),$gettok($dns(%n).ip,2,46),$chr(46),$gettok($dns(%n).ip,1,46))
set %Scanning Yes
; The leading "." runs the lookup silently; the answer re-enters this handler
.dns %ip $+ .dnsbl.dronebl.org
}
}
Else {
; No results: report whatever is known about the query to #Opers
Var %Query
If ($dns(0).addr) { %Query = %Query Address: $dns(0).addr }
If ($dns(0).ip) { %Query = %Query Ip: $dns(0).ip }
If ($dns(0).nick) { %Query = %Query Nick: $dns(0).nick }
msg #Opers 7,1[ProxyScan] Could not resolve ( $+ %Query $+ )
; An IP with no hostname is still checked against the blacklists
If ($dns(0).ip) {
%ip = $+($gettok($dns(0).ip,4,46),$chr(46),$gettok($dns(0).ip,3,46),$chr(46),$gettok($dns(0).ip,2,46),$chr(46),$gettok($dns(0).ip,1,46))
set %Scanning Yes
.dns %ip $+ .dnsbl.dronebl.org
}
}
}
Else {
; A scan is in progress: the queried name is read as <reversed-ip><blacklist zone>.
;   %ip      - the original address (tokens 4,3,2,1 of the queried name)
;   %rip     - the reversed address as it appears in the query (tokens 1-4)
;   %Service - what is left of the queried name once %rip is removed, i.e. the zone
; %ip, %rip and %Service are assigned without "var", so they are global variables.
%ip = $+($gettok($dns(0).addr,4,46),$chr(46),$gettok($dns(0).addr,3,46),$chr(46),$gettok($dns(0).addr,2,46),$chr(46),$gettok($dns(0).addr,1,46))
%rip = $+($gettok($dns(0).addr,1,46),$chr(46),$gettok($dns(0).addr,2,46),$chr(46),$gettok($dns(0).addr,3,46),$chr(46),$gettok($dns(0).addr,4,46))
%Service = $remove($dns(0).addr,%rip)
; Each stage below: any answer counts as "listed" -> alert in #Opers plus a 3 hour gzline;
; no answer -> "not found" message in verbose mode; then the next list is queried either way.
; NOTE(review): the answer is never checked to be a 127.0.0.x return code before the
; gzline, so a zone that starts answering every query would ban every scanned address.
; NOTE(review): the chain continues after a hit, so one address can be gzlined by
; several stages in a row.
; NOTE(review): every alert below reads "is a was found" - wording slip in the message.
If (%Service == .dnsbl.dronebl.org) {
If ($dns(0).ip) {
; The last octet of the answer is the DroneBL type code, translated by $gettype
msg #Opers 4,1[DroneBL] %ip is a was found in the DroneBL (Type $gettok($dns(0).ip,4,46) $+ / $+ $gettype(dronebl,$gettok($dns(0).ip,4,46)) $+ )
gzline *@ $+ %ip 3h This IP Was found in the DroneBL Blacklist as type $gettype(dronebl,$gettok($dns(0).ip,4,46)) $+ . Goto http://dronebl.org/lookup_branded?ip= $+ %ip $+ &network= $+ $network
}
if (!$dns(0).ip) && (%dns == on) { msg #Opers 3,1[DroneBL] %ip was not found in the DroneBL Blacklist. }
.dns %rip $+ .ircbl.ahbl.org
}
If (%Service == .ircbl.ahbl.org) {
If ($dns(0).ip) {
msg #Opers 4,1[AHBL] %ip is a was found in the IRCBl at AHBL.org (Type $gettok($dns(0).ip,4,46) $+ / $+ $gettype(ircahbl,$gettok($dns(0).ip,4,46)) $+ )
gzline *@ $+ %ip 3h This IP Was found in the IrcBL at AHBL.org as type $gettype(ircahbl,$gettok($dns(0).ip,4,46)) $+ . Goto http://ahbl.org/removals
}
if (!$dns(0).ip) && (%dns == on) { msg #Opers 3,1[AHBL] %ip was not found in the IrcAHBL Blacklist. }
.dns %rip $+ .tor.dnsbl.sectoor.de
}
If (%Service == .tor.dnsbl.sectoor.de) {
If ($dns(0).ip) {
msg #Opers 4,1[Sectoor] %ip is a was found in the Tor Blacklist at sectoor.de (Type $gettok($dns(0).ip,4,46) $+ / $+ $gettype(sectoor,$gettok($dns(0).ip,4,46)) $+ )
; NOTE(review): this ban reason names sectoor.org (the zone queried is sectoor.de) and
; links to ahbl.org/removals - looks copied from the AHBL stage; confirm the right text
gzline *@ $+ %ip 3h This IP Was found in the Tor Blacklist at sectoor.org as type $gettype(sectoor,$gettok($dns(0).ip,4,46)) $+ . Goto http://ahbl.org/removals
}
if (!$dns(0).ip) && (%dns == on) { msg #Opers 3,1[Sectoor] %ip was not found in the Tor Blacklist at Sectoor.de. }
.dns %rip $+ .rbl.efnetrbl.org
}
If (%Service == .rbl.efnetrbl.org) {
If ($dns(0).ip) {
msg #Opers 4,1[RBL.Efnet] %ip is a was found in the DNS Blacklist at Efnet.Org (Type $gettok($dns(0).ip,4,46) $+ / $+ $gettype(rblefnet,$gettok($dns(0).ip,4,46)) $+ )
gzline *@ $+ %ip 3h This IP Was found in the DNS Blacklist at Efnet.org as type $gettype(rblefnet,$gettok($dns(0).ip,4,46)) $+ . Goto http://rbl.efnetrbl.org/?i= $+ %ip
}
if (!$dns(0).ip) && (%dns == on) { msg #Opers 3,1[RBL.Efnet] %ip was not found in the RBL Blacklist at Efnet.org. }
.dns %rip $+ .tor.efnet.org
}
If (%Service == .tor.efnet.org) {
If ($dns(0).ip) {
msg #Opers 4,1[Tor.Efnet] %ip is a was found in the Tor Blacklist at Efnet.Org (Type $gettok($dns(0).ip,4,46) $+ / $+ $gettype(torefnet,$gettok($dns(0).ip,4,46)) $+ )
; NOTE(review): the lookup link here uses rbl.efnet.org while the previous stage uses
; rbl.efnetrbl.org - confirm which host is intended
gzline *@ $+ %ip 3h This IP Was found in the Tor Blacklist at Efnet.org as type $gettype(torefnet,$gettok($dns(0).ip,4,46)) $+ . Goto http://rbl.efnet.org/?i= $+ %ip
}
if (!$dns(0).ip) && (%dns == on) { msg #Opers 3,1[Tor.Efnet] %ip was not found in the Tor Blacklist at Efnet.org. }
; End of the chain: leave verbose mode and allow the next scan to start
set %dns off
set %Scanning No
}
}
}
; $gettype(list,code) - label for a blacklist answer.
;   $1  list key: dronebl, ircahbl, sectoor, torefnet or rblefnet
;   $2  type code taken from the last octet of the blacklist answer
; ircahbl, sectoor and torefnet have one fixed label and ignore $2.
; Returns nothing for an unknown key or a code that is not in the table, so
; callers that embed the result in a message get an empty type name.
alias gettype {
  var %list = $1
  var %code = $2
  ; Lists with a single fixed label
  if (%list == ircahbl) { return Open Proxy }
  if (%list == sectoor) { return Tor Exit Server }
  if (%list == torefnet) { return Tor Server }
  ; DroneBL type codes
  if (%list == dronebl) {
    if (%code == 2) { return Sample }
    elseif (%code == 3) { return IRC Drone }
    elseif (%code == 5) { return Bottler }
    elseif (%code == 6) { return Unknown Spambot/Drone }
    elseif (%code == 7) { return DDOS Drone }
    elseif (%code == 8) { return SOCKS Proxy }
    elseif (%code == 9) { return HTTP Proxy }
    elseif (%code == 10) { return Proxy Chain }
    elseif (%code == 13) { return Brute Force Attackers }
    elseif (%code == 14) { return Open Wingate Proxy }
    elseif (%code == 15) { return Compromised Router/Gateway }
    elseif (%code == 17) { return Automatically Detected Botnet }
    elseif (%code == 255) { return Unknown }
  }
  ; rbl.efnetrbl.org type codes
  if (%list == rblefnet) {
    if (%code == 1) { return Open Proxy }
    elseif (%code == 2) { return Spamtrap666 }
    elseif (%code == 3) { return Spamtrap50 }
    elseif (%code == 4) { return TOR }
    elseif (%code == 5) { return Drones/Flooding }
  }
}
; Automatic scan: react to the server notice announcing a connecting client and
; ask the server for that client's IP with USERIP.
; The nick is taken from word 9 when word 6 is "on", otherwise from word 8.
; NOTE(review): the word positions presumably match this network's IRCd notice
; format for local and remote connects - verify against the server in use.
on *:SNOTICE:*:{
  if ($4 != client) || ($5 != connecting) { return }
  var %target = $iif($6 == on,$9,$8)
  userip %target
}
; Numeric 340 handler: take the part of $2 after the "@" and resolve it
; silently; the result arrives in the DNS event. "halt" stops further
; processing of the numeric, so the reply is not displayed.
raw 340:*:{
  var %addr = $gettok($2,2,64)
  .dns %addr
  halt
}
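; /proxyscan #chan - queue a scan of every nick in the channel.
;   $1  channel to scan (this client has to be on it for $nick() to list users)
; One /scanuser call is scheduled per nick, two seconds apart, so the lookups
; do not all fire at once. Results are posted to #Opers.
alias proxyscan {
  msg #Opers 11,1[ProxyScan] Scanning Channel $1 for proxies
  var %chan = $1
  ; Counters are local: assigning %total and %count without "var" left them
  ; behind as global variables after the alias finished.
  var %total = $nick(%chan,0)
  var %i = 1
  while (%i <= %total) {
    ; NOTE(review): /timer evaluates its command text a second time when it
    ; fires, and the nick placed here comes from other users. Where the mIRC
    ; version in use provides $unsafe(), wrapping the nick in it keeps the
    ; text from being evaluated again - confirm against the client version.
    timer 1 $calc(%i * 2) scanuser $nick(%chan,%i)
    inc %i
  }
}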
; $getHost(text) - returns the second "@"-separated token of $1, i.e. the host
; part of a user@host string. Returns nothing when there is no second token.
alias getHost {
  ; 64 is the character code of "@"
  var %at = 64
  return $gettok($1,2,%at)
}
; /scanuser nick - manual scan of one user.
; Switches verbose mode on so every blacklist result is posted to #Opers, then
; sends USERIP for the nick; the 340 reply starts the lookup.
alias scanuser {
  set %dns on
  userip $1
}
Use it if you wish. It already does a gline/zline whenever a bad ip is detected.