#!/usr/bin/perl
# If you've ever been port scanned while on IRC and knew the IP that scanned you
# but couldn't find the Nick of the culprit, then this script is for you. This script
# does not detect port scans; software such as port sentry (which rocks, I might add) does that
# job and can report the scan in various ways (mine sends the scanner's IP to me in an email).
# Once you have the IP of the scanner, you can use tracer.pl to find that user's Nick. While you
# can use tracer.pl commands from any room you are currently in, I would recommend the
# server room (that's what I call the first room in your list, where the server name is displayed).
# First, type /dns <IP>. This command will return the IP's domain name.
# Second, type /find <domain name>. This will search all the channels you are currently
# in and, if a match is found, return the Nick and the Room of the person with the matching domain name.
# If a Nick is not returned, more than likely the person who scanned you left IRC, left the room he
# scanned you from, or was never on IRC to begin with. Once you have the person's Nick, I would
# recommend that you do NOT hassle them about port scanning you; instead, alert an OP to their activity.
# Please send any questions or comments to ntm2@bellsouth.net.
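# Register this script with the host IRC client and bind the "/find" command
# to the _finduser handler below.
IRC::register("tracer.pl", "1.0", "", "");
IRC::add_command_handler("find", "_finduser");

# _finduser($args) -- handler for "/find".
#
# Takes the text typed after "/find" (expected: the domain name that a prior
# "/dns" lookup returned for the scanning IP) and looks for it in the user
# list of every joined channel. Each hit is echoed with the nick and room;
# if nothing matches, a "could not find" banner is echoed instead.
# Always returns 1.
#
# The search string is matched LITERALLY. It used to be interpolated into a
# regex, so every "." in a host name matched any character (false hits that
# would point the finger at the wrong user) and a stray metacharacter such
# as "(" made the pattern fail to compile inside the handler.
#
# The match is a substring test over the whole user record, not only the
# host field, so a hit is a lead to hand to a channel operator, not proof.
sub _finduser {
    # All state is lexical; the original used package globals, which any
    # other code in the same package could overwrite.
    my $suspect = defined $_[0] ? $_[0] : "";
    chomp $suspect;

    # Strip surrounding whitespace so that "/find   " is treated as empty
    # input rather than as a pattern that matches every record.
    $suspect =~ s/^\s+//;
    $suspect =~ s/\s+$//;

    if ($suspect eq "") {
        IRC::command("/echo Usage: /find ");
        return 1;
    }

    my $banner = "/echo %C04############################################################";
    my $serv   = IRC::get_info(3);
    my $count  = 0;

    foreach my $room (IRC::channel_list()) {
        # Only entries containing "#" (\x23) are treated as channel names.
        next unless $room =~ /\x23/;

        # The user list is flattened to one string and cut at ":" to get one
        # record per user.
        # NOTE(review): presumably the client separates users with a ":"
        # element -- confirm; a ":" inside a host would split a record.
        my @userlist = IRC::user_list($room, $serv);
        my @records  = split(/:/, join(' ', @userlist));

        foreach my $perp (@records) {
            # Literal substring test (see header comment).
            next unless index($perp, $suspect) >= 0;

            # NOTE(review): field 1 is reported as the nick, which assumes the
            # record starts with a space (empty field 0). The first record of
            # a list may not -- verify against the client's user_list format.
            my @info = split(/ /, $perp);
            IRC::command($banner);
            IRC::command("/echo %C04SCAN ORIGINATED FROM -> %C01Nick: %C08${info[1]} %C01Room: %C08$room");
            IRC::command($banner);
            $count++;
        }
    }

    if ($count == 0) {
        IRC::command($banner);
        IRC::command("/echo %C04COULD NOT FIND SOURCE OF SCAN");
        IRC::command($banner);
    }

    return 1;
}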