From 37a3a35120154b6d36e654f3655b4392a1a0c77a Mon Sep 17 00:00:00 2001
From: Marcel Baumgartner
Date: Thu, 31 Aug 2023 01:01:15 +0200
Subject: [PATCH] Added discord nuke bot scan
---
Moonlight/App/MalwareScans/DiscordNukeScan.cs | 54 +++++++++++++++++++
Moonlight/App/Services/MalwareScanService.cs | 3 +-
Moonlight/App/Services/ServerService.cs | 2 +-
3 files changed, 57 insertions(+), 2 deletions(-)
create mode 100644 Moonlight/App/MalwareScans/DiscordNukeScan.cs
diff --git a/Moonlight/App/MalwareScans/DiscordNukeScan.cs b/Moonlight/App/MalwareScans/DiscordNukeScan.cs
new file mode 100644
index 0000000..2fa0f8f
--- /dev/null
+++ b/Moonlight/App/MalwareScans/DiscordNukeScan.cs
@@ -0,0 +1,54 @@
+using Moonlight.App.Database.Entities;
+using Moonlight.App.Models.Misc;
+using Moonlight.App.Services;
+
+namespace Moonlight.App.MalwareScans;
+
+public class DiscordNukeScan : MalwareScan
+{
+ public override string Name => "Discord nuke";
+ public override string Description => "Discord nuke bot detector";
+ public override async Task Scan(Server server, IServiceProvider serviceProvider)
+ {
+ var serverService = serviceProvider.GetRequiredService();
+ var access = await serverService.CreateFileAccess(server, null!);
+
+ var files = await access.Ls();
+ var filteredFiles = files.Where(x =>
+ x.Name.EndsWith(".py") ||
+ x.Name.EndsWith(".js") ||
+ x.Name.EndsWith(".json") ||
+ x.Name.EndsWith(".env"));
+
+ foreach (var file in filteredFiles)
+ {
+ var content = await access.Read(file);
+ var filteredContent = content.ToLower();
+
+ if (filteredContent.Contains("quake") ||
+ filteredContent.Contains("nuked by") ||
+ filteredContent.Contains("nuke bot") ||
+ (filteredContent.Contains("fucked by") && filteredContent.Contains("nuke"))) // fucked by in context with nuke
+ {
+ return new()
+ {
+ Title = "Discord nuke bot",
+ Description = "Found suspicious content which may indicate there is a nuke bot running",
+ Author = "Marcel Baumgartner"
+ };
+ }
+
+ if (files.Any(x => x.Name == "nukes.json"))
+ {
+ return new()
+ {
+ Title = "Discord nuke bot",
+ Description = "Found suspicious content which may indicate there is a nuke bot running",
+ Author = "Marcel Baumgartner"
+ };
+ }
+ }
+
+ return null;
+ }
+}
\ No newline at end of file
diff --git a/Moonlight/App/Services/MalwareScanService.cs b/Moonlight/App/Services/MalwareScanService.cs
index 999f007..8fd3634 100644
--- a/Moonlight/App/Services/MalwareScanService.cs
+++ b/Moonlight/App/Services/MalwareScanService.cs
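Review bot: The bare `filteredContent.Contains("quake")` test in DiscordNukeScan.Scan fires on any .py/.js/.json/.env file that merely contains a word such as "earthquake", and the ServerService hunk in this patch shows that a non-null scan result stops the server from starting, so a false positive here is an outage for the server owner. Consider requiring a second indicator, as the last clause of that condition already does, e.g. `(filteredContent.Contains("quake") && filteredContent.Contains("nuke"))`, or dropping the term. The `if (files.Any(x => x.Name == "nukes.json"))` check does not depend on `file` and would read more clearly hoisted above the `foreach`, before any file content is fetched. `content.ToLower()` copies each file and lowercases with the current culture; `content.Contains("nuked by", StringComparison.OrdinalIgnoreCase)` avoids both, and if the listing exposes a file size, a cap before `access.Read(file)` would keep a large .json from being loaded whole.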
@@ -25,7 +25,8 @@ public class MalwareScanService new SelfBotCodeScan(), new FakePlayerPluginScan(), new MinerScan(), - new ProxyScan() + new ProxyScan(), + new DiscordNukeScan() }; var scans = await PluginService.BuildMalwareScans(defaultScans.ToArray()); diff --git a/Moonlight/App/Services/ServerService.cs b/Moonlight/App/Services/ServerService.cs index 9054e01..11ec06b 100644 --- a/Moonlight/App/Services/ServerService.cs +++ b/Moonlight/App/Services/ServerService.cs @@ -120,7 +120,7 @@ public class ServerService if (result != null) { - Logger.Warn($"Found malware on server {server.Uuid}. Result: " + result.Title); + Logger.Warn($"Found malware on server {server.Uuid}. Result: " + result.Title, "security"); throw new DisplayException( $"Unable to start server. Found following malware on this server: {result.Title}. Please contact the support if you think this detection is a false positive",