#!/bin/sh
# Update the malware IP list (etc/pf.malware)
# https://www.filters.com
# https://github.com/StevenBlack/hosts
#set -eu
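set -o errexit
set -o nounset
# Fixed, trusted PATH: this runs as root, so do not inherit the caller's.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
app=$(basename "$0")
FTP=/usr/bin/ftp
CAT=/bin/cat
EGREP=/usr/bin/egrep
SORT=/usr/bin/sort
PFCTL=/sbin/pfctl
RM=/bin/rm
CP=/bin/cp
CHMOD=/bin/chmod
TR=/usr/bin/tr
# Feed URLs.
# NOTE(review): several of the abuse.ch trackers listed here have been retired
# since this was written -- confirm each URL still serves a list before
# relying on it.
zeusurl="https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist"
fedourl="https://feodotracker.abuse.ch/blocklist/?download=ipblocklist"
# Ransomware https://ransomwaretracker.abuse.ch/blocklist/ (inspect element for URL)
cwallps="https://ransomwaretracker.abuse.ch/downloads/CW_PS_IPBL.txt"
lockyc2="https://ransomwaretracker.abuse.ch/downloads/LY_C2_IPBL.txt"
lockyps="https://ransomwaretracker.abuse.ch/downloads/LY_PS_IPBL.txt"
teslaps="https://ransomwaretracker.abuse.ch/downloads/TC_PS_IPBL.txt"
tlockc2="https://ransomwaretracker.abuse.ch/downloads/TL_C2_IPBL.txt"
tlockps="https://ransomwaretracker.abuse.ch/downloads/TL_PS_IPBL.txt"
#cerbrps="https://ransomwaretracker.abuse.ch/downloads/CB_PS_IPBL.txt"
# Combined ransomware from abuse.ch
ransomw="https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt"
# https://www.blocklist.de/en/export.html
blockls="https://lists.blocklist.de/lists/all.txt"
# http://www.malwaredomainlist.com/forums/?topic=3270.0
malware="http://malwaredomainlist.com/hostslist/ip.txt"
# Scratch files: raw extracted addresses, then the sorted/deduplicated list.
malwaretmp=$(mktemp) || exit 1
malwarerdy=$(mktemp) || exit 1
# Remove the scratch files on every exit path, including an early exit via
# error_exit or errexit (otherwise only a successful run cleaned them up).
trap 'rm -f -- "${malwaretmp}" "${malwarerdy}"' EXIT
# Installed list, read by pf's malware table.
malwarepf=/etc/pf.malware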
# Report a fatal error as "<app>: <message>" on stderr and exit 1.
# $1 - message; a generic text is used when none is given.
error_exit () {
  printf '%s: %s\n' "${app}" "${1:-Unknown Error}" >&2
  exit 1
}
# Bail out unless running as root: pfctl and writing under /etc require it.
if [ "$(id -u)" -ne 0 ]; then
  error_exit "$LINENO: ERROR: You are using a non-privileged account."
fi
# Mise en place
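# Download each feed (one URL per line of the here-document) to a private
# temp file and append the IPv4 addresses it contains to ${malwaretmp}.
while IFS= read -r url
do
  [ -n "${url}" ] || continue
  # Private temp file instead of the former predictable /tmp/<host><n>.ipbl:
  # a fixed name in a world-writable directory is a symlink-clobber risk for
  # a script that runs as root.
  file=$(mktemp) || error_exit "$LINENO: ERROR: mktemp failed."
  if ! "${FTP}" -o "${file}" "${url}"; then
    rm -f -- "${file}"
    error_exit "$LINENO: ERROR: Download failed: ${url}"
  fi
  # Extract IPv4 addresses only (one per line, regardless of feed layout).
  # A feed yielding no addresses is reported explicitly; before, a no-match
  # grep as the last command of the list tripped errexit without a message.
  if ! grep -E -o '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' "${file}" >> "${malwaretmp}"; then
    rm -f -- "${file}"
    error_exit "$LINENO: ERROR: No IP addresses found in ${url}"
  fi
  rm -f -- "${file}"
done << EOFURL
${zeusurl}
${fedourl}
${ransomw}
${blockls}
${malware}
EOFURL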
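# Sort and de-duplicate. -s requires a non-empty file: testing only the
# variable (as before) always succeeded, so an empty collection would have
# replaced the pf table with nothing. Refuse instead and leave the table alone.
[ -s "${malwaretmp}" ] || \
  error_exit "$LINENO: ERROR: No addresses collected; table left unchanged."
# sort -u drops duplicates; the numeric pass orders by the leading octet(s).
"${SORT}" -u "${malwaretmp}" | "${SORT}" -n > "${malwarerdy}"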
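# Install atomically: write the new list beside the old one, fix its mode,
# then rename over it. This avoids the window in which ${malwarepf} did not
# exist (rm, then cp) and drops the unneeded -r from the old rm -rf.
newpf="${malwarepf}.new"
"${CP}" "${malwarerdy}" "${newpf}" || exit
"${CHMOD}" 600 "${newpf}" || { rm -f -- "${newpf}"; exit 1; }
mv -f -- "${newpf}" "${malwarepf}" || { rm -f -- "${newpf}"; exit 1; }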
# Replace the contents of pf's "malware" table with the freshly installed file.
if ! "${PFCTL}" -t malware -T replace -f "${malwarepf}"; then
  error_exit "$LINENO: ERROR: pf failed."
fi
# Remove the scratch files and finish successfully.
"${RM}" -- "${malwaretmp}" "${malwarerdy}"
exit 0