Merge pull request #299 from Moonlight-Panel/AddNewScan

Added discord nuke bot scan
2023-08-31 01:03:24 +02:00 · 2023-08-31 01:03:24 +02:00 · f48ec2245c
commit f48ec2245c
parent c549d45d54 37a3a35120
3 changed files with 57 additions and 2 deletions
--- a/Moonlight/App/MalwareScans/DiscordNukeScan.cs
+++ b/Moonlight/App/MalwareScans/DiscordNukeScan.cs
@ -0,0 +1,54 @@
+using Moonlight.App.Database.Entities;
+using Moonlight.App.Models.Misc;
+using Moonlight.App.Services;
+
+namespace Moonlight.App.MalwareScans;
+
+public class DiscordNukeScan : MalwareScan
+{
+    public override string Name => "Discord nuke";
+    public override string Description => "Discord nuke bot detector";
+    public override async Task<MalwareScanResult?> Scan(Server server, IServiceProvider serviceProvider)
+    {
+        var serverService = serviceProvider.GetRequiredService<ServerService>();
+        var access = await serverService.CreateFileAccess(server, null!);
+
+        var files = await access.Ls();
+        var filteredFiles = files.Where(x =>
+            x.Name.EndsWith(".py") || 
+            x.Name.EndsWith(".js") || 
+            x.Name.EndsWith(".json") || 
+            x.Name.EndsWith(".env"));
+
+        foreach (var file in filteredFiles)
+        {
+            var content = await access.Read(file);
+            var filteredContent = content.ToLower();
+
+            if (filteredContent.Contains("quake") || 
+                filteredContent.Contains("nuked by") || 
+                filteredContent.Contains("nuke bot") || 
+                (filteredContent.Contains("fucked by") && filteredContent.Contains("nuke"))) // fucked by in context with nuke
+            {
+                return new()
+                {
+                    Title = "Discord nuke bot",
+                    Description = "Found suspicious content which may indicate there is a nuke bot running",
+                    Author = "Marcel Baumgartner"
+                };
+            }
+
+            if (files.Any(x => x.Name == "nukes.json"))
+            {
+                return new()
+                {
+                    Title = "Discord nuke bot",
+                    Description = "Found suspicious content which may indicate there is a nuke bot running",
+                    Author = "Marcel Baumgartner"
+                };
+            }
+        }
+
+        return null;
+    }
+}
--- a/Moonlight/App/Services/MalwareScanService.cs
+++ b/Moonlight/App/Services/MalwareScanService.cs
@ -25,7 +25,8 @@ public class MalwareScanService
            new SelfBotCodeScan(),
            new FakePlayerPluginScan(),
            new MinerScan(),
-            new ProxyScan()
+            new ProxyScan(),
+            new DiscordNukeScan()
        };

        var scans = await PluginService.BuildMalwareScans(defaultScans.ToArray());
--- a/Moonlight/App/Services/ServerService.cs
+++ b/Moonlight/App/Services/ServerService.cs
@ -120,7 +120,7 @@ public class ServerService

            if (result != null)
            {
-                Logger.Warn($"Found malware on server {server.Uuid}. Result: " + result.Title);
+                Logger.Warn($"Found malware on server {server.Uuid}. Result: " + result.Title, "security");

                throw new DisplayException(
                    $"Unable to start server. Found following malware on this server: {result.Title}. Please contact the support if you think this detection is a false positive",