Adding Cryptojacking Campaign - Drupal Sites To Main Blocklist


#1

Hi

Please can someone add the Cryptojacking Campaign - Drupal Sites, to the main pi-hole block list repository.

Link https://docs.google.com/spreadsheets/d/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4/edit#gid=0

Thanks


#2

I took the hosts from the lists above and placed them on this pastebin.

It will never expire so go ahead and use it as an additional list.

https://pastebin.com/raw/a1TPEPfP (manually updated)

I signed up for updates from that list, so once it gets updated I’ll update the pastebin too (I’ll still maintain pastebin for the ones using it).

L.E.

You can also use @deHakkelaar’s list:
http://dehakkelaar.nl/lists/cryptojacking_campaign.list.txt

It auto updates itself. Simply add it to the block lists in your pi-hole and it will work.


#3

That’s great thanks :slight_smile:


#4

EDIT: Read down posts below this one for updates!!!

Put it in CRON like so:

sudo mkdir /var/www/html/lists

# \$1 is escaped so the outer double quotes do not expand it before the line reaches the cron file
echo $((RANDOM % 60)) "2 * * * root curl -s 'https://docs.google.com/spreadsheets/d/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4/export?format=csv&id=14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4&gid=0' | awk -F , '{print \$1}' | tail -n +2 | tee /var/www/html/lists/cryptojacking_campaign.list.txt 2>&1 > /dev/null && curl -s 'https://docs.google.com/spreadsheets/d/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4/export?format=csv&id=14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4&gid=1317599353' | awk -F , '{print \$1}' | tail -n +2 | tee -a /var/www/html/lists/cryptojacking_campaign.list.txt 2>&1 > /dev/null" | sudo tee /etc/cron.d/cryptojacking_campaign

sudo service cron reload

When CRON runs between 2 and 3 AM (randomized), the generated list will be written locally to “/var/www/html/lists/cryptojacking_campaign.list.txt”.

To create the list immediately instead of waiting for CRON to run:

curl -s 'https://docs.google.com/spreadsheets/d/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4/export?format=csv&id=14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4&gid=0' | awk -F , '{print $1}' | tail -n +2 | sudo tee /var/www/html/lists/cryptojacking_campaign.list.txt 2>&1 > /dev/null && curl -s 'https://docs.google.com/spreadsheets/d/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4/export?format=csv&id=14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4&gid=1317599353' | awk -F , '{print $1}' | tail -n +2 | sudo tee -a /var/www/html/lists/cryptojacking_campaign.list.txt 2>&1 > /dev/null

On the Pi-hole admin page you can add the link below as a list:

http://localhost/lists/cryptojacking_campaign.list.txt


#5

http://dehakkelaar.nl/lists/cryptojacking_campaign.list.txt

It syncs with the google sheet every hour as the list is still growing
… for the lazy ones :wink:

@Ukruler54321, maybe you could mention the source in your first posting:


#6

I added the https://pastebin.com/raw/a1TPEPfP URL to adlists.list, which is in /etc/pihole. Will this do the trick?


#7

That will do the trick.
If you run the one below, the added URL will be imported into Pi-hole:

pihole -g

But I offered two automated alternatives so as to relieve @RamSet from having to manually update that pastebin list whenever the google sheet gets updated.
If you don’t want to set up cron as described above, you can use the link I provided as a list instead of the pastebin one:

http://dehakkelaar.nl/lists/cryptojacking_campaign.list.txt

And you don’t need to edit the “adlists.list” file manually.
Instead use the web GUI to add the URL to the lists:

http://pi.hole/admin/settings.php?tab=blocklists


#8

I updated the Pastebin list (and added the new host they added under the second tab).

@deHakkelaar they started adding hosts to the second tab of the excel file.

You should update your crontab to grab from there also :slight_smile:


#9

I have deleted https://pastebin.com/raw/a1TPEPfP link from adlists.list.

Then added dehakkelaar.nl/lists/cryptojacking_campaign.list.txt to the blocklist using the following command.

The terminal displays the “is not a valid argument or domain name!”



#10

pihole -b adds a domain to the blacklist. It’s not the correct way to add it to your ad lists.

sudo nano /etc/pihole/adlists.list

add http://dehakkelaar.nl/lists/cryptojacking_campaign.list.txt
at the end, save and run a

pihole -g

That should get you there :slight_smile:


#11

I updated the cron instructions above, the cron line is a bit long now :wink:
and the list below is generated every hour pulling in both sheets now:

http://dehakkelaar.nl/lists/cryptojacking_campaign.list.txt

pi@noads:~ $ curl -s http://dehakkelaar.nl/lists/cryptojacking_campaign.list.txt | wc -l
393

pi@noads:~ $ curl -s http://dehakkelaar.nl/lists/cryptojacking_campaign.list.txt | tail
thenationalpastimemuseum.com
tigase.net
unitedbike.com
vini.pf
vivicariolano.portaldoholanda.com.br
widescreen-centre.co.uk
wildfor.life
2plus-misenal-v2.rtvc.gov.co
www.trade.gov.mm
nfrc.ucla.edu

#12

Use the Pi-hole admin web GUI to add URL lists.
It will automatically pull all the blocked domains into Pi-hole.
The below link should get you there:

http://pi.hole/admin/settings.php?tab=blocklists


#13

Thanks it worked


#14

@deHakkelaar the spreadsheet has 5 pages. Does your list contain all of them?


Compromised Drupal properties (Source, Malwarebytes blog)


#15

Concatenated all on the pastebin list.


#16

Now it does:

pi@noads:~ $ curl -s https://dehakkelaar.nl/lists/cryptojacking_campaign.list.txt | wc -l
1082

And I moved shop to a VM that’s got LetsEncrypt SSL:

https://dehakkelaar.nl/lists/cryptojacking_campaign.list.txt

Better test the URL in a browser first as my DNS change might not have propagated yet.
If you get a “Secure Connection Failed” message or similar in the browser you need to wait a bit (DNS record TTL = 12 hours).
But as soon as you can load that https link in a browser, you can add it as a list in Pi-hole, and remove the old http one of course.
I’ll keep the old http one running for a while as well.

The crontab became too long so I scripted it and put that in a crontab:

#!/bin/bash

curl -s 'https://docs.google.com/spreadsheets/d/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4/export?format=csv&id=14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4&gid=0' | awk -F , '{print $1}' | tail -n +2 | tee /var/www/html/lists/cryptojacking_campaign.list.txt
curl -s 'https://docs.google.com/spreadsheets/d/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4/export?format=csv&id=14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4&gid=1317599353' | awk -F , '{print $1}' | tail -n +2 | tee -a /var/www/html/lists/cryptojacking_campaign.list.txt
curl -s 'https://docs.google.com/spreadsheets/d/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4/export?format=csv&id=14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4&gid=1874348923' | awk -F , '{print $1}' | tail -n +2 | tee -a /var/www/html/lists/cryptojacking_campaign.list.txt
curl -s 'https://docs.google.com/spreadsheets/d/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4/export?format=csv&id=14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4&gid=1200297433' | awk -F , '{print $1}' | tail -n +2 | tee -a /var/www/html/lists/cryptojacking_campaign.list.txt
curl -s 'https://docs.google.com/spreadsheets/d/14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4/export?format=csv&id=14TWw0lf2x6y8ji5Zd7zv9sIIVixU33irCM-i9CIrmo4&gid=820026181' | awk -F , '{print $1}' | awk -F '//' '{print$2}' | grep -v '^$' | tail -n +2 | tee -a /var/www/html/lists/cryptojacking_campaign.list.txt
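
Added example, not part of the thread or any poster's script: the pipelines above publish whatever sits in the first CSV column, so this sketch validates each entry as a hostname before it reaches the list and swaps the published file atomically, refusing to replace it with an empty or truncated download. The function names, the sample CSV and the minimum-count threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not from the thread.

# Constructed sample in the shape the thread's pipeline expects:
# header row first, site in column 1.
sample_csv() {
    cat <<'EOF'
Site,Notes
www.example.com,plain host
http://shop.example.org/path?x=1,URL form
"Example.NET",quoted and mixed case
<script>alert(1)</script>,not a hostname
127.0.0.1 evil.example,hosts-file style line
www.example.com,duplicate
,empty first column
EOF
}

# CSV on stdin -> one validated, lowercase hostname per line.
extract_hosts() {
    tail -n +2 |                 # drop the header before any filtering
    awk -F , '{print $1}' |      # first column, as in the thread
    tr -d '\r"' |                # carriage returns and CSV quoting
    sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/:?].*$##' |
    tr '[:upper:]' '[:lower:]' |
    grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$' |
    sort -u
}

# publish_list NEW DEST MIN: replace DEST only if NEW has >= MIN hosts.
publish_list() (
    new=$1 dest=$2 min=$3
    count=$(grep -c . "$new") || true
    [ "$count" -ge "$min" ] || { echo "refusing: $count hosts" >&2; exit 1; }
    tmp=$(mktemp "$dest.XXXXXX") || exit 1   # same directory as DEST
    cat "$new" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"
)
```

In a cron job, the output of each sheet download would be piped through `extract_hosts` into one temporary file, which is then handed to `publish_list` with the list path under /var/www/html/lists as the destination.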