##########################################################
##  _                                              __   ##
## | |__   ___  _ __  _ __ ___     ___ ___  _ __  / _|  ##
## | '_ \ / _ \| '_ \| '_ ` _ \   / __/ _ \| '_ \| |_   ##
## | |_) | (_) | |_) | | | | | | | (_| (_) | | | |  _|  ##
## |_.__/ \___/| .__/|_| |_| |_|  \___\___/|_| |_|_|    ##
##             |_|                             3.1.3    ##
##                                                      ##
##                  bopm.conf by DeviL                  ##
##          irc.sisrv.net - support@sisrv.net           ##
##                                                      ##
##                 Build on 02.01.2018                  ##
##########################################################

options {
    pidfile = "/home/sisrv/bopm/bopm.pid";
    dns_fdlimit = 64;
};

IRC {
    vhost = "";
    nick = "BOPM";
    realname = "SiSrv proxy scanner";
    username = "sisrv";
    server = "you-shell-ip-here";
    port = 6667;
    oper = "BOPM operPass";
    nickserv = "privmsg nickserv :identify bopmpass";
    away = "enter your away msg!";

    /* If you are using UnrealIRCd then use the configuration options below. */
    mode = "+s +cF";
    connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";
    perform = "PROTOCTL HCN";

    /*
     * If you are using IRCu then uncomment the configuration options below and comment out the three above
     * *** Note: You must have 'F:CONNEXIT_NOTICES:TRUE' in your ircd.conf to allow opers to see connexits
     */
    #mode = "+s 16384"; # Allows BOPM to see network-wide connexits.
    #connregex = "\\*\\*\\* Notice -- Client connecting.*: ([^ ]+) \\(([^@]+)@([^\\)]+)\\) \\[([0-9\\.]+)\\].*";

    /* Visit http://wiki.blitzed.org/BOPM/FAQ for more connregex for other IRCd software. */

    /* Channel configuration for BOPM */
    channel {
        name = "#staff";
        key = "keyhere";
        invite = "PRIVMSG chanserv :invite #staff";
    };

    kline = "gline +*@%h 10000 :4An open proxy was detected on your host - 12support@sisrv.net";
};

OPM {
    /*
     *
     * Please check the validity of using : signs in the K-line reason.
     * If it is not supported, you should change the kline rules below
     * to something without the : sign
     *
     */

    blacklist {
        name = "rbl.efnetrbl.org";
        type = "A record reply";
        ban_unknown = no;
        reply {
            1 = "Open Proxy";
            2 = "spamtrap666";
            3 = "spamtrap50";
            4 = "TOR";
            5 = "Drones / Flooding";
        };
        kline = "gzline +*@%i 3h 4An open proxy was detected in your host - efnetRBL - 12support@sisrv.net";
    };

    blacklist {
        name = "rbl.efnet.org";
        type = "A record reply";
        reply {
            1 = "Open proxy";
            2 = "Trojan spreader";
            3 = "Trojan infected client";
            4 = "TOR exit server";
            5 = "Drones / Flooding";
        };
        ban_unknown = no;
        kline = "gzline +*@%i 3h 4An open proxy was detected in your host - efnet RBL - 12support@sisrv.net";
    };

    blacklist {
        name = "dnsbl.dronebl.org";
        type = "A record reply";
        reply {
            2 = "Sample";
            3 = "IRC Drone";
            5 = "Bottler";
            6 = "Unknown spambot or drone";
            7 = "DDOS Drone";
            8 = "SOCKS Proxy";
            9 = "HTTP Proxy";
            10 = "ProxyChain";
            13 = "Brute force attackers";
            14 = "Open Wingate Proxy";
            15 = "Compromised router / gateway";
            17 = "Automatically determined botnet IPs (experimental)";
            255 = "Unknown";
        };
        ban_unknown = no;
        kline = "gzline +*@%i 3h 4An open proxy was detected in your host - DroneBL - 12support@sisrv.net";
    };
};

scanner {
    name = "Default";

    /*
       The following list of port scans have been compiled by analysing the most common
       open ports used by proxies that have been added to our DNSBL, and those which have
       connected to our network. Port scanning will never be able to detect every proxy
       connecting to your network as many now use random & uncommon ports. However there
       are still ports which are commonly used and we believe the majority of them are
       included below.

       Note: Some IRC hosts do not allow port scans to be conducted through their network
       regardless of the intention. Please check with your host before conducting any
       scans using BOPM.
       Be aware that scanning users on a large list of ports will severely impact the
       performance of your BOPM, and very often firewalls will block your scans after you
       have tried a certain number of ports. (Therefore you should list the port scans by
       how common they are).
    */

    protocol = ROUTER:23;
    protocol = SOCKS4:559;
    protocol = HTTPPOST:3128;
    protocol = SOCKS4:1080;
    protocol = HTTP:8080;
    protocol = SOCKS5:1182;
    protocol = HTTP:3128;
    protocol = HTTPPOST:8080;
    protocol = SOCKS4:9999;
    protocol = HTTPPOST:80;
    protocol = SOCKS5:1080;
    protocol = HTTP:63000;
    protocol = HTTP:8000;
    protocol = HTTPPOST:808;
    protocol = HTTP:80;
    protocol = HTTPPOST:6588;
    protocol = HTTP:6588;
    protocol = SOCKS5:3128;
    protocol = SOCKS5:10080;
    protocol = HTTPPOST:4480;
    protocol = SOCKS4:6664;
    protocol = SOCKS4:63808;
    protocol = HTTP:6667;
    protocol = SOCKS4:19991;
    protocol = SOCKS4:1098;
    protocol = SOCKS4:10000;
    protocol = SOCKS4:4471;
    protocol = HTTP:65506;
    protocol = HTTP:63809;
    protocol = SOCKS5:9090;
    protocol = HTTP:9090;
    protocol = HTTP:6668;
    protocol = SOCKS4:58;
    protocol = SOCKS5:58;
    protocol = SOCKS4:6969;
    protocol = WINGATE:23;
    protocol = SOCKS5:3380;
    protocol = SOCKS4:40;
    protocol = SOCKS5:443;
    protocol = SOCKS4:8888;
    protocol = HTTPPOST:9090;
    protocol = HTTP:5490;
    protocol = SOCKS4:8080;
    protocol = SOCKS5:6969;
    protocol = SOCKS4:1026;
    protocol = SOCKS4:1025;
    protocol = HTTP:8888;
    protocol = HTTP:6669;
    protocol = HTTP:8090;
    protocol = HTTP:808;
    protocol = SOCKS5:1029;
    protocol = SOCKS4:41080;
    protocol = SOCKS5:8020;
    protocol = SOCKS5:6000;
    protocol = HTTPPOST:8081;
    protocol = HTTP:4480;
    protocol = SOCKS5:1027;
    protocol = SOCKS4:1028;
    protocol = HTTP:3332;
    protocol = SOCKS5:8888;
    protocol = SOCKS5:1028;
    protocol = SOCKS4:3330;
    protocol = SOCKS4:29992;
    protocol = SOCKS4:1234;
    protocol = SOCKS4:1029;
    protocol = HTTP:5000;
    protocol = HTTP:443;
    protocol = SOCKS5:1813;
    protocol = SOCKS5:1081;
    protocol = SOCKS5:1026;
    protocol = SOCKS4:1337;
    protocol = SOCKS4:1050;
    protocol = HTTP:1080;
    protocol = SOCKS5:9999;
    protocol = SOCKS5:9100;
    protocol = SOCKS5:19991;
    protocol = SOCKS5:1098;
    protocol = SOCKS4:9100;
    protocol = SOCKS4:7080;
    protocol = SOCKS4:1033;
    protocol = HTTP:9000;
    protocol = HTTP:5800;
    protocol = HTTP:5634;
    protocol = HTTP:4471;
    protocol = HTTP:3382;
    protocol = SOCKS5:1200;
    protocol = SOCKS5:1039;
    protocol = SOCKS5:1025;
    protocol = SOCKS4:8002;
    protocol = SOCKS4:6748;
    protocol = SOCKS4:44548;
    protocol = SOCKS4:3380;
    protocol = SOCKS4:32167;
    protocol = SOCKS4:2000;
    protocol = SOCKS4:1979;
    protocol = SOCKS4:12654;
    protocol = SOCKS4:11225;
    protocol = SOCKS4:1066;
    protocol = SOCKS4:1030;
    protocol = SOCKS4:1027;
    protocol = SOCKS4:10099;
    protocol = HTTP:81;
    protocol = HTTP:6665;
    protocol = HTTP:6664;
    protocol = HTTP:6663;
    protocol = SOCKS5:8278;
    protocol = SOCKS5:6748;
    protocol = SOCKS5:4914;
    protocol = SOCKS5:4471;
    protocol = SOCKS5:29992;
    protocol = SOCKS5:17235;
    protocol = SOCKS5:1234;
    protocol = SOCKS5:1202;
    protocol = SOCKS5:1180;
    protocol = SOCKS5:1075;
    protocol = SOCKS5:1033;
    protocol = SOCKS5:10000;
    protocol = SOCKS4:8020;
    protocol = SOCKS4:4044;
    protocol = SOCKS4:3128;
    protocol = SOCKS4:3127;
    protocol = SOCKS4:28882;
    protocol = SOCKS4:24973;
    protocol = SOCKS4:21421;
    protocol = SOCKS4:1182;
    protocol = SOCKS4:1032;
    protocol = SOCKS4:10242;
    protocol = HTTPPOST:8089;
    protocol = HTTP:8082;
    protocol = HTTP:6661;
    protocol = HTTP:35233;
    protocol = HTTP:19991;
    protocol = HTTP:1098;
    protocol = HTTP:1050;
    protocol = SOCKS5:9988;
    protocol = SOCKS5:8080;
    protocol = SOCKS5:8009;
    protocol = SOCKS5:6561;
    protocol = SOCKS5:24971;
    protocol = SOCKS5:18844;
    protocol = SOCKS5:1122;
    protocol = SOCKS5:10777;
    protocol = SOCKS5:1030;
    protocol = SOCKS5:10130;
    protocol = SOCKS5:10099;
    protocol = SOCKS4:8751;
    protocol = SOCKS4:8278;
    protocol = SOCKS4:8111;
    protocol = SOCKS4:7007;
    protocol = SOCKS4:6551;
    protocol = SOCKS4:5353;
    protocol = SOCKS4:443;
    protocol = SOCKS4:43341;
    protocol = SOCKS4:3801;
    protocol = SOCKS4:2280;
    protocol = SOCKS4:1978;
    protocol = SOCKS4:1212;
    protocol = SOCKS4:1039;
    protocol = SOCKS4:1031;
    protocol = HTTPPOST:81;
    protocol = HTTP:9988;
    protocol = HTTP:7868;
    protocol = HTTP:7070;
    protocol = HTTP:444;
    protocol = HTTP:1200;
    protocol = HTTP:1039;
    protocol = SOCKS5:1080;
    protocol = SOCKS4:1080;
    protocol = HTTP:8080;
    protocol = HTTP:80;
    protocol = HTTP:3128;
    protocol = HTTP:6588;
    protocol = SOCKS5:25552;
    protocol = SOCKS4:25552;
    protocol = SOCKS4:11171;
    protocol = SOCKS5:11171;

    /* Note that the following ports may not be scannable on certain machines/IPs. To ensure your network is fully protected
     * we advise you to make sure that your BOPM is able to scan these ports properly as they have recently become incredibly
     * popular and can be used in their thousands to connect to networks.
     */
    protocol = SOCKS5:11011;
    protocol = SOCKS4:11011;
    protocol = SOCKS5:11022;
    protocol = SOCKS4:11022;
    protocol = SOCKS5:11033;
    protocol = SOCKS4:11033;
    protocol = SOCKS5:11055;
    protocol = SOCKS4:11055;
    protocol = SOCKS5:17327;
    protocol = SOCKS4:17327;
    protocol = SOCKS5:14841;
    protocol = SOCKS4:14841;
    protocol = SOCKS4:22277;
    protocol = SOCKS5:22277;
    protocol = SOCKS5:18888;
    protocol = SOCKS4:18888;

    fd = 5000;
    max_read = 4096;
    timeout = 15;

    /* These settings will work for scanning - Feel free to change them if you wish
       (be careful of false positives when using IRCd banner strings) */
    target_ip = "you-shell-ip-here";
    target_port = 6667;
    target_string = "swiftbl check";
};

user {
    mask = "*!*@*";
    scanner = "Default";
};

exempt {
    mask = "*@*.sisrv.net";
};
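
How the `connregex` capture and an "A record reply" blacklist lookup fit together, as an added Python example that is not part of the original bopm.conf or of BOPM's own code. The function names, the sample notice and the stand-in resolver data are constructed for illustration; the regex and the reply codes are copied from the config above.

```python
import ipaddress
import re
import socket

# connregex from the IRC block, with the config file's backslash doubling removed.
CONNREGEX = re.compile(
    r"\*\*\* Notice -- Client connecting.*: ([^ ]+) \(([^@]+)@([^\)]+)\) \[([0-9\.]+)\].*"
)
# Reply codes copied from the dnsbl.dronebl.org blacklist block (subset).
DRONEBL_REPLIES = {3: "IRC Drone", 8: "SOCKS Proxy", 9: "HTTP Proxy", 255: "Unknown"}
# Constructed sample notice and constructed DNSBL answers (documentation addresses).
SAMPLE_NOTICE = "*** Notice -- Client connecting on port 6667: guest1 (ident@host.example.net) [192.0.2.45]"
SAMPLE_ZONE_DATA = {
    "45.2.0.192.dnsbl.dronebl.org": "127.0.0.8",   # listed, code 8
    "46.2.0.192.dnsbl.dronebl.org": "127.0.0.99",  # listed, code not in the reply block
}


def parse_connect_notice(line):
    """Return (nick, user, host, ip) captured by connregex, or None."""
    match = CONNREGEX.search(line)
    return match.groups() if match else None


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def offline_resolve(name):
    """Stand-in resolver over SAMPLE_ZONE_DATA; unlisted names fail like NXDOMAIN."""
    if name not in SAMPLE_ZONE_DATA:
        raise socket.gaierror("not listed")
    return SAMPLE_ZONE_DATA[name]


def check_dnsbl(ip, zone, replies, ban_unknown=False, resolve=socket.gethostbyname):
    """Return the matched reply text, "unknown" when ban_unknown applies, else None."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:  # no A record: the address is not listed
        return None
    code = int(answer.rsplit(".", 1)[1])  # "A record reply": compare the last octet
    if code in replies:
        return replies[code]
    return "unknown" if ban_unknown else None


if __name__ == "__main__":
    ip = parse_connect_notice(SAMPLE_NOTICE)[3]
    print(ip, check_dnsbl(ip, "dnsbl.dronebl.org", DRONEBL_REPLIES, resolve=offline_resolve))
```

With `ban_unknown = no`, as set in all three blacklist blocks, a listed address whose reply code is missing from the `reply` block is not banned, so the `reply` lists need to stay in step with the codes each DNSBL actually returns.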