Merge pull request #299 from Moonlight-Panel/AddNewScan

Added discord nuke bot scan
Moonlight-Panel · Aug 30, 2023 · f48ec22 · f48ec22
2 parents c549d45 + 37a3a35
commit f48ec22
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 2 deletions.
diff --git a/Moonlight/App/MalwareScans/DiscordNukeScan.cs b/Moonlight/App/MalwareScans/DiscordNukeScan.cs
@@ -0,0 +1,54 @@
+using Moonlight.App.Database.Entities;
+using Moonlight.App.Models.Misc;
+using Moonlight.App.Services;
+
+namespace Moonlight.App.MalwareScans;
+
+public class DiscordNukeScan : MalwareScan
+{
+    public override string Name => "Discord nuke";
+    public override string Description => "Discord nuke bot detector";
+    public override async Task<MalwareScanResult?> Scan(Server server, IServiceProvider serviceProvider)
+    {
+        var serverService = serviceProvider.GetRequiredService<ServerService>();
+        var access = await serverService.CreateFileAccess(server, null!);
+
+        var files = await access.Ls();
+        var filteredFiles = files.Where(x =>
+            x.Name.EndsWith(".py") || 
+            x.Name.EndsWith(".js") || 
+            x.Name.EndsWith(".json") || 
+            x.Name.EndsWith(".env"));
+
+        foreach (var file in filteredFiles)
+        {
+            var content = await access.Read(file);
+            var filteredContent = content.ToLower();
+
+            if (filteredContent.Contains("quake") || 
+                filteredContent.Contains("nuked by") || 
+                filteredContent.Contains("nuke bot") || 
+                (filteredContent.Contains("fucked by") && filteredContent.Contains("nuke"))) // fucked by in context with nuke
+            {
+                return new()
+                {
+                    Title = "Discord nuke bot",
+                    Description = "Found suspicious content which may indicate there is a nuke bot running",
+                    Author = "Marcel Baumgartner"
+                };
+            }
+
+            if (files.Any(x => x.Name == "nukes.json"))
+            {
+                return new()
+                {
+                    Title = "Discord nuke bot",
+                    Description = "Found suspicious content which may indicate there is a nuke bot running",
+                    Author = "Marcel Baumgartner"
+                };
+            }
+        }
+
+        return null;
+    }
+}
diff --git a/Moonlight/App/Services/MalwareScanService.cs b/Moonlight/App/Services/MalwareScanService.cs
@@ -25,7 +25,8 @@ public MalwareScanService(PluginService pluginService, IServiceScopeFactory serv
             new SelfBotCodeScan(),
             new FakePlayerPluginScan(),
             new MinerScan(),
-            new ProxyScan()
+            new ProxyScan(),
+            new DiscordNukeScan()
         };
 
         var scans = await PluginService.BuildMalwareScans(defaultScans.ToArray());

diff --git a/Moonlight/App/Services/ServerService.cs b/Moonlight/App/Services/ServerService.cs
@@ -120,7 +120,7 @@ public async Task SetPowerState(Server s, PowerSignal signal)
 
             if (result != null)
             {
-                Logger.Warn($"Found malware on server {server.Uuid}. Result: " + result.Title);
+                Logger.Warn($"Found malware on server {server.Uuid}. Result: " + result.Title, "security");
 
                 throw new DisplayException(
                     $"Unable to start server. Found following malware on this server: {result.Title}. Please contact the support if you think this detection is a false positive",