Emotet is back again

…and will waste our time and resources to fight against.

abuse.ch provides some sources about the tracker IPs. “We urge you to BLOCK these command and control servers and regularly update your block list to receive the maximum protection,”

Is it possible to integrate these database of tracker IPs into Nethserver?

They also provide an API: https://urlhaus.abuse.ch/browse/

Somethink about the architecture of Emotet.

1 Like

there is a blacklist, but pihole cannot process it: https://urlhaus.abuse.ch/downloads/text/

but https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
works
[✓] Status: Retrieval successful
[i] Analyzed 246 domains

Probably it can be blocked by CalamAV https://github.com/StefanKelm/yara-rules

Some rules may be outdated, others may lead to false positives.

other blocklists, inlc. Suricata: Feodo Tracker | Blocklist

https://feodotracker.abuse.ch/downloads/feodotracker.rules

OPNSense has integrated them

1 Like

…but if I activate it, my small box overloaded.

Thread shield has the feodo lists by abuse.

2 Likes

They should be there (but they aren’t) when using the firehol blocklists but currently the urls are wrong and the contents of abuse.ch related files is empty.
There are some open bugs on firehol issue tracker but seems an unresolved problem from time ago:

3 Likes

At the link @capote posted are the IP’s at a textfile

https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt

Aren’t we able to create an own blacklist and import this one by a cronjob?

An additional question, where can I find the block-lists of threadshield?

1 Like

Stored under /usr/share/nethserver-blacklist/ipsets/, if I’m not mistaken.

No, you aren’t. Thanks for the answer.
I’ve done some testing, activating Feodo as Category and adding IP addresses manually to feodo.ipset works after restarting shorewall till next renewing of the file. At the feodo.ipset file is a comment

# List source URL : https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
but the address of the list is

https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt

Now I’m searching for the configuration file to set the right download address for the list.
@giacomo Can you help?

1 Like

You need to have those IPs inside the git repository. You can hope Firehole will fix it or create a new git repository, see nethserver-blacklist — NethServer 7 documentation

1 Like

Thanks for your answer.
I’ve also seen I’ve gotten a system mail with a fetch error:

Cron root@groupware sleep $(( ( RANDOM % 60 ) )); /usr/share/nethserver-blacklist/download ipsets

[ERROR] Can’t update blacklist repository: fetch failed

Now I tried to install an own git repository, but the installation described at the documentation doesn’t work for me, because the ius repository is not found.
I did the following steps:

yum install -y https://github.com/firehol/packages/releases/download/2020-02-18-0552/firehol-3.1.6-12.el7.noarch.rpm https://github.com/firehol/packages/releases/download/2020-02-18-0552/iprange-1.0.4-2.el7.x86_64.rpm unzip https://centos7.iuscommunity.org/ius-release.rpm

This step works fine.

yum install -y git216-core --enablerepo=ius

This gives the following error:

Error getting repository data for ius, repository not found
[root@project ~]# Error getting repository data for ius, repository not found

Has somebody an idea?

The ius repo seems to have changed:

yum install https://repo.ius.io/ius-release-el7.rpm

git216-core isn’t available anymore but git224-core is provided:

yum install -y git224-core --enablerepo=ius

2 Likes

Thanks Markus,
this works and I have done a pullrequest for the documentation.

3 Likes

I got an error:

yum install -y git224-core --enablerepo=ius

Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile

it doesn’t help:

You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest

You already installed git so it conflicts with git224-core. Please remove it and try again:

yum remove git

1 Like

yes, that works, but removed Tread Shield completely. I reinstalled and all is fine.
Thank you!

You can’t install the git repository and Threadshield at the same server.

2 Likes

:thinking: